VLAN Access Maps

VLAN access maps (VACLs) are the mechanism for filtering traffic that stays within a VLAN; a router ACL only sees traffic that is routed between VLANs. VLAN access maps have no direction: a map is applied to every packet bridged through the VLAN, so if you want to filter traffic in a specific direction, you need to include an access control list (ACL) that names specific source or destination addresses. VLAN access maps are not supported on the 2960 platform, but they are on the 3560 and the 6500 platforms.

3560Switch(config)#ip access-list extended test1

Creates a named extended ACL called test1

3560Switch(config-ext-nacl)#permit tcp any any

The first (and only) line of this extended ACL matches any TCP packet from any source to any destination address. Because there is no other line in the ACL, the implicit deny statement that ends every ACL means no other packet matches test1. Inside a VLAN access map an ACL selects traffic rather than filters it: a packet that hits a permit entry is the one the map's action is applied to, and a packet that falls through to the implicit deny simply does not match this clause.

3560Switch(config-ext-nacl)#exit

Exits named ACL configuration mode and returns to global config mode

3560Switch(config)#vlan access-map drop_TCP

Creates a VLAN access map named drop_TCP and moves into VLAN access map configuration mode. If no sequence number is given at the end of the command, a default number of 10 is assigned. A map can hold several numbered clauses; they are evaluated in sequence order and the first clause a packet matches decides its action.

3560Switch(config-access-map)#match ip address test1

Defines what a packet must match for the action in this clause to be applied. In this case, packets permitted by the named ACL test1 (all TCP packets) are the ones acted upon.

NOTE: You can match ACLs based on the following:

IP ACL number: 1-199 and 1300-2699

IP ACL name

IPX ACL number: 800-999

IPX ACL name

MAC address ACL name

3560Switch(config-access-map)#action drop

Any packet matched by the ACL test1 will be dropped

NOTE: You can configure the following actions:

Forward

Drop

Redirect (works only on a Catalyst 6500)

NOTE: If the map contains at least one match clause for a packet type (IP or MAC) and a packet of that type matches none of the clauses, the switch drops it; a packet of a type for which the map has no match clause at all is forwarded. The single-clause map above therefore drops every IP packet in the filtered VLANs, not only TCP, unless a later clause with action forward is added for the traffic that should pass.

3560Switch(config-access-map)#exit

Exits access map configuration mode and returns to global config mode

3560Switch(config)#vlan filter drop_TCP vlan-list 20-30

Applies the VLAN map named drop_TCP to VLANs 20-30

NOTE: The vlan-list argument can refer to a single VLAN (26), a consecutive range (20-30), or a string of VLAN IDs (12, 22, 32). Spaces around the comma and hyphen are optional. Only one VLAN access map can be applied to a given VLAN.
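As an added example (not from the original command guide), the complete configuration below drops one Telnet flow inside VLAN 20 while leaving all other traffic in the VLAN untouched. The ACL names, the map name and the addresses 10.20.0.50 and 10.20.0.10 are made up for illustration. Because the map itself has no direction, the ACL fixes the direction by naming the client as source and the server as destination; the second map clause, with action forward, is what keeps the rest of the VLAN's IP traffic flowing, since without it the map's default drop would apply to every IP packet that is not Telnet from that host.

```cisco
! Added example, not from the original page. Names and addresses are made up.
! Goal: stop host 10.20.0.50 from reaching the Telnet port on 10.20.0.10 when
! both live in VLAN 20, without affecting any other traffic in the VLAN.

! 1. An ACL that selects only the traffic to drop. In a VLAN access map the
!    ACL is a classifier: a packet that hits a permit entry matches the clause
!    and gets its action; a packet that hits the implicit deny does not match.
ip access-list extended telnet-to-srv
 remark client -> server; the direction lives here, the map has none
 permit tcp host 10.20.0.50 host 10.20.0.10 eq 23

! 2. A catch-all ACL used by the final forward clause.
ip access-list extended any-ip
 permit ip any any

! 3. The map. Clauses are evaluated in sequence-number order, first match wins.
vlan access-map telnet_block 10
 match ip address telnet-to-srv
 action drop
vlan access-map telnet_block 20
 match ip address any-ip
 action forward

! 4. Apply the map to the VLAN. A VLAN can carry only one access map.
vlan filter telnet_block vlan-list 20

! 5. Verify from privileged EXEC mode: the first command lists the clauses and
!    their actions, the second shows which VLANs each map is applied to.
! show vlan access-map telnet_block
! show vlan filter
```

Return traffic from 10.20.0.10 back to the client is not matched by telnet-to-srv and is forwarded by clause 20; if the reverse direction should also be dropped, add a second permit entry to the ACL with the addresses swapped. Traffic that is not IP (ARP, for instance) is forwarded because the map has no MAC match clause for it.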

