VLAN Maps

1© 2003, Cisco Systems, Inc. All rights reserved.

VLAN Maps


• The steps involved in implementing VLAN access lists:1. Define VLAN Access Map. To define a VLAN access-map use the command:

Switch(config)# vlan access-map <map-name) [sequence-number].Access map statements are performed according to the sequence number.

2. Define matching conditions to identify traffic to be filtered. Use the access-map configuration command:

Switch(config-access-map)# match {ip address {acl-address {<acl-number> |<acl name>}} | {mac address <acl-name>}3. Define the action to be performed on the filtered traffic. Use the command:

Switch(config-access-map)# action {drop | forward [capture] | redirect <interface type> <mod>/<num>}

4. Apply the VACL to a VLAN interface. Use the global configuration command:

Switch(config)# vlan filter <map-name> vlan-list <list-of-vlans-here>


Scenario

• Build and configure network

• Create VLAN 100 on switch.

• Client pool of addresses 192.168.100.1-192.168.100.254

• Allow Accounting Supervisors (Hosts 192.168.100.9-15/24) to reach the Accounting Server (192.168.100.254)

• Block all other clients in the designated pool from reaching the server

• Allow ALL other clients outside of the designated pool to reach the server

192.168.100.9/24 192.168.100.254/24

Fa0/3Fa0/1


VLAN Map Configuration Steps

1. Create named extended ACLs to identify source traffic

An ‘allow’ address range‘

A ‘block’ address range

The ‘default’ address range (all other traffic)

Identify traffic from specific to general

2. Create VLAN Maps using numbered compound statements

The numbered statements are executed in ascending order

and identify the appropriate action for each address range:

(action forward, action drop)

3. Apply the VLAN Map using a VLAN filter

Identify the VLAN Map name and corresponding VLAN to be filtered.


Create named Extended ACLs

Use specific Information for authorized traffic

Allow

Switch(config)#ip access-list extended AllowAcctTraffic

Switch(config-ext-nacl)#permit tcp 192.168.100.8 0.0.0.7

host 192.168.100.254 eq www



Use specific Information for authorized traffic

Allow-----Block



host 192.168.100.254 eq www

Switch(config)#ip access-list extended BlockAcctTraffic


host 192.168.100.254 eq www



• Use specific Information for authorized traffic

• Allow-----Block-----Default



host 192.168.100.254 eq www



host 192.168.100.254 eq www

Switch(config)#ip access-list extended DefaultAcctTraffic

Switch(config-ext-nacl)#permit ip any any


Create VLAN Access Map

Switch(config)# vlan access-map AcctTrafficMap 10

Switch(config-access-map)# match ip address AllowAcctTraffic

Switch(config-access-map)#action forward

Switch(config-access-map)#exit








Switch(config-access-map)# match ip address BlockAcctTraffic

Switch(config-access-map)#action drop













Switch(config-access-map)# match ip address DefaultAcctTraffic


Switch(config-access-map)#end


Create VLAN Filter & Apply to correct VLAN

Switch(config)#vlan filter AcctTrafficMap vlan-list 100

To verfiy: show vlan filter


Corresponding parts-AllowNamed ACL & VLAN Map

Allow



host 192.168.100.254 eq www

. . . . .





. . . . .



Corresponding parts-BlockNamed ACL & VLAN Map

Block



host 192.168.100.254 eq www

. . . . .





. . . . .



Corresponding parts-DefaultNamed ACL & VLAN Map

Default

Switch(config)#ip access-list extended DefaultAcctTraffic

Switch(config-ext-nacl)#permit ip any any

. . . . .


Switch(config-access-map)# match ip address DefaultAcctTraffic



. . . . .



Verify Configuration---Test Connectivity

To verify configuration, use

show vlan access-map

To test connectivity or blocked connectivity

Add clients with appropriate IP addresses

or use extended ping commands

Documents

VLAN Maps