Using Vlan Maps In Your Network - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

Configuring VLAN Maps
Note: You cannot apply a VLAN map to a VLAN on a switch that has ACLs applied to Layer 2 interfaces (port ACLs).
This example shows how to apply VLAN map 1 to VLANs 20 through 22:
Switch(config)# vlan filter map 1 vlan-list 20-22

Using VLAN Maps in Your Network

Figure 51-3 shows a typical wiring closet configuration. Host X and Host Y are in different VLANs,
connected to wiring closet switches A and C. Traffic moving from Host X to Host Y is routed by Switch
B. Access to traffic moving from Host X to Host Y can be controlled at the entry point of Switch A. In
the following configuration, the switch can support a VLAN map and a QoS classification ACL.

Figure 51-3 Wiring Closet Configuration
[Figure labels: Switch A, Switch B, Switch C, Catalyst 4500 series switch, Host X (10.1.1.32), Host Y (10.1.1.34), VLAN 1, VLAN 2, Packet. VLAN map: Deny HTTP from X to Y; HTTP is dropped at entry point.]

For example, if you do not want HTTP traffic to be switched from Host X to Host Y, you could apply a
VLAN map on Switch A to drop all HTTP traffic moving from Host X (IP address 10.1.1.32) to Host Y
(IP address 10.1.1.34) at Switch A and not bridge the traffic to Switch B. To configure this scenario, you
would do the following.

First, define an IP access list HTTP to permit (match) any TCP traffic on the HTTP port, as follows:
Switch(config)# ip access-list extended http
Switch(config-ext-nacl)# permit tcp host 10.1.1.32 host 10.1.1.34 eq www
Switch(config-ext-nacl)# exit

Chapter 51, Configuring Network Security with ACLs. Software Configuration Guide, Release IOS XE 3.3.0SG and IOS 15.1(1)SG (OL-25340-01).
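The scenario described above (drop HTTP from Host X to Host Y at Switch A, bridge everything else) written out as one Switch A configuration. This is an added example, not text from the original guide, and it goes beyond the single ACL step shown on the page. The names match_all and map2, and the use of VLAN 1 as Host X's VLAN, are assumptions; substitute your own.

```cisco
! Added example (not from the original guide).
! Assumed names: ACL "match_all", VLAN map "map2".
! Assumed VLAN: 1 stands in for the VLAN that Host X is in.

! In an ACL referenced by a VLAN map, "permit" means "this traffic matches".
! Whether matched traffic is dropped or forwarded is set by the map's action.
ip access-list extended http
 permit tcp host 10.1.1.32 host 10.1.1.34 eq www
!
! Catch-all ACL so that the remaining IP traffic matches a forwarding entry.
ip access-list extended match_all
 permit ip any any
!
! Entry 10: drop the HTTP flow from Host X to Host Y at the entry point.
vlan access-map map2 10
 match ip address http
 action drop
!
! Entry 20: forward all other IP traffic. Without this entry, IP packets
! that match no entry are dropped, because the map has an IP match clause.
vlan access-map map2 20
 match ip address match_all
 action forward
!
! Apply the map to Host X's VLAN (assumed here to be VLAN 1).
vlan filter map2 vlan-list 1
!
! Verify from privileged EXEC mode:
!   show vlan access-map map2
!   show vlan filter
```

Entries are evaluated in sequence-number order, so the drop entry (10) must come before the catch-all forward entry (20).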
