VLAN Maps - Cisco Catalyst 3750 Metro Switch Software Configuration Guide

Catalyst 3750 Metro Switch Software Configuration Guide, 78-15870-01, Chapter 25, Configuring Network Security with ACLs, page 25-4

Understanding ACLs

These access lists are supported on Layer 2 interfaces:
  • Standard IP access lists using source addresses
  • Extended IP access lists using source and destination addresses and optional protocol type information
  • MAC extended access lists using source and destination MAC addresses and optional protocol type information

As with router ACLs, the switch examines the ACLs associated with the features configured on a given interface and permits or denies packet forwarding based on how the packet matches the entries in the ACL. Port ACLs can be applied to Layer 2 interfaces in the inbound direction only. In the example in Figure 25-1, if all workstations were in the same VLAN, ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network but prevent Host B from accessing the same network.

When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with a voice VLAN, the ACL filters traffic on both the data and the voice VLAN.

With port ACLs, you can filter IPv4 traffic by using IP access lists and non-IPv4 traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.

Note   You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface. If an IP access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access list or MAC access list to the interface, the new ACL replaces the previously configured one.

VLAN Maps

VLAN ACLs, or VLAN maps, can access-control all traffic. You can apply VLAN maps to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VLAN maps are used for security packet filtering. VLAN maps are not defined by direction (input or output).

You can configure VLAN maps to match Layer 3 addresses for IP traffic. All non-IPv4 protocols are access-controlled through MAC addresses and Ethertype using MAC VLAN maps. (IP traffic is not access-controlled by MAC VLAN maps.) You can enforce VLAN maps only on packets going through the switch; you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch connected to this switch.

With VLAN maps, forwarding of packets is permitted or denied based on the action specified in the map. Figure 25-2 illustrates how a VLAN map is applied to deny a specific type of traffic from Host A in VLAN 10 from being forwarded. You can apply only one VLAN map to a VLAN.

Figure 25-2   Using VLAN Maps to Control Traffic
[Figure: Host A (VLAN 10) and Host B (VLAN 10) attached to the Catalyst 3750 Metro switch. Legend: VLAN map denying a specific type of traffic from Host A; Packet.]
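The port ACL behaviour described under Understanding ACLs, as an added configuration example that is not taken from the Cisco guide: one IP access list and one MAC access list are applied inbound on the Layer 2 access ports that serve Host A and Host B. The host addresses, the Human Resources subnet, the VLAN numbers, the interface names and the ACL names are assumptions made for illustration. The IP list only ever sees IPv4 packets and the MAC list only ever sees non-IPv4 frames, and a later ip access-group or mac access-group on the same interface replaces, rather than adds to, the list configured here.

```cisco
! Added example, not from the guide. Assumed topology:
!   Host A = 10.1.10.11 and Host B = 10.1.10.12, both in VLAN 10 on
!   FastEthernet1/0/1 and FastEthernet1/0/2; Human Resources = 10.1.20.0/24;
!   voice VLAN 110 on the Host A port.
!
! IPv4 filter: Host A may reach HR, every other host may not, and all other
! IPv4 traffic is left alone. The final permit matters: without it the
! implicit deny at the end of the list would drop everything else too.
ip access-list extended PORT-IN-IP
 permit ip host 10.1.10.11 10.1.20.0 0.0.0.255
 deny   ip any 10.1.20.0 0.0.0.255
 permit ip any any
!
! Non-IPv4 filter: drop AppleTalk frames, pass every other non-IP frame.
! IPv4 packets are never evaluated against a MAC access list, so the IP
! list above is the only thing that controls them.
mac access-list extended PORT-IN-NONIP
 deny   any any appletalk
 permit any any
!
! Port ACLs are inbound only; there is no "out" keyword on a Layer 2 port.
! On FastEthernet1/0/1 the same two lists also filter voice VLAN 110.
interface FastEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ip access-group PORT-IN-IP in
 mac access-group PORT-IN-NONIP in
!
interface FastEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 ip access-group PORT-IN-IP in
 mac access-group PORT-IN-NONIP in
!
! Verification (exec mode):
!   show ip access-lists PORT-IN-IP
!   show mac access-group interface FastEthernet1/0/1
!   show running-config interface FastEthernet1/0/1
```

Because only one IP list and one MAC list can be bound to a port, a second team applying its own ip access-group to FastEthernet1/0/1 silently removes PORT-IN-IP; reviewing show running-config interface after any ACL change is the practical check that the intended list is still the one in force.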
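The VLAN map behaviour described in the VLAN Maps section, as an added configuration example that is not taken from the Cisco guide: the map follows Figure 25-2 by dropping one kind of traffic from Host A while everything else in VLAN 10 is forwarded, whether bridged within the VLAN or routed into or out of it. The addresses, the MAC address, the map and ACL names, and the choice of Telnet as the blocked traffic are assumptions. Two points a practitioner should check when writing such a map: a permit entry in the match ACL means "this clause matches", not "forward", and once a map contains an IP match clause (or a MAC match clause), a packet of that type that matches no clause is dropped, so the final forward clause with no match statement is what keeps the rest of the VLAN's traffic flowing.

```cisco
! Added example, not from the guide. Assumed topology:
!   Host A = 10.1.10.11 in VLAN 10; an unwanted non-IP station with MAC
!   address 0000.0c12.3456 is also attached to VLAN 10.
!
! Match lists. "permit" here selects the traffic for the clause; the action
! is decided by the VLAN map, not by the ACL.
ip access-list extended HOSTA-TELNET
 permit tcp host 10.1.10.11 any eq telnet
!
! Non-IPv4 frames are matched by MAC address (and optionally Ethertype);
! IPv4 packets are never matched by a MAC list.
mac access-list extended ROGUE-STATION
 permit host 0000.0c12.3456 any
!
! Clauses are evaluated in sequence-number order; the first match wins.
vlan access-map VLAN10-MAP 10
 match ip address HOSTA-TELNET
 action drop
vlan access-map VLAN10-MAP 20
 match mac address ROGUE-STATION
 action drop
! Catch-all: the map has both an IP and a MAC match clause, so any packet
! that falls through clauses 10 and 20 would otherwise be dropped.
vlan access-map VLAN10-MAP 30
 action forward
!
! Bind the map to the VLAN. A VLAN can carry only one map; binding another
! map to VLAN 10 would require removing this one first. The map is not
! directional: it applies to bridged and routed traffic alike.
vlan filter VLAN10-MAP vlan-list 10
!
! Verification (exec mode):
!   show vlan access-map VLAN10-MAP
!   show vlan filter
```

The map only sees traffic that crosses this switch; two hosts on the same hub or on a downstream switch can still exchange Telnet in VLAN 10 without the 3750 ever evaluating VLAN10-MAP, which is why a per-VLAN filter on a distribution switch is not a substitute for a port ACL at the access edge.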