Denying Access to a Server on Another VLAN - Cisco Catalyst 3750-X Software Configuration Manual


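Configuring VLAN Maps

Figure 37-4 (Wiring Closet Configuration). [Figure not reproduced: Switch A, Switch B and Switch C; Host X (10.1.1.32) and Host Y (10.1.1.34); VLAN 1 and VLAN 2. VLAN map on Switch A: deny HTTP from X to Y, so the HTTP packet is dropped at the entry point.]
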
If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VLAN map on
Switch A to drop all HTTP traffic from Host X (IP address 10.1.1.32) to Host Y (IP address 10.1.1.34)
at Switch A and not bridge it to Switch B.
First, define the IP access list http that permits (matches) any TCP traffic on the HTTP port.
Switch(config)# ip access-list extended http
Switch(config-ext-nacl)# permit tcp host 10.1.1.32 host 10.1.1.34 eq www
Switch(config-ext-nacl)# exit
Next, create VLAN access map map2 so that traffic that matches the http access list is dropped and all
other IP traffic is forwarded.
Switch(config)# vlan access-map map2 10
Switch(config-access-map)# match ip address http
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# ip access-list extended match_all
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map2 20
Switch(config-access-map)# match ip address match_all
Switch(config-access-map)# action forward
Then, apply VLAN access map map2 to VLAN 1.
Switch(config)# vlan filter map2 vlan 1
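
An added example, not part of the Cisco manual: a simplified Python model of how map2 is evaluated, showing why entry 20 is needed. It assumes the IOS rule that once a VLAN map has an IP match clause, IP packets matching no entry are dropped; the Packet and AclPermit classes and the sample packets are constructed for illustration, and ACL deny lines and non-IP traffic are not modelled.

```python
# Added illustration: simplified model of VLAN map evaluation (not Cisco code).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:          # constructed sample traffic, IPv4 only
    src: str
    dst: str
    proto: str         # "tcp", "udp", "icmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class AclPermit:       # one "permit" line of an extended IP ACL
    proto: str         # "ip" matches any IP protocol
    src: str           # CIDR form; a "host" entry is a /32
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

ACLS = {
    "http": [AclPermit("tcp", "10.1.1.32/32", "10.1.1.34/32", 80)],  # eq www
    "match_all": [AclPermit("ip", "0.0.0.0/0", "0.0.0.0/0")],
}

# (sequence number, ACL name, action) as entered for map2 on the page
MAP2 = [(10, "http", "drop"), (20, "match_all", "forward")]

def evaluate(vlan_map, pkt: Packet) -> str:
    """Return the action of the lowest-numbered entry whose ACL permits pkt."""
    for _seq, acl, action in sorted(vlan_map):
        if any(line.matches(pkt) for line in ACLS[acl]):
            return action
    # A map with IP match clauses drops unmatched IP; with none, it forwards.
    return "drop" if vlan_map else "forward"

X_TO_Y_HTTP = Packet("10.1.1.32", "10.1.1.34", "tcp", 80)
X_TO_Y_SSH = Packet("10.1.1.32", "10.1.1.34", "tcp", 22)
OTHER_HTTP = Packet("10.1.1.40", "10.1.1.34", "tcp", 80)

if __name__ == "__main__":
    for pkt in (X_TO_Y_HTTP, X_TO_Y_SSH, OTHER_HTTP):
        print(pkt, "->", evaluate(MAP2, pkt))
    # With entry 20 left out, all other IP traffic in the VLAN is dropped too.
    print("entry 10 only:", evaluate(MAP2[:1], X_TO_Y_SSH))
```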

Denying Access to a Server on Another VLAN

You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs
to have access denied to these hosts (see Figure 37-5):
- Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.
- Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.

Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-21521-01, Chapter 37: Configuring Network Security with ACLs, page 37-36
