Denying Access to a Server on Another VLAN - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex

Chapter 62
Configuring Network Security with ACLs

Denying Access to a Server on Another VLAN

Figure 62-4 shows how to restrict access to a server on another VLAN. In this example, server
10.1.1.100 in VLAN 10 has the following access restrictions:
- Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.
- Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.

Figure 62-4 Deny Access to a Server on Another VLAN
[Figure: a Catalyst 4500 series switch with a VLAN map; server 10.1.1.100 (VLAN 10); hosts 10.1.1.4 and 10.1.1.8 (VLAN 10); a host in subnet 10.1.2.0/8 (VLAN 20) sending a packet]

This procedure configures ACLs with VLAN maps to deny access to a server on another VLAN. The
ACL SERVER1_ACL matches traffic to the server from hosts in subnet 10.1.2.0/8, host 10.1.1.4, and host
10.1.1.8. The VLAN map SERVER1_MAP drops the packets that match this ACL and then permits all other
IP traffic. In Step 3, VLAN map SERVER1_MAP is applied to VLAN 10.
To configure this scenario, follow these steps:

Step 1
Define the IP ACL to match and permit the correct packets.
Switch(config)# ip access-list extended SERVER1_ACL
Switch(config-ext-nacl)# permit ip 10.1.2.0 0.0.0.255 host 10.1.1.100
Switch(config-ext-nacl)# permit ip host 10.1.1.4 host 10.1.1.100
Switch(config-ext-nacl)# permit ip host 10.1.1.8 host 10.1.1.100
Switch(config-ext-nacl)# exit

Step 2
Define a VLAN map using the ACL to drop IP packets that match SERVER1_ACL and forward IP
packets that do not match the ACL.
Switch(config)# vlan access-map SERVER1_MAP
Switch(config-access-map)# match ip address SERVER1_ACL
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map SERVER1_MAP 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit

Step 3
Apply the VLAN map to VLAN 10.
Switch(config)# vlan filter SERVER1_MAP vlan-list 10
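
The following is an added example, not part of the Cisco manual: a small Python model of how SERVER1_MAP evaluates IP packets, showing that a permit line in SERVER1_ACL only selects traffic for the map entry's action and that entry 20 forwards everything else. The function names and sample packets are constructed for illustration, and the final implicit drop models the VLAN map default for IP packets that match no entry, which is an assumption not stated on this page.

```python
import ipaddress

def ace_matches(ace, src, dst):
    """True if src/dst match one 'permit ip' ACE given as (address, wildcard) pairs."""
    def hit(ip, addr, wildcard):
        # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(addr)) & care)
    (s_addr, s_wc), (d_addr, d_wc) = ace
    return hit(src, s_addr, s_wc) and hit(dst, d_addr, d_wc)

HOST = "0.0.0.0"  # wildcard equivalent of the 'host' keyword

# SERVER1_ACL from Step 1: every line is a permit, which inside a VLAN map means "match".
SERVER1_ACL = [
    (("10.1.2.0", "0.0.0.255"), ("10.1.1.100", HOST)),
    (("10.1.1.4", HOST), ("10.1.1.100", HOST)),
    (("10.1.1.8", HOST), ("10.1.1.100", HOST)),
]

# SERVER1_MAP from Step 2: (sequence, ACL or None when there is no match clause, action).
SERVER1_MAP = [(10, SERVER1_ACL, "drop"), (20, None, "forward")]

def vlan_map_action(vlan_map, src, dst):
    """Return the action of the first map entry that matches an IP packet."""
    for _seq, acl, action in sorted(vlan_map, key=lambda entry: entry[0]):
        if acl is None or any(ace_matches(ace, src, dst) for ace in acl):
            return action
    # Assumption: an IP packet that matches no entry of a map with an IP match clause is dropped.
    return "drop"

# Constructed sample packets (source, destination).
SAMPLES = [
    ("10.1.2.25", "10.1.1.100"),  # inside 10.1.2.0 0.0.0.255
    ("10.1.1.4", "10.1.1.100"),   # blocked host in VLAN 10
    ("10.1.1.8", "10.1.1.100"),   # blocked host in VLAN 10
    ("10.1.1.9", "10.1.1.100"),   # other VLAN 10 host
    ("10.1.3.25", "10.1.1.100"),  # outside the range the wildcard mask covers
    ("10.1.1.4", "10.1.1.50"),    # blocked host, different destination
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        print(f"{src:>10} -> {dst:<10} {vlan_map_action(SERVER1_MAP, src, dst)}")
```

The wildcard mask 0.0.0.255 in Step 1 matches only sources 10.1.2.0 through 10.1.2.255, so the 10.1.3.25 sample is forwarded. Evaluating the same packets against a map that lacks entry 20 returns drop for every one of them.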