Denying Access To A Server On Another Vlan - Cisco 4500M Software Manual

Configuring VLAN Maps

Denying Access to a Server on Another VLAN

Figure 35-4 shows how to restrict access to a server on another VLAN. In this example, server
10.1.1.100 in VLAN 10 has the following access restrictions:

Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.
Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.

Figure 35-4 Deny Access to a Server on Another VLAN
[Diagram: a Catalyst 4500 series switch with a VLAN map; server 10.1.1.100 and hosts 10.1.1.4 and 10.1.1.8 in VLAN 10; a host in subnet 10.1.2.0/8 in VLAN 20.]

This procedure configures ACLs with VLAN maps to deny access to a server on another VLAN. The
VLAN map, through the ACL SERVER1_ACL, denies access to hosts in subnet 10.1.2.0/8, host 10.1.1.4,
and host 10.1.1.8. Then it permits all other IP traffic. In Step 3, VLAN map SERVER1_MAP is applied
to VLAN 10.

To configure this scenario, you could take the following steps:

Step 1  Define the IP ACL to match and permit the correct packets.

Switch(config)# ip access-list extended SERVER1_ACL
Switch(config-ext-nacl)# permit ip 10.1.2.0 0.0.0.255 host 10.1.1.100
Switch(config-ext-nacl)# permit ip host 10.1.1.4 host 10.1.1.100
Switch(config-ext-nacl)# permit ip host 10.1.1.8 host 10.1.1.100
Switch(config-ext-nacl)# exit

Step 2  Define a VLAN map using the ACL to drop IP packets that match SERVER1_ACL and forward IP
packets that do not match the ACL.

Switch(config)# vlan access-map SERVER1_MAP
Switch(config-access-map)# match ip address SERVER1_ACL
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map SERVER1_MAP 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit

Step 3  Apply the VLAN map to VLAN 10.

Switch(config)# vlan filter SERVER1_MAP vlan-list 10

Chapter 35 Configuring Network Security with ACLs
Software Configuration Guide—Release 12.2(25)EW, OL-6696-01
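
The following Python sketch is an added example, not part of the Cisco guide. It models how SERVER1_MAP from Steps 1 to 3 above treats IP packets in VLAN 10, including the effect of the wildcard mask 0.0.0.255 (which covers sources 10.1.2.0 through 10.1.2.255 only) and of the sequence 20 entry. The function names and sample packets are constructed for illustration, and the fall-through default is an assumption about IOS behaviour, labelled in the code.

```python
import ipaddress

def ip(addr):
    return int(ipaddress.IPv4Address(addr))

def ace_matches(ace, src, dst):
    """ace = (src, src_wildcard, dst, dst_wildcard); wildcard 1-bits are ignored."""
    s_addr, s_wild, d_addr, d_wild = (ip(x) for x in ace)
    s_care, d_care = ~s_wild & 0xFFFFFFFF, ~d_wild & 0xFFFFFFFF
    return ((ip(src) & s_care) == (s_addr & s_care)
            and (ip(dst) & d_care) == (d_addr & d_care))

HOST = "0.0.0.0"  # the 'host' keyword is an all-zero wildcard

# SERVER1_ACL as entered in Step 1
SERVER1_ACL = [
    ("10.1.2.0", "0.0.0.255", "10.1.1.100", HOST),
    ("10.1.1.4", HOST, "10.1.1.100", HOST),
    ("10.1.1.8", HOST, "10.1.1.100", HOST),
]

# SERVER1_MAP as entered in Step 2: (sequence, matched ACL or None, action)
SERVER1_MAP = [(10, SERVER1_ACL, "drop"), (20, None, "forward")]

def vlan_map_action(vmap, src, dst):
    """Return 'drop' or 'forward' for an IP packet in the filtered VLAN."""
    has_ip_clause = False
    for _seq, acl, action in sorted(vmap, key=lambda e: e[0]):
        if acl is None:          # no match clause: applies to every packet
            return action
        has_ip_clause = True
        if any(ace_matches(ace, src, dst) for ace in acl):
            return action
    # Assumed IOS default: IP packets matching no entry are dropped when the
    # map has an IP match clause, otherwise forwarded.
    return "drop" if has_ip_clause else "forward"

# Constructed sample packets (source, destination)
SAMPLES = [
    ("10.1.2.7", "10.1.1.100"),   # VLAN 20 subnet host to the server
    ("10.1.1.4", "10.1.1.100"),   # restricted VLAN 10 host to the server
    ("10.1.1.5", "10.1.1.100"),   # unrestricted VLAN 10 host to the server
    ("10.9.9.9", "10.1.1.100"),   # source outside 10.1.2.0-10.1.2.255
    ("10.1.1.4", "10.1.1.8"),     # restricted host to another host
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        print(f"{src:>10} -> {dst:<11} {vlan_map_action(SERVER1_MAP, src, dst)}")
    # Without sequence 20 the same map drops all IP traffic in VLAN 10.
    print(vlan_map_action(SERVER1_MAP[:1], "10.1.1.5", "10.1.1.100"))
```

Only the first two sample packets are dropped; removing the sequence 20 entry turns the map into a drop-everything filter for IP traffic in VLAN 10, which is why Step 2 ends with an explicit forward entry.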
