Chapter 16      Configuring Access Control
Using VACLs in your Network

Figure 16-6     Redirect DHCP Response for a Specific Server

[Figure 16-6, labels recovered from the figure: Host A, Host B, Host C; target server 1.2.3.4; Catalyst 6500 series switches with PFC; VLAN 10; DHCP response packets; VACL.]

Figure 16-6 shows that only the target server returns a DHCP response from the DHCP request.

Denying Access to a Server on Another VLAN

You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs to have access restricted as follows (see Figure 16-7):

•  Hosts in subnet 10.1.2.0/24 in VLAN 20 should not have access.
•  Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.

To deny access to a server on another VLAN, perform this task in privileged mode:

         Task                                              Command
Step 1   Deny traffic from hosts in subnet 10.1.2.0/8.     set security acl ip SERVER deny ip 10.1.2.0 0.0.0.255 host 10.1.1.100
Step 2   Deny traffic from host 10.1.1.4.                  set security acl ip SERVER deny ip host 10.1.1.4 host 10.1.1.100
Step 3   Deny traffic from host 10.1.1.8.                  set security acl ip SERVER deny ip host 10.1.1.8 host 10.1.1.100
Step 4   Permit other IP traffic.                          set security acl ip SERVER permit ip any any
Step 5   Commit the VACL.                                  commit security acl SERVER
Step 6   Map the VACL to VLAN 10.                          set security acl map SERVER 10
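The following Python model is an added example and is not part of the Cisco guide or of CatOS. It parses the six-line SERVER VACL from the table above and evaluates sample flows against it, so you can see what the ordering of the entries actually does: entries are matched first to last, the wildcard mask 0.0.0.255 in Step 1 covers the 10.1.2.0/24 subnet named in the bullet list, and traffic that matches no entry is dropped, which is why Step 4 (permit ip any any) is needed before the VACL is committed and mapped. The parser, the evaluation order and the implicit deny at the end are assumptions of this model (stated in the comments); only the `ip` protocol and the `any`, `host A.B.C.D` and `A.B.C.D W.W.W.W` address forms used on this page are handled, and the sample flows are constructed.

```python
import ipaddress
from typing import List, Tuple

# The VACL lines from the table above, used here as constructed input to the model.
SERVER_ACL = """
set security acl ip SERVER deny ip 10.1.2.0 0.0.0.255 host 10.1.1.100
set security acl ip SERVER deny ip host 10.1.1.4 host 10.1.1.100
set security acl ip SERVER deny ip host 10.1.1.8 host 10.1.1.100
set security acl ip SERVER permit ip any any
"""

# An ACE is modelled as (action, src_net, src_wildcard, dst_net, dst_wildcard),
# with all addresses as 32-bit integers.
Ace = Tuple[str, int, int, int, int]


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one address spec starting at tokens[i].

    Returns (network, wildcard_mask, next_index). Handles the three forms the
    page uses: 'any', 'host A.B.C.D', and 'A.B.C.D W.W.W.W' (wildcard mask).
    """
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1          # every bit is "don't care"
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2   # exact match
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_vacl(text: str, name: str) -> List[Ace]:
    """Return the ordered ACE list for the ACL called `name` (assumed syntax: the lines above)."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 9 or tokens[:4] != ["set", "security", "acl", "ip"] or tokens[4] != name:
            continue
        action, proto = tokens[5], tokens[6]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"only 'permit'/'deny' ip ACEs are modelled: {line}")
        src, src_wild, i = _parse_addr(tokens, 7)
        dst, dst_wild, _ = _parse_addr(tokens, i)
        aces.append((action, src, src_wild, dst, dst_wild))
    return aces


def _matches(addr: int, net: int, wild: int) -> bool:
    # Wildcard-mask semantics: a 1 bit in the mask means that bit is ignored,
    # so 10.1.2.0 with 0.0.0.255 matches every address in 10.1.2.0/24.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(aces: List[Ace], src_ip: str, dst_ip: str) -> str:
    """First-match evaluation; a flow matching no entry is denied (implicit deny assumed)."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for action, net_s, wild_s, net_d, wild_d in aces:
        if _matches(s, net_s, wild_s) and _matches(d, net_d, wild_d):
            return action
    return "deny"


if __name__ == "__main__":
    acl = parse_vacl(SERVER_ACL, "SERVER")
    # Constructed sample flows: a VLAN 20 host, the two named VLAN 10 hosts, an
    # unnamed VLAN 10 host, and the VLAN 20 host talking to a different server.
    flows = [("10.1.2.77", "10.1.1.100"), ("10.1.1.4", "10.1.1.100"),
             ("10.1.1.8", "10.1.1.100"), ("10.1.1.9", "10.1.1.100"),
             ("10.1.2.77", "10.1.1.101")]
    for src, dst in flows:
        print(f"{src} -> {dst}: {evaluate(acl, src, dst)}")
    # Without Step 4 everything else is dropped; with the permit moved to the
    # top, the three deny entries are never reached.
    print("without step 4:", evaluate(acl[:3], "10.1.1.9", "10.1.1.100"))
    print("permit first:  ", evaluate([acl[3]] + acl[:3], "10.1.2.77", "10.1.1.100"))
```

Two checks in the block are worth keeping in mind when you write your own VACLs: evaluating the list without the final `permit ip any any` shows that every other flow to the server is dropped, and evaluating it with the permit moved to the top shows that the three deny entries are shadowed and never take effect. Order the specific deny entries first, as the table does, and verify the committed ACL before mapping it to the VLAN.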
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4      78-13315-02      16-25