VLAN Maps
© 2003, Cisco Systems, Inc. All rights reserved.
• The steps involved in implementing VLAN access lists (VACLs):

1. Define the VLAN access map. To define a VLAN access map use the command:
   Switch(config)# vlan access-map <map-name> [sequence-number]
   Access map statements are evaluated in ascending sequence-number order; the first statement whose match clause matches the packet supplies the action.
2. Define the matching conditions that identify the traffic to be filtered. Use the access-map configuration command:
   Switch(config-access-map)# match {ip address {<acl-number> | <acl-name>} | mac address <acl-name>}
   In a VACL a permit entry in the referenced ACL only means "this traffic matches the clause"; whether it is dropped or forwarded is decided by the action in step 3.
3. Define the action to be performed on the matched traffic. Use the command:
   Switch(config-access-map)# action {drop | forward [capture] | redirect <interface-type> <mod>/<num>}
4. Apply the VACL to one or more VLANs (a VACL filters traffic within the VLAN, not a routed interface). Use the global configuration command:
   Switch(config)# vlan filter <map-name> vlan-list <list-of-vlans>
   A packet that matches no statement in the map is dropped (implicit deny at the end of the access map), so a map that drops unwanted traffic must end with a catch-all statement that forwards everything else.
Scenario

• Build and configure the network.
• Create VLAN 100 on the switch.
• Client pool of addresses: 192.168.100.1-192.168.100.254.
• Allow the Accounting Supervisors (hosts 192.168.100.9-15/24) to reach the Accounting Server (192.168.100.254).
• Block all other clients in the designated pool from reaching the server.
• Allow ALL other clients outside of the designated pool to reach the server.

[Topology diagram: client 192.168.100.9/24 and server 192.168.100.254/24 connected to switch ports Fa0/3 and Fa0/1]
VLAN Map Configuration Steps

1. Create named extended ACLs to identify source traffic:
   • an 'allow' address range
   • a 'block' address range
   • the 'default' address range (all other traffic)
   Identify traffic from specific to general.
2. Create VLAN maps using numbered compound statements. The numbered statements are executed in ascending order and identify the appropriate action for each address range (action forward, action drop).
3. Apply the VLAN map using a VLAN filter. Identify the VLAN map name and the corresponding VLAN to be filtered.
Create named Extended ACLs

• Use specific information for authorized traffic
• Allow ----- Block ----- Default

Switch(config)#ip access-list extended AllowAcctTraffic
Switch(config-ext-nacl)#permit tcp 192.168.100.8 0.0.0.7 host 192.168.100.254 eq www

Switch(config)#ip access-list extended BlockAcctTraffic
Switch(config-ext-nacl)#permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq www

Switch(config)#ip access-list extended DefaultAcctTraffic
Switch(config-ext-nacl)#permit ip any any

All three ACLs use permit: in a VACL the ACL only selects the traffic, and the access-map action (forward or drop) decides what happens to it. Two details worth checking against the scenario: the wildcard 192.168.100.8 0.0.0.7 matches 192.168.100.8 through 192.168.100.15, so it also admits the .8 address that the scenario did not list, and both the allow and the block ACL match only TCP to port 80 (www), so other protocols from the blocked clients are not caught by BlockAcctTraffic and fall through to the default entry.
Create VLAN Access Map
Switch(config)# vlan access-map AcctTrafficMap 10
Switch(config-access-map)# match ip address AllowAcctTraffic
Switch(config-access-map)#action forward
Switch(config-access-map)#exit
Switch(config)# vlan access-map AcctTrafficMap 20
Switch(config-access-map)# match ip address BlockAcctTraffic
Switch(config-access-map)#action drop
Switch(config-access-map)#exit
Switch(config)# vlan access-map AcctTrafficMap 30
Switch(config-access-map)# match ip address DefaultAcctTraffic
Switch(config-access-map)#action forward
Switch(config-access-map)#end
Create VLAN Filter & Apply to correct VLAN

Switch(config)#vlan filter AcctTrafficMap vlan-list 100

To verify: show vlan filter
Corresponding parts - Allow: Named ACL & VLAN Map

Allow
Switch(config)#ip access-list extended AllowAcctTraffic
Switch(config-ext-nacl)#permit tcp 192.168.100.8 0.0.0.7 host 192.168.100.254 eq www
. . . . .
Switch(config)# vlan access-map AcctTrafficMap 10
Switch(config-access-map)# match ip address AllowAcctTraffic
Switch(config-access-map)#action forward
Switch(config-access-map)#exit
. . . . .
Switch(config)#vlan filter AcctTrafficMap vlan-list 100
Corresponding parts - Block: Named ACL & VLAN Map

Block
Switch(config)#ip access-list extended BlockAcctTraffic
Switch(config-ext-nacl)#permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq www
. . . . .
Switch(config)# vlan access-map AcctTrafficMap 20
Switch(config-access-map)# match ip address BlockAcctTraffic
Switch(config-access-map)#action drop
Switch(config-access-map)#exit
. . . . .
Switch(config)#vlan filter AcctTrafficMap vlan-list 100
Corresponding parts - Default: Named ACL & VLAN Map

Default
Switch(config)#ip access-list extended DefaultAcctTraffic
Switch(config-ext-nacl)#permit ip any any
. . . . .
Switch(config)# vlan access-map AcctTrafficMap 30
Switch(config-access-map)# match ip address DefaultAcctTraffic
Switch(config-access-map)#action forward
Switch(config-access-map)#exit
. . . . .
Switch(config)#vlan filter AcctTrafficMap vlan-list 100
Verify Configuration --- Test Connectivity

To verify the configuration, use:
show vlan access-map
show vlan filter

To test connectivity (and blocked connectivity), add clients with the appropriate IP addresses, or use extended ping commands, which let you choose a source address in the allowed, blocked and default ranges. Note that the Allow and Block ACLs match only TCP port 80, so the ICMP of a ping is forwarded by the default entry regardless of source; to exercise the drop entry, open a TCP connection to port 80 on the server from a blocked address.
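The evaluation order and the implicit deny described above are easy to get wrong when a map is edited later, and the ACLs' port match means a ping test does not tell the whole story. The following Python model is an added example, not code from the original Cisco slides: it replays the AcctTrafficMap configuration against constructed sample flows the way the switch walks the map (ascending sequence, first match wins, no match means drop). Only the ACL entries and the map entries are transcribed from the slides; the Flow and ACE layout, the function names and the sample flows are assumptions made for the example.

```python
"""VACL evaluation model for the AcctTrafficMap example (added example,
not from the original slides). ACL and map entries are transcribed from
the slides; Flow/ACE layout and sample flows are constructed here."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str               # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


# Access control entry: (protocol, src, src-wildcard, dst, dst-wildcard, dport)
ACE = Tuple[str, str, str, str, str, Optional[int]]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def ace_matches(ace: ACE, flow: Flow) -> bool:
    proto, src, src_wc, dst, dst_wc, dport = ace
    if proto != "ip" and proto != flow.proto:
        return False
    if not (wildcard_match(flow.src, src, src_wc) and wildcard_match(flow.dst, dst, dst_wc)):
        return False
    return dport is None or dport == flow.dport


# Named extended ACLs from the slides. Every entry is a 'permit': in a VACL the
# ACL only selects traffic; the access-map action decides what happens to it.
ANY = ("0.0.0.0", "255.255.255.255")
HOST_SERVER = ("192.168.100.254", "0.0.0.0")      # 'host 192.168.100.254'
ACLS = {
    "AllowAcctTraffic":   [("tcp", "192.168.100.8", "0.0.0.7", *HOST_SERVER, 80)],
    "BlockAcctTraffic":   [("tcp", "192.168.100.0", "0.0.0.255", *HOST_SERVER, 80)],
    "DefaultAcctTraffic": [("ip", *ANY, *ANY, None)],
}

# vlan access-map AcctTrafficMap: (sequence, match ip address <acl>, action)
ACCESS_MAP = [
    (10, "AllowAcctTraffic", "forward"),
    (20, "BlockAcctTraffic", "drop"),
    (30, "DefaultAcctTraffic", "forward"),
]


def evaluate(flow: Flow, access_map=ACCESS_MAP, acls=ACLS):
    """Return (sequence, action) for the first map entry whose ACL matches.

    A flow that matches no entry returns (None, 'drop'): the implicit deny at
    the end of a VLAN access map drops it even though no entry says 'drop'.
    """
    for seq, acl_name, action in sorted(access_map, key=lambda e: e[0]):
        if any(ace_matches(ace, flow) for ace in acls[acl_name]):
            return seq, action
    return None, "drop"


SRV = "192.168.100.254"
# Constructed sample flows (not from the slides), one per scenario rule
SAMPLE_FLOWS = {
    "supervisor .9 -> server:80":         Flow("192.168.100.9", SRV, "tcp", 80),
    "host .8 -> server:80":               Flow("192.168.100.8", SRV, "tcp", 80),
    "pool client .50 -> server:80":       Flow("192.168.100.50", SRV, "tcp", 80),
    "pool client .50 -> server:22":       Flow("192.168.100.50", SRV, "tcp", 22),
    "pool client .50 -> server (ping)":   Flow("192.168.100.50", SRV, "icmp"),
    "outside host 10.0.0.5 -> server:80": Flow("10.0.0.5", SRV, "tcp", 80),
}


def evaluate_all(access_map=ACCESS_MAP):
    return {name: evaluate(flow, access_map) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (seq, action) in evaluate_all().items():
        print(f"{name:38s} seq {seq!s:>4}  {action}")
    # Same flows with entry 30 removed: outside hosts now hit the implicit deny.
    print("without entry 30:", evaluate_all(ACCESS_MAP[:2])["outside host 10.0.0.5 -> server:80"])
```

Running the model shows the three behaviours a practitioner should confirm on the real switch: host .8 is forwarded by entry 10 because of the 0.0.0.7 wildcard, a blocked client's ping and SSH are forwarded by entry 30 because the ACLs match only port 80, and deleting entry 30 silently drops every flow that the first two entries do not cover.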