
VLAN Maps


heppner


Presentation Transcript


  1. VLAN Maps

  2. The steps involved in implementing VLAN access lists:

     1. Define the VLAN access map. To define a VLAN access map, use the command:
           Switch(config)# vlan access-map <map-name> [sequence-number]
        Access map statements are evaluated in order of their sequence number.
     2. Define matching conditions to identify the traffic to be filtered. Use the access-map configuration command:
           Switch(config-access-map)# match {ip address {<acl-number> | <acl-name>} | mac address <acl-name>}
     3. Define the action to be performed on the matched traffic. Use the command:
           Switch(config-access-map)# action {drop | forward [capture] | redirect <interface-type> <mod>/<num>}
     4. Apply the VACL to a VLAN. Use the global configuration command:
           Switch(config)# vlan filter <map-name> vlan-list <list-of-vlans>

  3. Scenario (topology figure: switch ports Fa0/3 and Fa0/1; host 192.168.100.9/24 and server 192.168.100.254/24)
     • Build and configure the network
     • Create VLAN 100 on the switch.
     • Client pool of addresses: 192.168.100.1-192.168.100.254
     • Allow Accounting Supervisors (Hosts 192.168.100.9-15/24) to reach the Accounting Server (192.168.100.254)
     • Block all other clients in the designated pool from reaching the server
     • Allow ALL other clients outside of the designated pool to reach the server

  4. VLAN Map Configuration Steps
     1. Create named extended ACLs to identify source traffic:
        • an 'allow' address range
        • a 'block' address range
        • the 'default' address range (all other traffic)
        Identify traffic from specific to general.
     2. Create VLAN Maps using numbered compound statements. The numbered statements are executed in ascending order and identify the appropriate action for each address range (action forward, action drop).
     3. Apply the VLAN Map using a VLAN filter. Identify the VLAN Map name and the corresponding VLAN to be filtered.

  5. Create named Extended ACLs
     Use specific information for authorized traffic.
     Allow:
        Switch(config)# ip access-list extended AllowAcctTraffic
        Switch(config-ext-nacl)# permit tcp 192.168.100.8 0.0.0.7 host 192.168.100.254 eq www

  6. Create named Extended ACLs
     Use specific information for authorized traffic.
     Allow:
        Switch(config)# ip access-list extended AllowAcctTraffic
        Switch(config-ext-nacl)# permit tcp 192.168.100.8 0.0.0.7 host 192.168.100.254 eq www
     Block:
        Switch(config)# ip access-list extended BlockAcctTraffic
        Switch(config-ext-nacl)# permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq www

  7. Create named Extended ACLs
     • Use specific information for authorized traffic.
     • Allow, Block, Default:
        Switch(config)# ip access-list extended AllowAcctTraffic
        Switch(config-ext-nacl)# permit tcp 192.168.100.8 0.0.0.7 host 192.168.100.254 eq www
        Switch(config)# ip access-list extended BlockAcctTraffic
        Switch(config-ext-nacl)# permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq www
        Switch(config)# ip access-list extended DefaultAcctTraffic
        Switch(config-ext-nacl)# permit ip any any

  8. Create VLAN Access Map
        Switch(config)# vlan access-map AcctTrafficMap 10
        Switch(config-access-map)# match ip address AllowAcctTraffic
        Switch(config-access-map)# action forward
        Switch(config-access-map)# exit

  9. Create VLAN Access Map
        Switch(config)# vlan access-map AcctTrafficMap 10
        Switch(config-access-map)# match ip address AllowAcctTraffic
        Switch(config-access-map)# action forward
        Switch(config-access-map)# exit
        Switch(config)# vlan access-map AcctTrafficMap 20
        Switch(config-access-map)# match ip address BlockAcctTraffic
        Switch(config-access-map)# action drop
        Switch(config-access-map)# exit

  10. Create VLAN Access Map
        Switch(config)# vlan access-map AcctTrafficMap 10
        Switch(config-access-map)# match ip address AllowAcctTraffic
        Switch(config-access-map)# action forward
        Switch(config-access-map)# exit
        Switch(config)# vlan access-map AcctTrafficMap 20
        Switch(config-access-map)# match ip address BlockAcctTraffic
        Switch(config-access-map)# action drop
        Switch(config-access-map)# exit
        Switch(config)# vlan access-map AcctTrafficMap 30
        Switch(config-access-map)# match ip address DefaultAcctTraffic
        Switch(config-access-map)# action forward
        Switch(config-access-map)# end

  11. Create VLAN Filter & Apply to the correct VLAN
        Switch(config)# vlan filter AcctTrafficMap vlan-list 100
      To verify: show vlan filter
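The three-sequence map above only does what slide 3 asks if the sequences are evaluated in ascending order and the first matching ACL wins. The following Python model is an added example, not part of the presentation or of any Cisco software: it encodes the ACLs from slide 7 and the AcctTrafficMap from slide 10, applies Cisco wildcard-mask matching, and reports the action each host from the scenario would receive, so the design can be checked before the `vlan filter` command is applied. It assumes (my assumptions, not the slides') first-match semantics in ascending sequence order, an implicit drop when no sequence matches, and models only IP/TCP address and port fields.

```python
"""Model of how a VACL evaluates packets, to sanity-check AcctTrafficMap.

Added example; assumes ascending-sequence first-match evaluation and an
implicit drop when no sequence matches (not a claim about any real switch).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80


@dataclass(frozen=True)
class AclEntry:
    """One 'permit' line of a named extended ACL."""
    proto: str          # "ip" matches any IP protocol, otherwise exact
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc)
                and (self.dport is None or self.dport == p.dport))


def acl_permits(entries: List[AclEntry], p: Packet) -> bool:
    """An ACL used in a VACL 'match' selects traffic its permit lines cover."""
    return any(e.matches(p) for e in entries)


# Named extended ACLs from slide 7 ("host X" is X 0.0.0.0, "any" is 0.0.0.0 255.255.255.255).
ACLS: Dict[str, List[AclEntry]] = {
    "AllowAcctTraffic": [AclEntry("tcp", "192.168.100.8", "0.0.0.7", "192.168.100.254", "0.0.0.0", 80)],
    "BlockAcctTraffic": [AclEntry("tcp", "192.168.100.0", "0.0.0.255", "192.168.100.254", "0.0.0.0", 80)],
    "DefaultAcctTraffic": [AclEntry("ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")],
}

# vlan access-map AcctTrafficMap, sequences 10/20/30 from slide 10.
ACCT_TRAFFIC_MAP: List[Tuple[int, str, str]] = [
    (10, "AllowAcctTraffic", "forward"),
    (20, "BlockAcctTraffic", "drop"),
    (30, "DefaultAcctTraffic", "forward"),
]


def vacl_action(access_map, acls, p: Packet) -> str:
    """First sequence (ascending) whose ACL selects the packet decides the action."""
    for _seq, acl_name, action in sorted(access_map):
        if acl_permits(acls[acl_name], p):
            return action
    return "drop"  # nothing matched: VACL implicit deny


def evaluate_scenario(access_map=ACCT_TRAFFIC_MAP) -> Dict[str, str]:
    """Return {case: action} for constructed packets matching the slide 3 scenario."""
    server = "192.168.100.254"
    cases = {
        "supervisor .9 -> server www": Packet("192.168.100.9", server),
        "supervisor .15 -> server www": Packet("192.168.100.15", server),
        "pool client .16 -> server www": Packet("192.168.100.16", server),
        "pool client .100 -> server www": Packet("192.168.100.100", server),
        "outside pool 10.1.1.5 -> server www": Packet("10.1.1.5", server),
        # Caveat: BlockAcctTraffic only names "eq www", so other ports fall to the default.
        "pool client .100 -> server ssh": Packet("192.168.100.100", server, dport=22),
    }
    return {name: vacl_action(access_map, ACLS, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, action in evaluate_scenario().items():
        print(f"{name:40s} {action}")
    # Putting the block sequence before the allow sequence shows why order matters.
    swapped = [(10, "BlockAcctTraffic", "drop"), (20, "AllowAcctTraffic", "forward"),
               (30, "DefaultAcctTraffic", "forward")]
    print("swapped order, supervisor .9:", evaluate_scenario(swapped)["supervisor .9 -> server www"])
```

Two things the model makes visible that the slides do not state: supervisors are forwarded only because sequence 10 precedes sequence 20 (swapping them drops them), and because BlockAcctTraffic names `eq www`, a pool client reaching the server on any other port is selected by DefaultAcctTraffic and forwarded; if "block from reaching the server" is meant literally, the block ACL needs a broader entry.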

  12. Corresponding parts - Allow: Named ACL & VLAN Map
        Switch(config)# ip access-list extended AllowAcctTraffic
        Switch(config-ext-nacl)# permit tcp 192.168.100.8 0.0.0.7 host 192.168.100.254 eq www
        . . . . .
        Switch(config)# vlan access-map AcctTrafficMap 10
        Switch(config-access-map)# match ip address AllowAcctTraffic
        Switch(config-access-map)# action forward
        Switch(config-access-map)# exit
        . . . . .
        Switch(config)# vlan filter AcctTrafficMap vlan-list 100

  13. Corresponding parts - Block: Named ACL & VLAN Map
        Switch(config)# ip access-list extended BlockAcctTraffic
        Switch(config-ext-nacl)# permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq www
        . . . . .
        Switch(config)# vlan access-map AcctTrafficMap 20
        Switch(config-access-map)# match ip address BlockAcctTraffic
        Switch(config-access-map)# action drop
        Switch(config-access-map)# exit
        . . . . .
        Switch(config)# vlan filter AcctTrafficMap vlan-list 100

  14. Corresponding parts - Default: Named ACL & VLAN Map
        Switch(config)# ip access-list extended DefaultAcctTraffic
        Switch(config-ext-nacl)# permit ip any any
        . . . . .
        Switch(config)# vlan access-map AcctTrafficMap 30
        Switch(config-access-map)# match ip address DefaultAcctTraffic
        Switch(config-access-map)# action forward
        Switch(config-access-map)# exit
        . . . . .
        Switch(config)# vlan filter AcctTrafficMap vlan-list 100

  15. Verify Configuration and Test Connectivity
      • To verify the configuration, use: show vlan access-map
      • To test permitted or blocked connectivity, add clients with the appropriate IP addresses or use extended ping commands.