This example will match all TCP traffic in VLANs 20-22 and drop it:
Switch(config)# ip access-list extended ip1
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map VLANmap1 10
Switch(config-access-map)# match ip address ip1
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan filter VLANmap1 vlan-list 20-22
A nice feature of the VLAN map is that you don't necessarily have to have the switch acting as a Layer 3 device. Let's say that you have 3 Catalyst 3550 Series switches in your network. You only want one of these switches acting as your Layer 3 "router," and you want your other 2 switches simply acting as intelligent Layer 2 devices. You can configure VLAN maps on your Layer 2 switches to forward or drop certain traffic, filtering it at the ingress point. For example, let's say you have a PC hanging off of each Layer 2 switch (PC 1 and PC 2), and each of these switches (Switch X and Switch Y) is connected to the switch acting as the router (Switch Z). Let's continue in our imaginary network and say that PC 1 is connected to Switch X, and PC 2 is connected to Switch Y. Let's also say that we do not want PC 1 to access HTTP information on PC 2. How can we accomplish this at Layer 2? By using VLAN maps! You can configure something similar to this:
Switch(config)# ip access-list extended http
Switch(config-ext-nacl)# permit tcp host PC1_ADDRESS host PC2_ADDRESS eq www
Switch(config-ext-nacl)# exit
Switch(config)# ip access-list extended match_all
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map2 10
Switch(config-access-map)# match ip address http
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map map2 20
Switch(config-access-map)# match ip address match_all
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter map2 vlan-list 1
Here PC1_ADDRESS and PC2_ADDRESS stand in for the two hosts' actual IP addresses; the http access list is what sequence 10 of map2 matches against.
This will drop HTTP traffic from PC1 to PC2 at Switch X, saving uplink bandwidth and avoiding unnecessary processor utilization at Switch Z (the router). The traffic simply never gets bridged to the forwarding engine.
If you wanted to accomplish this with a router ACL, you would have to enable IP routing on Switches X and Y.
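To make the evaluation order of map2 concrete, here is a small Python model of how a VLAN access map processes a packet: each sequence's "match ip address" clause is hit only when its access list permits the packet (a deny entry in that ACL means "not this clause", not "drop"), the first hit decides the action, and a packet that hits no clause is dropped by the map's implicit deny. This is an added example written for this page, not Cisco code and not configuration from the original text; the PC addresses 10.1.1.10 and 10.1.1.20 are constructed, and HTTP is taken to be TCP port 80. It also shows why sequence 20 matters: the same map without the match_all/forward clause drops everything that is not HTTP, which is exactly the situation of VLANmap1 above, where non-TCP traffic in VLANs 20-22 is dropped as well.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addresses (assumptions; the original page gives none).
PC1 = "10.1.1.10"
PC2 = "10.1.1.20"


@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    """One entry of an IOS-style extended access list (simplified model)."""
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every IP protocol
    src: str                   # host address, CIDR prefix, or "any"
    dst: str
    dport: Optional[int] = None

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return self._addr_ok(self.src, pkt.src) and self._addr_ok(self.dst, pkt.dst)


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching ACE decides; the list ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


@dataclass
class MapEntry:
    seq: int
    acl_name: str
    action: str                # "drop" or "forward"


def vacl_decide(entries, acls, pkt: Packet) -> str:
    """Evaluate a VLAN access map: a clause is hit when its ACL permits the
    packet, the lowest-numbered hit wins, and no hit means an implicit drop."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if acl_permits(acls[entry.acl_name], pkt):
            return entry.action
    return "drop"


# The two access lists from the map2 configuration (hypothetical addresses).
ACLS = {
    "http": [Ace("permit", "tcp", PC1, PC2, 80)],
    "match_all": [Ace("permit", "ip", "any", "any")],
}

MAP2 = [MapEntry(10, "http", "drop"), MapEntry(20, "match_all", "forward")]
MAP2_NO_CATCH_ALL = [MapEntry(10, "http", "drop")]   # sequence 20 omitted


def decide_map2(pkt: Packet) -> str:
    return vacl_decide(MAP2, ACLS, pkt)


def decide_without_catch_all(pkt: Packet) -> str:
    return vacl_decide(MAP2_NO_CATCH_ALL, ACLS, pkt)


if __name__ == "__main__":
    samples = {
        "HTTP PC1->PC2": Packet("tcp", PC1, PC2, 80),
        "HTTP PC2->PC1": Packet("tcp", PC2, PC1, 80),
        "SSH  PC1->PC2": Packet("tcp", PC1, PC2, 22),
        "ICMP PC1->PC2": Packet("icmp", PC1, PC2),
    }
    for name, pkt in samples.items():
        print(f"{name}: map2={decide_map2(pkt)}  "
              f"without seq 20={decide_without_catch_all(pkt)}")
```

Running the script shows that with map2 only the PC1-to-PC2 HTTP packet is dropped, while the same map without sequence 20 also drops SSH and ICMP, which is the implicit-deny behaviour to keep in mind whenever a VLAN map contains only drop clauses.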