Things to keep in mind when configuring a VLAN Map:
If there is no router ACL configured to deny traffic on a routed VLAN interface (input or output), and no VLAN map configured, all traffic is permitted.
Each VLAN map consists of a series of entries. The order of entries in an VLAN map is important. A packet that comes into the switch is tested against the first entry in the VLAN map. If it matches, the action specified for that part of the VLAN map is taken. If there is no match, the packet is tested against the next entry in the map.
If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does not match any of these match clauses, the default is to drop the packet. If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet.
The system might take longer to boot if you have configured a very large number of ACLs.
When a switch has an IP access list or MAC access list applied to a Layer 2 interface, you can create VLAN maps, but you cannot apply a VLAN map to any of the switch VLANs. An error message is generated if you attempt to do so.
VLAN Maps are similar to Route map configuration. You first have to create an ACL, and then in your VLAN map apply this ACL, while still in VLAN-map configuration mode you have to decide on an action to perform on the matched traffic (drop, forward). Traffic is compared sequentially to the VLAN Map, once a match is made no further comparisons are performed.
This example will match all TCP traffic in VLANs 20-22 and drop it:
Switch(config)# ip access-list extended ip1 Switch(config-ext-nacl)# permit tcp any any Switch(config-ext-nacl)# exit Switch(config)# vlan access-map VLANmap1 10 Switch(config-access-map)# match ip address ip1 Switch(config-access-map)# action drop Switch(config)# vlan filter VLANmap1 vlan-list 20-22
精品推荐