Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide

380261-003
Chapter 26 Configuring Network Security with ACLs
Configuring VLAN Maps
Next, create VLAN access map map2 so that traffic that matches the http access list is dropped and all other IP traffic is forwarded.
Switch(config)# vlan access-map map2 10
Switch(config-access-map)# match ip address http
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# ip access-list extended match_all
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map2 20
Switch(config-access-map)# match ip address match_all
Switch(config-access-map)# action forward
Then, apply VLAN access map map2 to VLAN 1.
Switch(config)# vlan filter map2 vlan 1
Denying Access to a Server on a VLAN
You can restrict access to a server on a VLAN. For example, server 10.1.1.100 in VLAN 10 needs to have access denied to hosts 10.1.1.4 and 10.1.1.8 (see Figure 26-4):
Figure 26-4 Deny Access to a Server on a VLAN
This example shows how to deny access to a server on another VLAN by creating the VLAN map SERVER1 that denies access to hosts in subnet 10.1.2.0.8, host 10.1.1.4, and host 10.1.1.8 and permits other IP traffic. The final step is to apply the map SERVER1 to VLAN 10.
Step 1 Define the IP ACL that will match the correct packets.
Switch(config)# ip access-list extended SERVER1_ACL
Switch(config-ext-nacl)# permit ip host 10.1.1.4 host 10.1.1.100
Switch(config-ext-nacl)# permit ip host 10.1.1.8 host 10.1.1.100
Switch(config-ext-nacl)# exit
Step 2 Define a VLAN map using this ACL that will drop IP packets that match SERVER1_ACL and forward IP packets that do not match the ACL.
Switch(config)# vlan access-map SERVER1_MAP
Switch(config-access-map)# match ip address SERVER1_ACL
Switch(config-access-map)# action drop
[Figure 26-4 labels: Layer 2 switch with VLAN map; Host (VLAN 10) 10.1.1.4; Host (VLAN 10) 10.1.1.8; Blade Server (VLAN 10) 10.1.1.100; Packet]
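The two examples above (map2 and SERVER1_MAP) both rely on how a VLAN map is evaluated: clauses are tried in sequence-number order, a clause matches only when its ACL permits the packet, and an IP packet that matches none of the map's IP clauses is dropped. The following Python simulation is an added example, not configuration or code from this guide; it models those rules for IP packets only, and then evaluates the guide's own ACLs and maps against a few constructed packets. The body of the http access list is not on this page, so a single permit for TCP port 80 is assumed for it. The example goes one step beyond the page by evaluating SERVER1_MAP both as shown in Step 2 (drop clause only) and with a trailing forward clause built from a permit-any ACL, the same pattern map2 uses, to show why that catch-all clause matters.

```python
"""Simulation of Cisco VLAN access-map evaluation (added example, not from the guide).

Rules modelled:
  * A map clause matches when its ACL *permits* the packet; an ACL deny entry
    or ACL fall-through means "no match", so the next clause is tried.
  * Clauses are evaluated in sequence-number order; the first match decides.
  * If the map has IP match clauses but none match an IP packet, the packet
    is dropped (implicit deny); a map with no IP clauses forwards IP traffic.
Only IP packets and IP ACLs are modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip" (no L4 header modelled), "tcp" or "udp"
    dport: Optional[int] = None


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any IP protocol; else "tcp"/"udp"
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    dport: Optional[int] = None  # "eq <port>" on the destination


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _entry_matches(e: AclEntry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return _addr_matches(e.src, p.src) and _addr_matches(e.dst, p.dst)


def acl_permits(acl: List[AclEntry], p: Packet) -> bool:
    """First matching entry wins; falling off the end is an implicit deny."""
    for e in acl:
        if _entry_matches(e, p):
            return e.action == "permit"
    return False


@dataclass
class MapClause:
    seq: int
    action: str                  # "drop" or "forward"
    match_acl: List[AclEntry]    # the "match ip address <acl>" statement


def evaluate_vlan_map(clauses: List[MapClause], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number of the deciding clause or None if implicit)."""
    if not clauses:
        return "forward", None          # no IP clauses: IP traffic is forwarded
    for c in sorted(clauses, key=lambda c: c.seq):
        if acl_permits(c.match_acl, p):
            return c.action, c.seq
    return "drop", None                 # IP clauses exist but none matched


# --- ACLs and maps from the guide (the http ACL body is assumed) ---
HTTP_ACL = [AclEntry("permit", "tcp", "any", "any", dport=80)]   # assumed body
MATCH_ALL = [AclEntry("permit", "ip", "any", "any")]
MAP2 = [MapClause(10, "drop", HTTP_ACL), MapClause(20, "forward", MATCH_ALL)]

SERVER1_ACL = [
    AclEntry("permit", "ip", "host 10.1.1.4", "host 10.1.1.100"),
    AclEntry("permit", "ip", "host 10.1.1.8", "host 10.1.1.100"),
]
SERVER1_MAP_STEP2 = [MapClause(10, "drop", SERVER1_ACL)]                        # as shown in Step 2
SERVER1_MAP_FULL = SERVER1_MAP_STEP2 + [MapClause(20, "forward", MATCH_ALL)]    # with a catch-all forward


def demo() -> None:
    # Constructed sample packets, not traffic from the guide.
    cases = [
        ("map2, HTTP to server", MAP2, Packet("10.1.1.4", "10.1.1.100", "tcp", 80)),
        ("map2, HTTPS to server", MAP2, Packet("10.1.1.4", "10.1.1.100", "tcp", 443)),
        ("Step 2 map, blocked host", SERVER1_MAP_STEP2, Packet("10.1.1.4", "10.1.1.100")),
        ("Step 2 map, other host", SERVER1_MAP_STEP2, Packet("10.1.1.9", "10.1.1.100")),
        ("full map, other host", SERVER1_MAP_FULL, Packet("10.1.1.9", "10.1.1.100")),
    ]
    for label, vmap, pkt in cases:
        print(f"{label}: {evaluate_vlan_map(vmap, pkt)}")


if __name__ == "__main__":
    demo()
```

The fourth case is the one to notice: with only the drop clause present, a host the ACL never mentions is still dropped, because the map has an IP match clause and nothing matched. The permit-any forward clause turns that implicit deny into the "forward all other IP traffic" behaviour the step describes. SERVER1_ACL also only names the host-to-server direction, so a packet from 10.1.1.100 back to 10.1.1.4 reaches the forward clause; that is harmless here because the request it would answer never arrives.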