[B]1: Create a VLAN map[/B]
Step 1 configure terminal
Step 2 vlan access-map name [number] Create a VLAN map, and give it a name and (optionally) a number.
Step 3 action {drop | forward} (Optional) Set the action for the map entry. The default is to forward.
Step 4 match {ip | mac} address {name | number} [name | number] Match the packet (using either the IP or MAC address) against one or more standard or extended access lists.
Step 5 end
[B]Note: use the no vlan access-map name global configuration command to delete a VLAN map.[/B]
[B]Example 1[/B]
This example shows how to create an ACL and a VLAN map to deny a packet. In the first map entry, any packets that match the ip1 ACL (TCP packets) are dropped. You first create the ip1 ACL to permit any TCP packet and no other packets. Because there is a match clause for IP packets in the VLAN map, the default action is to drop any IP packet that does not match any of the match clauses.
[B]Switch(config)# ip access-list extended ip1
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map_1 10
Switch(config-access-map)# match ip address ip1
Switch(config-access-map)# action drop[/B]
[B]Example 2[/B]
This example shows how to create a VLAN map to permit a packet. ACL ip2 permits UDP packets and
any packets that match the ip2 ACL are forwarded.
[B]Switch(config)# ip access-list extended ip2
Switch(config-ext-nacl)# permit udp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map_1 20
Switch(config-access-map)# match ip address ip2
Switch(config-access-map)# action forward[/B]
[B]Example 3[/B]
In this example, the VLAN map has a default action of drop for MAC packets and a default action of
forward for IP packets. Used with MAC extended access lists good-hosts and good-protocols, the map
will have the following results:
• Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.0211
• Forward MAC packets with decnet-iv or vines-ip protocols
• Drop all other non-IP packets
• Forward all IP packets
[B]Switch(config)# mac access-list extended good-hosts
Switch(config-ext-macl)# permit host 0000.0c00.0111 any
Switch(config-ext-macl)# permit host 0000.0c00.0211 any
Switch(config-ext-macl)# exit
Switch(config)# mac access-list extended good-protocols
Switch(config-ext-macl)# permit any any decnet-iv
Switch(config-ext-macl)# permit any any vines-ip
Switch(config-ext-macl)# exit
Switch(config)# vlan access-map drop-mac-default 10
Switch(config-access-map)# match mac address good-hosts
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-mac-default 20
Switch(config-access-map)# match mac address good-protocols
Switch(config-access-map)# action forward[/B]
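To make the evaluation rule behind Examples 1-3 concrete (first matching entry wins; a packet that matches no entry is dropped only when the map has a match clause of its type, otherwise forwarded), here is a small simulator written for this post. It is an added example, not code from the original post or from Cisco, and the Packet/AclEntry/MapEntry names and the sample packets are this example's own constructions; the ACLs and maps are the ones from Examples 1-3.

```python
# Added example: a small simulator of Cisco VLAN access-map (VACL) evaluation.
# Not code from the original post or from Cisco. It models the documented
# semantics: map entries are tried in sequence-number order and the first entry
# whose ACL permits the packet decides the action. If no entry matches, the packet
# is dropped when the map has a match clause for that packet type (ip or mac) and
# forwarded when it has none. Packet/AclEntry/MapEntry are this example's own names.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    kind: str            # "ip" for IP packets, "mac" for non-IP (MAC ACLs only see non-IP traffic)
    proto: str           # ip: "tcp", "udp", "icmp", ...; mac: ethertype name, e.g. "decnet-iv"
    src: str             # IP address or MAC address, depending on kind
    dst: str
    dport: Optional[int] = None


@dataclass
class AclEntry:
    """One ACE; 'any' is a wildcard. A matching deny entry means 'not matched'."""
    proto: str = "any"   # "ip" matches every IP packet; "any" matches everything
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    permit: bool = True


@dataclass
class MapEntry:
    seq: int
    match_type: str      # "ip" or "mac", i.e. "match ip address" / "match mac address"
    acls: list           # ACL names; the entry matches if any listed ACL permits the packet
    action: str = "forward"


def ace_matches(ace: AclEntry, pkt: Packet) -> bool:
    if ace.proto not in ("any", pkt.proto) and not (ace.proto == "ip" and pkt.kind == "ip"):
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def acl_permits(acl: list, pkt: Packet) -> bool:
    """First matching ACE decides; no match (or a deny match) means the ACL does not match."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.permit
    return False


def evaluate(vlan_map: list, acls: dict, pkt: Packet):
    """Return (action, seq): seq is the matching entry, or None for the implicit default."""
    for entry in sorted(vlan_map, key=lambda e: e.seq):
        if entry.match_type != pkt.kind:
            continue
        if any(acl_permits(acls[name], pkt) for name in entry.acls):
            return entry.action, entry.seq
    # Implicit default: drop only if the map has a match clause for this packet type.
    if any(e.match_type == pkt.kind for e in vlan_map):
        return "drop", None
    return "forward", None


# The ACLs and maps from Examples 1-3 above, transcribed into this model.
ACLS = {
    "ip1": [AclEntry(proto="tcp")],                                   # permit tcp any any
    "ip2": [AclEntry(proto="udp")],                                   # permit udp any any
    "good-hosts": [AclEntry(src="0000.0c00.0111"), AclEntry(src="0000.0c00.0211")],
    "good-protocols": [AclEntry(proto="decnet-iv"), AclEntry(proto="vines-ip")],
}
MAP_1 = [
    MapEntry(10, "ip", ["ip1"], "drop"),
    MapEntry(20, "ip", ["ip2"], "forward"),
]
DROP_MAC_DEFAULT = [
    MapEntry(10, "mac", ["good-hosts"], "forward"),
    MapEntry(20, "mac", ["good-protocols"], "forward"),
]

if __name__ == "__main__":
    # Constructed sample packets: TCP, UDP, ICMP and a non-IP frame against map_1.
    for p in (Packet("ip", "tcp", "10.1.1.1", "10.1.1.2", 80),
              Packet("ip", "udp", "10.1.1.1", "10.1.1.2", 53),
              Packet("ip", "icmp", "10.1.1.1", "10.1.1.2"),
              Packet("mac", "appletalk", "0000.0c00.0333", "ffff.ffff.ffff")):
        print("map_1", p.kind, p.proto, "->", evaluate(MAP_1, ACLS, p))
```

Running it shows the point the text makes about Example 1: the ICMP packet matches neither ip1 nor ip2 and is dropped by the implicit default, while the non-IP frame is forwarded because map_1 has no mac match clause. With drop-mac-default the situation is reversed: unknown non-IP frames are dropped and every IP packet is forwarded.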
=====================================================
[B]2: Apply a VLAN map to a VLAN[/B]
Step 1 configure terminal
Step 2 vlan filter mapname vlan-list list Apply the VLAN map to one or more VLAN IDs. The list can be a single VLAN ID (22), a consecutive list (10-22), or a string of VLAN IDs (12, 22, 30). Spaces around the comma and hyphen are optional.
To remove the VLAN map, use the no vlan filter mapname vlan-list list global configuration command.
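The vlan-list syntax above is easy to get wrong when generating or auditing configs, so here is an added parser for it, with a replay of vlan filter / no vlan filter lines that shows which map ends up bound to which VLAN. This is example code written for this post, not from the original post or from Cisco IOS; the function names, the 1-4094 range check and the "last command wins" rule for re-binding a VLAN are this example's own assumptions, and the command lines in the usage are constructed.

```python
# Added example (not from the post or from Cisco IOS): a parser for the vlan-list
# argument of "vlan filter <mapname> vlan-list <list>", plus a tiny model of the
# resulting VLAN-to-map binding. Function names, the 1-4094 range check and the
# replacement rule in apply_filter_commands are this example's own choices.
import re

VLAN_MIN, VLAN_MAX = 1, 4094
_ELEMENT = re.compile(r"(\d+)\s*(?:-\s*(\d+))?")
_FILTER_CMD = re.compile(r"^\s*(no\s+)?vlan filter (\S+) vlan-list (.+?)\s*$")


def parse_vlan_list(text: str) -> set:
    """Expand '22', '10-22' or '12, 22, 30' (spaces optional) into a set of VLAN IDs."""
    vlans = set()
    for item in text.split(","):
        item = item.strip()
        m = _ELEMENT.fullmatch(item)
        if not m:
            raise ValueError(f"bad vlan-list element {item!r} in {text!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"reversed range {item!r}")
        if not (VLAN_MIN <= lo and hi <= VLAN_MAX):
            raise ValueError(f"VLAN IDs in {item!r} outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(lo, hi + 1))
    return vlans


def apply_filter_commands(commands) -> dict:
    """Replay 'vlan filter' / 'no vlan filter' lines; return {vlan_id: map_name}.

    Modelling assumption: a later 'vlan filter' for a VLAN replaces the earlier
    binding, and 'no vlan filter' removes a binding only when the map name matches.
    """
    bound = {}
    for line in commands:
        m = _FILTER_CMD.match(line)
        if not m:
            raise ValueError(f"not a vlan filter command: {line!r}")
        negate, name, vlist = m.groups()
        for v in parse_vlan_list(vlist):
            if negate:
                if bound.get(v) == name:
                    del bound[v]
            else:
                bound[v] = name
    return bound


if __name__ == "__main__":
    # Constructed command lines, not taken from the post.
    sample = [
        "vlan filter map_1 vlan-list 10-12",
        "vlan filter drop-mac-default vlan-list 20, 22 , 30",
        "no vlan filter map_1 vlan-list 11",
    ]
    for vlan, name in sorted(apply_filter_commands(sample).items()):
        print(f"VLAN {vlan}: {name}")
```

A useful audit check built on this: a VLAN map that has been created but never appears in any binding does nothing, and a vlan-list typo such as "10-120" silently widens the scope of a drop rule to 111 VLANs, so expanding the list before applying it is worth the few lines.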
[B]Example 1[/B]
If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VLAN map on
Switch A to drop all HTTP traffic from Host X (IP address 10.1.1.32) to Host Y (IP address 10.1.1.34)
at Switch A and not bridge it to Switch B.
[B]1[/B] Define the IP access list http that permits (matches) any TCP traffic on the HTTP port.
[B]Switch(config)# ip access-list extended http
Switch(config-ext-nacl)# permit tcp host 10.1.1.32 host 10.1.1.34 eq www
Switch(config-ext-nacl)# exit[/B]
[B]2[/B] Create VLAN access map map2 so that traffic that matches the http access list is dropped and all other IP traffic is forwarded.
[B]Switch(config)# vlan access-map map2 10
Switch(config-access-map)# match ip address http
Switch(config-access-map)# a
This post is from the ChinaUnix blog; to read the original, visit: http://blog.chinaunix.net/u/33070/showart_318577.html