
VLAN Access Lists

VACL = VLAN Access Control List. Catalyst switches can use a VACL to filter traffic inside a VLAN, including traffic between two hosts in the same VLAN that never passes through a router.
Unlike a classic ACL it is not applied to an interface, and it has no inbound/outbound direction: it is applied to the VLAN as a whole and is evaluated for every packet bridged within that VLAN or routed into or out of it.

  • Switch(config)# vlan access-map map-name [sequence-number] – creates or enters one entry of the map; entries are evaluated in ascending sequence order, first match wins
  • Switch(config-access-map)# match ip address {acl-number | acl-name} – the referenced ACL only selects packets: a permit ACE means "this entry matches", a deny ACE (or the ACL's implicit deny) means "not this entry, evaluate the next one"; the ACL itself never drops anything
  • Switch(config-access-map)# match ipx address {acl-number | acl-name} – legacy, only on platforms that still support IPX (Catalyst 6500)
  • Switch(config-access-map)# match mac address acl-name – for non-IP traffic, matched by a MAC ACL
  • Switch(config-access-map)# action {drop | forward [capture] | redirect type mod/num} – drop and forward exist everywhere; capture and redirect are Catalyst 6500 features, the smaller Catalyst 3xxx switches only support drop and forward
  • Switch(config)# vlan filter map-name vlan-list vlan-list – applies the map to the listed VLANs; a packet matched by no entry of the map is dropped (implicit deny at the end of the VACL), so a map normally ends with an entry without a match clause and action forward

Example: host 192.168.99.17 must not be able to reach any other host in its own subnet 192.168.99.0/24 in VLAN 99 (traffic from the other hosts toward .17 is still forwarded, but .17 cannot answer):

Switch(config)# ip access-list extended local-17
! "permit" here means "select this traffic for the map entry", not "allow it"
Switch(config-ext-nacl)# permit ip host 192.168.99.17 192.168.99.0 0.0.0.255
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map block-17 10
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
! entry 20 has no match clause, so it matches everything else; without it the
! implicit deny at the end of the map would drop all other traffic in VLAN 99
Switch(config)# vlan access-map block-17 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter block-17 vlan-list 99

Check the result with show vlan access-map block-17 (entries, match clauses and actions) and show vlan filter (which VLANs the map is applied to).
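The order of evaluation is where VACL mistakes usually happen: a deny ACE inside the matched ACL does not drop, and a map with no catch-all entry drops everything it does not list. The following Python model of that evaluation is an added example, not part of the original page and not IOS code. It models only "ip" ACEs with host, any or address+wildcard, one match clause per map entry, and the implicit deny at the end of the map; ports are ignored. The addresses are taken from the page's example, and the gateway-exemption variant (192.168.99.1, deny ACE) is constructed for illustration.

```python
"""Model of Cisco VACL evaluation: added example, not IOS code.

Models extended ACL entries ('permit|deny ip <src> <dst>' with host / any /
address+wildcard), VLAN access-map sequences (match ip address + action) and
the implicit drop at the end of the map. Ports and protocols other than 'ip'
are not modeled; the addresses below are constructed from the page's example.
"""
import ipaddress
from dataclasses import dataclass


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class AddrSpec:
    """IOS address + wildcard mask; a 1 bit in the wildcard means 'don't care'."""
    addr: int
    wild: int

    def matches(self, ip: int) -> bool:
        care = ~self.wild & 0xFFFFFFFF
        return (ip & care) == (self.addr & care)


def _parse_spec(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tok[i]; return (spec, next)."""
    if tok[i] == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return AddrSpec(_ip(tok[i + 1]), 0), i + 2
    return AddrSpec(_ip(tok[i]), _ip(tok[i + 1])), i + 2


def parse_acl(lines):
    """Parse ACEs into (is_permit, src, dst) tuples, keeping their order."""
    aces = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        if tok[1] != "ip":
            raise ValueError(f"only 'ip' ACEs are modeled: {line!r}")
        src, i = _parse_spec(tok, 2)
        dst, _ = _parse_spec(tok, i)
        aces.append((tok[0] == "permit", src, dst))
    return aces


def acl_permits(acl, src: int, dst: int) -> bool:
    """First-match lookup. Inside a VACL a 'permit' ACE means 'this map entry
    matches the packet'; a 'deny' ACE (or the ACL's implicit deny) means 'not
    matched here, go on to the next entry'. The ACL never drops by itself."""
    for is_permit, s, d in acl:
        if s.matches(src) and d.matches(dst):
            return is_permit
    return False


def vacl_action(access_map, src: int, dst: int) -> str:
    """Walk entries in ascending sequence order; an entry with no match clause
    (acl=None) matches every packet. If no entry matches, the VACL's own
    implicit deny drops the packet."""
    for _seq, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl is None or acl_permits(acl, src, dst):
            return action
    return "drop"


def evaluate(access_map, src: str, dst: str) -> str:
    return vacl_action(access_map, _ip(src), _ip(dst))


# The page's configuration: entry 10 drops what local-17 permits,
# entry 20 forwards everything else.
LOCAL_17 = parse_acl(["permit ip host 192.168.99.17 192.168.99.0 0.0.0.255"])
BLOCK_17 = [(10, LOCAL_17, "drop"), (20, None, "forward")]

# Same map without entry 20: the implicit deny drops all other traffic.
BLOCK_17_NO_FORWARD = [(10, LOCAL_17, "drop")]

# Constructed variant: exempt the gateway 192.168.99.1 with a deny ACE. The deny
# does not drop; it keeps entry 10 from matching, so entry 20 forwards.
LOCAL_17_EXEMPT_GW = parse_acl([
    "deny ip host 192.168.99.17 host 192.168.99.1",
    "permit ip host 192.168.99.17 192.168.99.0 0.0.0.255",
])
BLOCK_17_EXEMPT_GW = [(10, LOCAL_17_EXEMPT_GW, "drop"), (20, None, "forward")]


if __name__ == "__main__":
    maps = (("block-17", BLOCK_17), ("without seq 20", BLOCK_17_NO_FORWARD),
            ("gateway exempted", BLOCK_17_EXEMPT_GW))
    flows = (("192.168.99.17", "192.168.99.5"), ("192.168.99.5", "192.168.99.17"),
             ("192.168.99.17", "192.168.99.1"), ("192.168.99.5", "192.168.99.6"))
    for name, amap in maps:
        print(name)
        for src, dst in flows:
            print(f"  {src:>14} -> {dst:<14} {evaluate(amap, src, dst)}")
```

Running the block prints one line per flow and map; the second map shows that dropping entry 20 silently drops all traffic between the other hosts in VLAN 99, and the third shows that exemptions belong inside the matched ACL as deny ACEs, not as a separate drop entry.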
wiki/site/cisco/vlan-acl.txt · Last modified: 2018/01/23 09:43 by root