Using VLAN Maps
September 23, 2016
VLAN maps (also called VLAN access control lists, or VACLs) are used to filter or redirect traffic within a VLAN, including traffic bridged between hosts in the same VLAN that a router ACL would never see, giving you more granular control over the traffic.
Steps to Configuring a VLAN Map
- Determine what you want to accomplish: it is vital to know what you want to achieve before you start configuring. This will save you a lot of headaches in the actual implementation.
- Write an access list: the kind of access list you use depends on what you want to match. The most common is the IP access list. If you only need to match the source IP address, a standard access list is sufficient; for protocol or port filtering an extended access list is needed. Keep in mind that in a VLAN map the access list's permit entries select the traffic you want to manipulate; the action taken on that traffic is set in the map, not in the access list.
- Create a VLAN map: this is where you use your access list to match the traffic you want to handle and set actions for that traffic. A VLAN map works similarly to route maps and access lists: its sequences are evaluated in order and the first sequence that matches decides the action. Traffic that matches no sequence is dropped by default, so be sure to add a final sequence that allows the traffic that needs to traverse your VLAN.
- Apply the VLAN map to a VLAN: here you apply your VLAN map to one VLAN or to a list of VLANs. The VLAN map has no effect until it is applied to a VLAN.
Your company policy states that Telnet traffic should not be allowed on VLAN 10 for security reasons, but all other traffic should be allowed.
This is where you get to configure a VLAN map to meet the requirements:
(step 1) Objectives:
- Telnet traffic should be restricted for all hosts in VLAN 10.
- We will need an extended access list to match Telnet traffic.
- A VLAN map name will also be required: it will be named "NO_TELNET".
- Next we must ensure that all other traffic is allowed.
- Lastly, we will apply our VLAN map to VLAN 10.

(step 2) Implementation:

SwitchABC(config)#access-list 101 permit tcp any any eq telnet
// here we created an access list that permits (i.e. matches) the traffic we want to filter
SwitchABC(config)#vlan access-map NO_TELNET 10
// we have created the VLAN map, sequence 10
SwitchABC(config-access-map)#match ip address 101
// we are using the access list we created before
SwitchABC(config-access-map)#action drop
// anything that matches the access list will be dropped
SwitchABC(config-access-map)#vlan access-map NO_TELNET 20
SwitchABC(config-access-map)#action forward
// sequence 20 has no match statement, so it matches everything that was not dropped by sequence 10; with action forward all other traffic is allowed
SwitchABC(config-access-map)#exit
SwitchABC(config)#vlan filter NO_TELNET vlan-list 10
// now we have applied the VLAN map to VLAN 10 and our job is done :)
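To see the configuration steps above and the NO_TELNET implementation working together, here is an added Python model of how a VLAN map evaluates a packet (example code, not from the article or from Cisco). It encodes access list 101 and the two sequences of NO_TELNET, evaluates constructed sample packets against them, and also shows what happens when the catch-all sequence 20 is forgotten, which is the implicit-drop pitfall the steps warn about. The packet addresses, the SSH and ping samples, and the helper names (`Packet`, `AclEntry`, `MapSequence`, `vlan_map_action`, `evaluate`) are assumptions made for this example; wildcard masks and port operators other than `eq` are not modelled.

```python
"""Model of how a Cisco VLAN map (VACL) evaluates a packet.

Added example, not Cisco code and not the article's own. It encodes the
rules the article relies on so the NO_TELNET map can be exercised offline:
  * an ACL is a list of entries; the first entry that matches decides,
    and a packet matched by no entry is denied (implicit deny)
  * a VLAN map is a list of sequences evaluated in ascending order; the
    first sequence whose ACL permits the packet supplies the action
  * a sequence with no match clause matches every packet
  * a packet matched by no sequence is dropped (implicit drop)
Packet values, the sample traffic and the helper names are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

TELNET_PORT = 23


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None for non-TCP/UDP


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str = "any"             # "any" or an exact address (no wildcard masks)
    dst: str = "any"
    dport: Optional[int] = None  # None = any destination port; only "eq" modelled


def acl_permits(entries: List[AclEntry], pkt: Packet) -> bool:
    """True if the extended ACL permits the packet (first match wins, implicit deny)."""
    for e in entries:
        if (e.proto in ("ip", pkt.proto)
                and e.src in ("any", pkt.src)
                and e.dst in ("any", pkt.dst)
                and e.dport in (None, pkt.dport)):
            return e.action == "permit"
    return False


@dataclass(frozen=True)
class MapSequence:
    seq: int
    action: str                           # "forward" or "drop"
    acl: Optional[List[AclEntry]] = None  # None = no match clause, matches everything


def vlan_map_action(sequences: List[MapSequence], pkt: Packet) -> str:
    """Return the action the VLAN map applies to the packet."""
    for s in sorted(sequences, key=lambda s: s.seq):
        if s.acl is None or acl_permits(s.acl, pkt):
            return s.action
    return "drop"  # implicit drop: no sequence matched the packet


# Constructed equivalent of: access-list 101 permit tcp any any eq telnet
ACL_101 = [AclEntry("permit", "tcp", dport=TELNET_PORT)]

# vlan access-map NO_TELNET 10 / match ip address 101 / action drop
# vlan access-map NO_TELNET 20 / action forward
NO_TELNET = [MapSequence(10, "drop", ACL_101), MapSequence(20, "forward")]

# The same map with the catch-all sequence 20 forgotten.
NO_TELNET_WITHOUT_CATCHALL = [MapSequence(10, "drop", ACL_101)]

# Constructed sample traffic between two hosts on VLAN 10.
TELNET = Packet("10.0.10.5", "10.0.10.20", "tcp", TELNET_PORT)
SSH = Packet("10.0.10.5", "10.0.10.20", "tcp", 22)
PING = Packet("10.0.10.5", "10.0.10.20", "icmp")


def evaluate(sequences: List[MapSequence]) -> dict:
    """Action the map applies to each sample packet, keyed by a label."""
    return {name: vlan_map_action(sequences, p)
            for name, p in (("telnet", TELNET), ("ssh", SSH), ("ping", PING))}


if __name__ == "__main__":
    print("NO_TELNET:", evaluate(NO_TELNET))
    print("without sequence 20:", evaluate(NO_TELNET_WITHOUT_CATCHALL))
```

Running the module shows Telnet dropped and SSH and ping forwarded under NO_TELNET, and every packet dropped once sequence 20 is missing. Note that access list 101 identifies Telnet by destination port 23 only; because a VLAN map is applied to all traffic in the VLAN regardless of direction, dropping the client's packets towards port 23 is enough to prevent a session from being established. On the switch itself, `show vlan access-map` and `show vlan filter` confirm the map's sequences and the VLANs it is applied to.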