Catalyst QoS: VLAN Access-map for IP traffic filtering

September 12, 2008 at 3:31 pm | Posted in QoS, Switching

Task: Configure a VLAN access-map (VACL) that only allows Telnet, ping and routing (OSPF) traffic within VLAN 145.

Because ARP is not IP, an IP access-list can never match it. If the VLAN access-map ends with a default drop action, ARP frames must therefore be permitted explicitly, through a MAC access-list in a clause of their own; otherwise the two PC hosts in VLAN 145 cannot resolve each other's MAC address and connectivity between them fails, even though their Telnet and ping traffic would be forwarded. Keep in mind that a VACL is applied to traffic bridged within the VLAN, not only to traffic routed into or out of it, so host-to-host traffic inside VLAN 145 is filtered as well. OSPF needs no special handling: it is carried directly in IP (protocol 89) and is covered by the permit ospf entry.

Configuration

! ACL 100 lists only what is allowed. Its implicit deny means that any other
! IP packet fails to match sequence 10 and falls through to the final drop.
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any eq telnet any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit ospf any any
!
! ARP is not IP, so it needs a MAC ACL: EtherType 0x806, mask 0x0 (exact match)
mac access-list extended ARP
 permit any any 0x806 0x0
!
! Sequences are evaluated in order; the first matching clause decides the action
vlan access-map VLAN145_FILTER 10
 action forward
 match ip address 100
vlan access-map VLAN145_FILTER 15
 action forward
 match mac address ARP
! Catch-all clause with no match statement: everything else is dropped
vlan access-map VLAN145_FILTER 20
 action drop
!
! Apply the map to VLAN 145; verify with "show vlan access-map" and "show vlan filter"
vlan filter VLAN145_FILTER vlan-list 145
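To make the evaluation order concrete, here is a small Python model of how the switch walks VLAN145_FILTER, added here as an illustration; it is not code from the post and not Cisco code, and it prints no real switch output. The sample frames are constructed, the names (Frame, Ace, evaluate, decisions) are mine, and the modelling assumptions (the first matching sequence wins; a deny ACE or the implicit deny of an IP ACL means the clause does not match and the next sequence is tried; ARP never matches an IP ACL) are stated in the header comment. What a switch does when no sequence matches at all is platform-specific and is deliberately not modelled; the explicit drop in sequence 20 sidesteps that question, which is exactly why the map ends with it.

```python
# Toy model of how a Catalyst VLAN access-map evaluates a frame, built for
# VLAN145_FILTER.  Added illustration only, not Cisco code.  Assumptions:
#  - sequences are tried in numerical order; the first clause whose match
#    statement hits decides the action;
#  - "match ip address" hits only when a permit ACE of the IP ACL fits the
#    packet; a deny ACE or the implicit deny means "no match", next sequence;
#  - a non-IPv4 frame (ARP is EtherType 0x0806) can never match an IP ACL;
#  - a clause without a match statement matches everything;
#  - the result when no clause hits is platform-specific and not modelled;
#    the map here always ends in an explicit "action drop" (sequence 20).
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass
class Frame:
    ethertype: int
    proto: Optional[str] = None      # "tcp", "icmp", "ospf", ... for IPv4
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ...


@dataclass
class Ace:
    """One line of an extended IP ACL; source/destination are 'any any'."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "icmp", "ospf", ...
    sport: Optional[int] = None      # 'eq' source port, if given
    dport: Optional[int] = None      # 'eq' destination port, if given
    icmp_type: Optional[str] = None  # ICMP type keyword, if given

    def fits(self, f: Frame) -> bool:
        return (f.ethertype == ETHERTYPE_IPV4
                and self.proto in ("ip", f.proto)
                and self.sport in (None, f.sport)
                and self.dport in (None, f.dport)
                and self.icmp_type in (None, f.icmp_type))


def ip_acl_matches(aces: List[Ace], f: Frame) -> bool:
    """The clause matches only if the first fitting ACE is a permit."""
    for ace in aces:
        if ace.fits(f):
            return ace.action == "permit"
    return False                     # implicit deny: clause does not match


def mac_acl_matches(entries: List[Tuple[int, int]], f: Frame) -> bool:
    """entries are (ethertype, mask) pairs as in 'permit any any 0x806 0x0';
    mask bits set to 1 are don't-care bits, so mask 0x0 is an exact match."""
    return any((f.ethertype ^ et) & ~mask == 0 for et, mask in entries)


# (sequence, action, match function or None for "no match statement")
Clause = Tuple[int, str, Optional[Callable[[Frame], bool]]]


def evaluate(access_map: List[Clause], f: Frame) -> str:
    for _seq, action, match in sorted(access_map, key=lambda c: c[0]):
        if match is None or match(f):
            return action
    return "drop"  # not reached with the maps below; see header comment


# Transcription of the configuration above
ACL_100 = [
    Ace("permit", "tcp", dport=23),          # tcp any any eq telnet
    Ace("permit", "tcp", sport=23),          # tcp any eq telnet any
    Ace("permit", "icmp", icmp_type="echo"),
    Ace("permit", "icmp", icmp_type="echo-reply"),
    Ace("permit", "ospf"),
]
MAC_ACL_ARP = [(ETHERTYPE_ARP, 0x0)]

VLAN145_FILTER: List[Clause] = [
    (10, "forward", lambda f: ip_acl_matches(ACL_100, f)),
    (15, "forward", lambda f: mac_acl_matches(MAC_ACL_ARP, f)),
    (20, "drop", None),
]
# The same map without sequence 15: the mistake the post warns about
VLAN145_FILTER_NO_ARP = [c for c in VLAN145_FILTER if c[0] != 15]

# Constructed sample traffic, not captured data
SAMPLES: Dict[str, Frame] = {
    "telnet-syn":   Frame(ETHERTYPE_IPV4, "tcp", sport=40123, dport=23),
    "telnet-reply": Frame(ETHERTYPE_IPV4, "tcp", sport=23, dport=40123),
    "ping-request": Frame(ETHERTYPE_IPV4, "icmp", icmp_type="echo"),
    "ping-reply":   Frame(ETHERTYPE_IPV4, "icmp", icmp_type="echo-reply"),
    "ospf-hello":   Frame(ETHERTYPE_IPV4, "ospf"),
    "arp-request":  Frame(ETHERTYPE_ARP),
    "http":         Frame(ETHERTYPE_IPV4, "tcp", sport=40124, dport=80),
    "icmp-unreach": Frame(ETHERTYPE_IPV4, "icmp", icmp_type="unreachable"),
}


def decisions(access_map: List[Clause]) -> Dict[str, str]:
    """Run every sample frame through the map and return name -> action."""
    return {name: evaluate(access_map, f) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for label, amap in (("with ARP clause", VLAN145_FILTER),
                        ("without ARP clause", VLAN145_FILTER_NO_ARP)):
        print(label)
        for name, action in decisions(amap).items():
            print(f"  {name:13} {action}")
```

Running it shows the point of the post directly: with sequence 15 in place every sample that the task allows is forwarded and ARP is forwarded too, while the map without sequence 15 still forwards Telnet, ping and OSPF but drops the ARP request, so in practice none of that IP traffic would ever be sent. HTTP and any ICMP type other than echo/echo-reply fall through ACL 100 to the catch-all drop in both variants.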