Monday, 15 October 2012

VLAN Maps

Using VLAN Maps

VLAN maps are used to filter or redirect traffic within a VLAN, giving you more granular control over that traffic.


Steps needed to configure a VLAN map

  1. Determine what you want to accomplish: It is vital to know what you want to achieve before starting the configuration; that can save you lots of headaches during the actual implementation.
  2. Write an access list: What kind of access list you use depends on what you want to do. The most common are IP access lists. If you only want to match the source IP address, a standard access list is sufficient; for protocol filtering, use an extended access list. Keep in mind that the access list permits (that is, selects) the traffic you want to manipulate.
  3. Create a VLAN map: This is where you use your access list to match the traffic you want to handle and set an action for that traffic. Keep in mind that a VLAN map works similarly to route maps and access lists: by default it discards traffic that matches no entry, so be sure to allow the traffic that needs to traverse your VLAN.
  4. Apply the VLAN map to a VLAN: Here you apply your VLAN map to one VLAN or a list of VLANs. The VLAN map will not take effect unless it is applied to a VLAN.


Scenario

Your company policy states that telnet traffic should not be allowed on VLAN 10 for security purposes; all other traffic should be allowed.

Here you get to configure a VLAN map to meet the requirements:


(step 1) Objectives: telnet traffic should be restricted for all hosts in VLAN 10.
So we need an extended access list to match telnet traffic (TCP destination port 23).
A VLAN map name: we will name it "NO_TELNET".
We must ensure that all other traffic is allowed.
We will apply our VLAN map to VLAN 10.

(step 2) Implementation:

SwitchABC(config)#access-list 101 permit tcp any any eq telnet
// the access list permits (selects) the traffic we want to filter: any TCP segment to destination port 23
SwitchABC(config)#vlan access-map NO_TELNET 10
// we have created the VLAN map; 10 is the sequence number of its first entry
SwitchABC(config-access-map)#match ip address 101
// match against the access list we created before
SwitchABC(config-access-map)#action drop
// anything permitted by the access list is dropped
SwitchABC(config-access-map)#vlan access-map NO_TELNET 20
SwitchABC(config-access-map)#action forward
// entry 20 has no match statement, so it matches everything else; without it the implicit deny at the end of the map would drop all other traffic in VLAN 10
SwitchABC(config-access-map)#exit
SwitchABC(config)#vlan filter NO_TELNET vlan-list 10
// now the VLAN map is applied to VLAN 10, and our job is done :)
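To make the evaluation order concrete, here is an added Python model of how a VLAN access map decides a packet's fate (an illustration written for this post, not Cisco code). It assumes the IOS semantics described above: entries are tried in ascending sequence number, an entry with no match clause matches everything, an ACL "permit" selects the packet while a "deny" or no hit moves on to the next entry, and a packet matched by no entry hits the implicit deny at the end of the map. The packet addresses are constructed sample values.

```python
# Added example: a small model of VLAN access-map evaluation (not Cisco code).
# Assumed semantics (as described in the post):
#   - entries are tried in ascending sequence number;
#   - an entry with no match clause matches every packet;
#   - an ACL "permit" ACE selects the packet; a "deny" ACE or no ACE hit
#     means "not matched" and evaluation moves to the next entry;
#   - a packet matched by no entry is dropped (implicit deny at the end).
from dataclasses import dataclass
from typing import Optional

TELNET = 23

@dataclass
class Packet:
    proto: str      # "tcp", "udp", ...
    src: str
    dst: str
    dport: int = 0

@dataclass
class Ace:
    permit: bool
    proto: str = "ip"            # "ip" matches any IP protocol
    dport: Optional[int] = None  # None = any destination port

def ace_hits(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    return ace.dport is None or ace.dport == pkt.dport

def acl_permits(acl: list, pkt: Packet) -> bool:
    """First ACE that hits decides; no hit behaves like deny."""
    for ace in acl:
        if ace_hits(ace, pkt):
            return ace.permit
    return False

def evaluate(access_map: list, pkt: Packet) -> str:
    """access_map entries are (sequence, acl-or-None, action)."""
    for _, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl is None or acl_permits(acl, pkt):
            return action
    return "drop"  # implicit deny: nothing matched

ACL_101 = [Ace(permit=True, proto="tcp", dport=TELNET)]      # access-list 101
NO_TELNET = [(10, ACL_101, "drop"), (20, None, "forward")]    # the map above
MISSING_SEQ_20 = [(10, ACL_101, "drop")]                      # forgot entry 20

def demo() -> dict:
    telnet = Packet("tcp", "10.0.10.5", "10.0.10.9", TELNET)  # constructed sample
    web = Packet("tcp", "10.0.10.5", "10.0.10.9", 80)         # constructed sample
    return {"telnet": evaluate(NO_TELNET, telnet),
            "web": evaluate(NO_TELNET, web),
            "web_without_seq_20": evaluate(MISSING_SEQ_20, web)}
```

On the switch itself, `show vlan access-map NO_TELNET` and `show vlan filter` confirm the map's entries and which VLANs it is bound to.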