04-06-2008 06:48 PM - edited 03-05-2019 10:13 PM
I have a question on how this works.
switch(config)#vlan access-map CISCO
<----- This sets the map name to Cisco
switch(config-access-map)#match ip address dog
<------ This sets the map to match the ACL named dog
switch(config-access-map)#action forward
<------ This forwards whatever is matched in the ACL above
switch(config)#vlan filter CISCO vlan-list 10-20
Now I'm not sure what happens. It applies the filter to Vlans 10-20 and does this mean it will only allow traffic that matches the ACL both in and out of the Vlans or just in or just out.
I understand it will drop what it doesn't match but how is it applied?
Can someone post a real world scenario where you would use a vlan map and what it would look like?
Thanks!
04-06-2008 07:17 PM
"Now I'm not sure what happens. It applies the filter to Vlans 10-20 and does this mean it will only allow traffic that matches the ACL both in and out of the Vlans or just in or just out."
Vlan map has no direction (input or output). In your case whatever traffic matches the ACL named dog in vlans 10-20 would be forwarded. If you want to filter traffic in a specific direction then you need to do that with your access list by specifying the appropriate source and destination address.
Vlan map, as in ACL, has an implicit deny at the end. Any traffic that doesn't match any of the criteria will be dropped and hence, you may have to create a default action to forward all other traffic.
HTH
Sundar
04-06-2008 07:23 PM
So if I have traffic in Vlan 9 that is trying to connect to a host in vlan 10 it will have to match the vlan map in order to be forwarded into vlan 10?
And if I have traffic in vlan 10 that is trying to get to vlan 9 it will be forwarded if it matches?
What about two hosts inside vlan 10 sending traffic to each other?
The documentation just isn't too clear about what it applies to.
04-07-2008 01:59 PM
The answer to all your questions is YES. For any traffic that's originating from, received in, or stays within VLAN 10, if you have a VLAN filter applied and there's no match, then it's automatically dropped by the switch. Hence, as I stated in my previous post, if your goal is to drop only certain traffic then add a statement at the end to forward the rest of the traffic.
HTH
Sundar
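A real-world scenario of the kind asked for above, written out as an added example (not configuration posted by either participant): hosts in VLAN 10 are not allowed to reach a management server, except for one admin workstation, and everything else in VLAN 10 is forwarded. The addresses 10.10.10.5 (admin host) and 192.0.2.10 (management server) and the ACL and map names are assumptions chosen for the example. Note that inside a VLAN map an ACL "permit" only means "this entry matches"; the forward or drop decision comes from the map clause's action.

```cisco
! Constructed example: restrict access to a management server from VLAN 10.
! ACL entries here define what MATCHES; the map clause decides forward/drop.
ip access-list extended ADMIN-TO-MGMT
 permit ip host 10.10.10.5 host 192.0.2.10
!
ip access-list extended ANY-TO-MGMT
 permit ip any host 192.0.2.10
!
! Clauses are evaluated in sequence-number order; first match wins.
vlan access-map MGMT-GUARD 10
 match ip address ADMIN-TO-MGMT
 action forward
vlan access-map MGMT-GUARD 20
 match ip address ANY-TO-MGMT
 action drop
! Catch-all clause with no match statement: without it, everything that
! did not match clauses 10 or 20 would hit the implicit deny and be dropped.
vlan access-map MGMT-GUARD 30
 action forward
!
! Apply the map; it sees bridged and routed traffic in VLAN 10 regardless of direction.
vlan filter MGMT-GUARD vlan-list 10
!
! Verification:
! show vlan access-map MGMT-GUARD
! show vlan filter
```

Because the map has no direction, the return traffic from 192.0.2.10 back to 10.10.10.5 (source and destination swapped) matches neither clause 10 nor clause 20 and is forwarded by clause 30; a non-admin host's packet to the server matches clause 20 and is dropped, so no reply is ever generated. Any direction-specific behaviour therefore has to be expressed through the source and destination fields of the ACLs, which is the point made in the answers above.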