■Test 1: Use a VACL to deny only TCP access to VLAN 101
    ⇒Telnet to the Linux host
    ⇒Ping (ICMP) the Linux host
    ⇒Apply "vlan filter map-vlan vlan 101" (second config push)
    ⇒Telnet to the Linux host is no longer possible
    ⇒Ping (ICMP) to the Linux host is not denied


■Configuration applied to DSW3_3560 (first push)
conf t
!
ip routing
!
vlan 101
!
int loopback 0
ip address 1.1.1.1 255.255.255.255
!
int fa0/1
switchport mode access
switchport access vlan 101
no shut
!
int fa0/2
switchport mode access
switchport access vlan 101
no shut
!
int fa0/3
no switchport
ip address 192.168.0.1 255.255.255.0
no shut
!
int vlan 101
ip address 172.16.101.1 255.255.255.0
no shut
exit
!
ip access-list extended tcp-deny
permit tcp host 172.16.101.200 host 172.16.101.100
permit tcp 192.168.0.0 0.0.0.255 host 172.16.101.100
exit
!
vlan access-map map-vlan 10
match ip address tcp-deny
action drop
exit
!
vlan access-map map-vlan 20
action forward
exit
!
end


■After applying the first push, telnet to the Linux host still worked.


■Configuration applied to DSW3_3560 (second push)
conf t
!
vlan filter map-vlan vlan 101
!
end


■After applying the second push, telnet to the Linux host was no longer possible.

DSW3_3560#sh ip access-lists tcp-deny
Extended IP access list tcp-deny
10 permit tcp host 172.16.101.200 host 172.16.101.100
20 permit tcp 192.168.0.0 0.0.0.255 host 172.16.101.100


DSW3_3560#sh vlan access-map
Vlan access-map "map-vlan" 10
Match clauses:
ip address: tcp-deny
Action:
drop
Vlan access-map "map-vlan" 20
Match clauses:
Action:
forward


DSW3_3560#sh vlan filter
VLAN Map map-vlan is filtering VLANs:
101
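The lab result above (telnet dropped, ping still answered) follows from how a VLAN access map evaluates traffic: a permit ACE in the match ACL means "this sequence matches", the action of the first matching sequence is applied, and a packet that matches no sequence is dropped by the implicit deny at the end of the map. The following Python model is an added example, not code from the page or from Cisco; it reproduces those three rules for the exact access-map and ACL shown above, and also shows what would happen if the "map-vlan 20 / action forward" entry were omitted. The sample packets are constructed; only permit ACEs are parsed because that is all the page's ACL uses.

```python
"""Added example: a small model of Cisco VLAN access map (VACL) evaluation.
Assumptions (standard VACL behaviour, not taken from this page): permit ACEs
in the referenced ACL are match clauses, sequences are tried in ascending
order, an entry with no match clause matches everything, and a packet that
matches no entry is dropped (implicit deny at the end of the map)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    proto: str  # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, pkt: Packet) -> bool:
        proto_ok = self.proto in ("ip", pkt.proto)
        return (proto_ok
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst)


def _parse_addr(tokens: List[str], i: int):
    """Consume 'host A', 'any' or 'A <wildcard>' at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    # An IOS wildcard mask is a hostmask, which ipaddress accepts after the slash.
    return ipaddress.IPv4Network(tokens[i] + "/" + tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit <proto> <src> <dst>' lines of an IOS extended ACL.
    Sequence numbers as printed by 'show ip access-lists' are ignored.
    Only 'permit' is handled: in a VACL it marks a match, it does not forward."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0].isdigit():
            tokens = tokens[1:]
        if tokens[0] != "permit":
            raise ValueError(f"unsupported ACE in this model: {line!r}")
        proto = tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(proto, src, dst))
    return aces


@dataclass
class MapEntry:
    seq: int
    action: str                      # "drop" or "forward"
    acl: Optional[List[Ace]] = None  # None: no match clause, matches every packet


def vacl_action(entries: List[MapEntry], pkt: Packet) -> str:
    """First sequence whose match clause hits decides; otherwise implicit drop."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.acl is None or any(ace.matches(pkt) for ace in entry.acl):
            return entry.action
    return "drop"


# The ACL and access map exactly as configured on DSW3_3560 above.
TCP_DENY = parse_acl("""
permit tcp host 172.16.101.200 host 172.16.101.100
permit tcp 192.168.0.0 0.0.0.255 host 172.16.101.100
""")
MAP_VLAN = [MapEntry(10, "drop", TCP_DENY), MapEntry(20, "forward")]
# Same map with the "20 forward" entry left out, to show the implicit deny.
MAP_WITHOUT_SEQ20 = [MapEntry(10, "drop", TCP_DENY)]


def lab_results() -> dict:
    """Constructed packets standing in for the telnet and ping tests on the page."""
    telnet = Packet("tcp", "172.16.101.200", "172.16.101.100")
    ping = Packet("icmp", "172.16.101.200", "172.16.101.100")
    routed_telnet = Packet("tcp", "192.168.0.50", "172.16.101.100")
    return {
        "telnet": vacl_action(MAP_VLAN, telnet),                  # drop
        "ping": vacl_action(MAP_VLAN, ping),                      # forward
        "routed_telnet": vacl_action(MAP_VLAN, routed_telnet),    # drop
        "ping_without_seq20": vacl_action(MAP_WITHOUT_SEQ20, ping),  # drop
    }


if __name__ == "__main__":
    for name, action in lab_results().items():
        print(f"{name}: {action}")
```

The "ping_without_seq20" case is the one worth remembering when writing a VACL: a map whose only entry is a drop leaves every other packet in the VLAN to the implicit deny, so the trailing "action forward" entry with no match clause is what keeps ICMP and all other traffic flowing.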