■Verification 1: use a VACL to deny only TCP access to vlan 101
⇒telnet to the Linux host
⇒ping (ICMP) the Linux host
⇒apply vlan filter map-vlan vlan 101 (2nd batch)
⇒telnet to the Linux host now fails
⇒ping (ICMP) to the Linux host is not denied
■DSW3_3560 configuration applied (1st batch)
conf t
!
ip routing
!
vlan 101
!
int loopback 0
ip address 1.1.1.1 255.255.255.255
!
int fa0/1
switchport mode access
switchport access vlan 101
no shut
!
int fa0/2
switchport mode access
switchport access vlan 101
no shut
!
int fa0/3
no switchport
ip address 192.168.0.1 255.255.255.0
no shut
!
int vlan 101
ip address 172.16.101.1 255.255.255.0
no shut
exit
!
ip access-list extended tcp-deny
permit tcp host 172.16.101.200 host 172.16.101.100
permit tcp 192.168.0.0 0.0.0.255 host 172.16.101.100
exit
!
vlan access-map map-vlan 10
match ip address tcp-deny
action drop
exit
!
vlan access-map map-vlan 20
action forward
exit
!
end
■After applying the 1st batch, telnet access to the Linux host still worked (the access map exists but is not yet applied to any VLAN).
■DSW3_3560 configuration applied (2nd batch)
conf t
!
vlan filter map-vlan vlan 101
!
end
■After applying the 2nd batch, telnet access to the Linux host was no longer possible. The permit entries of the ACL tcp-deny only select the TCP flows; map entry 10 then drops them, while ICMP matches nothing in entry 10, falls through to entry 20 and is forwarded.
DSW3_3560#sh ip access-lists tcp-deny
Extended IP access list tcp-deny
    10 permit tcp host 172.16.101.200 host 172.16.101.100
    20 permit tcp 192.168.0.0 0.0.0.255 host 172.16.101.100
DSW3_3560#sh vlan access-map
Vlan access-map "map-vlan" 10
  Match clauses:
    ip address: tcp-deny
  Action:
    drop
Vlan access-map "map-vlan" 20
  Match clauses:
  Action:
    forward
DSW3_3560#sh vlan filter
VLAN Map map-vlan is filtering VLANs:
  101
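As an added example that is not part of this lab note, the following Python models how the switch evaluates a frame against the VACL map-vlan, loaded with the tcp-deny ACL and the two access-map entries from the config above. It assumes 172.16.101.100 is the Linux host and 172.16.101.200 is the client used for the telnet and ping tests (the note does not state these addresses explicitly); the evaluation rules are generic Cisco VACL behaviour: a map entry's ACL is consulted only to decide whether the entry matches, a "permit" ACE means the entry applies, and a frame that hits no entry is dropped by the implicit deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not part of the lab note: a minimal model of Cisco VACL
# evaluation, loaded with the exact access-list and access-map from the
# DSW3_3560 config so the observed behaviour can be reproduced offline.


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address


@dataclass(frozen=True)
class Ace:
    permit: bool
    proto: str                   # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return (ipaddress.IPv4Address(pkt.src) in self.src
                and ipaddress.IPv4Address(pkt.dst) in self.dst)


def wildcard_to_network(addr: str, wildcard: str = "0.0.0.0") -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair to a network.

    'host A' is A with wildcard 0.0.0.0. Only contiguous wildcards are
    handled, which covers everything the lab ACL uses.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    bits = wc.bit_length()
    if wc != (1 << bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported here")
    return ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False)


def acl_lookup(acl: List[Ace], pkt: Packet) -> bool:
    """First-match ACL walk. Returns True on a permit ACE, False on a deny ACE
    or on the implicit deny at the end. Inside a VACL match clause, 'permit'
    means 'this map entry matches the frame'; it does not forward anything."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.permit
    return False


# (sequence, match ACL or None for "match everything", action)
MapEntry = Tuple[int, Optional[List[Ace]], str]


def vacl_action(access_map: List[MapEntry], pkt: Packet) -> str:
    """Walk the access-map entries in sequence order and return the action of
    the first entry whose match clause hits. If no entry matches, the switch
    drops the frame (implicit deny at the end of a VACL)."""
    for _seq, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl is None or acl_lookup(acl, pkt):
            return action
    return "drop"


# ip access-list extended tcp-deny (from the lab config)
TCP_DENY = [
    Ace(True, "tcp", wildcard_to_network("172.16.101.200"),
        wildcard_to_network("172.16.101.100")),
    Ace(True, "tcp", wildcard_to_network("192.168.0.0", "0.0.0.255"),
        wildcard_to_network("172.16.101.100")),
]

# vlan access-map map-vlan (from the lab config); entry 20 has no match
# clause, so it catches everything entry 10 did not and forwards it.
MAP_VLAN: List[MapEntry] = [
    (10, TCP_DENY, "drop"),
    (20, None, "forward"),
]

# Constructed sample traffic; 172.16.101.100 is assumed to be the Linux host
# and 172.16.101.200 the client used for the telnet and ping tests.
SAMPLES = {
    "telnet client -> Linux host": Packet("tcp", "172.16.101.200", "172.16.101.100"),
    "ping client -> Linux host": Packet("icmp", "172.16.101.200", "172.16.101.100"),
    "tcp routed in from 192.168.0.0/24": Packet("tcp", "192.168.0.77", "172.16.101.100"),
    "tcp Linux host -> client": Packet("tcp", "172.16.101.100", "172.16.101.200"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:36s} {vacl_action(MAP_VLAN, pkt)}")
    # Without entry 20 the implicit deny drops the ICMP echo as well.
    print("ping with only entry 10:",
          vacl_action(MAP_VLAN[:1], SAMPLES["ping client -> Linux host"]))
```

Running it reproduces the lab result (TCP from the client is dropped, ICMP is forwarded) and makes two points visible that the note does not spell out: the return direction of TCP is not matched by tcp-deny, so the telnet session fails only because the client's SYN never reaches the host, and removing entry 20 would drop ICMP as well because of the implicit deny at the end of the map.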