■ Permit all IP traffic from subnet 10.101.0.0 to host 10.101.1.1.
■ Permit ICMP echo request from all hosts.
■ Permit ICMP echo reply from all hosts.
■ Deny all other ICMP traffic.
■ Permit all TCP traffic.
■ Deny all UDP traffic not previously specified.
■ Permit all other IP traffic.
You want to apply this list to VLAN 101 on the switch. An example configuration follows:
Switch(config)# ip access-list extended ip_subnet2host
Switch(config-ext-acl)# permit ip 10.101.0.0 0.0.255.255 host 10.101.1.1
Switch(config-ext-acl)# exit
Switch(config)# ip access-list extended ping
Switch(config-ext-acl)# permit icmp any any echo
Switch(config-ext-acl)# permit icmp any any echo-reply
Switch(config-ext-acl)# exit
Switch(config)# ip access-list extended ip_icmp
Switch(config-ext-acl)# permit icmp any any
Switch(config-ext-acl)# exit
Switch(config)# ip access-list extended ip_tcp
Switch(config-ext-acl)# permit tcp any any
Switch(config-ext-acl)# exit
Switch(config)# ip access-list extended ip_udp
Switch(config-ext-acl)# permit udp any any
Switch(config-ext-acl)# exit
Switch(config)# vlan access-map watchlist 10
Switch(config-access-map)# match ip address ip_subnet2host
Switch(config-access-map)# action forward
Switch(config-access-map)# vlan access-map watchlist 20
Switch(config-access-map)# match ip address ping
Switch(config-access-map)# action forward
Switch(config-access-map)# vlan access-map watchlist 30
Switch(config-access-map)# match ip address ip_icmp
Switch(config-access-map)# action drop
Switch(config-access-map)# vlan access-map watchlist 40
Switch(config-access-map)# match ip address ip_tcp
Switch(config-access-map)# action forward
Switch(config-access-map)# vlan access-map watchlist 50
Switch(config-access-map)# match ip address ip_udp
Switch(config-access-map)# action drop
Switch(config-access-map)# vlan access-map watchlist 60
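As an added example that is not from the page or from Cisco, the following Python models how the access map above evaluates a packet: each named ACL is consulted in sequence order, the first matching entry's action wins, and a packet that matches no entry falls to the VACL's implicit deny. The names Packet, ACLS, WATCHLIST, acl_permits and vacl_action are this example's own; the entry numbered 60 with no match clause stands for the final "permit all other IP traffic" step.

```python
import ipaddress
from typing import NamedTuple, Optional

# Model of the page's VACL (added example, not Cisco code): named ACLs,
# the sequence-ordered access map, and first-match evaluation.
class Packet(NamedTuple):
    proto: str                       # "tcp", "udp", "icmp", or another IP protocol
    src: str
    dst: str
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ... for ICMP only

# Named extended ACLs as on the page. The wildcard 0.0.255.255 on 10.101.0.0
# is 10.101.0.0/16; "any" is written as 0.0.0.0/0; "ip" matches every protocol.
ACLS = {
    "ip_subnet2host": [("ip", "10.101.0.0/16", "10.101.1.1/32", None)],
    "ping": [("icmp", "0.0.0.0/0", "0.0.0.0/0", "echo"),
             ("icmp", "0.0.0.0/0", "0.0.0.0/0", "echo-reply")],
    "ip_icmp": [("icmp", "0.0.0.0/0", "0.0.0.0/0", None)],
    "ip_tcp": [("tcp", "0.0.0.0/0", "0.0.0.0/0", None)],
    "ip_udp": [("udp", "0.0.0.0/0", "0.0.0.0/0", None)],
}

# Access map "watchlist" in sequence order: (sequence, ACL name, action).
# Entry 60 has no match clause and therefore matches every IP packet.
WATCHLIST = [
    (10, "ip_subnet2host", "forward"), (20, "ping", "forward"),
    (30, "ip_icmp", "drop"), (40, "ip_tcp", "forward"),
    (50, "ip_udp", "drop"), (60, None, "forward"),
]

def acl_permits(name: str, pkt: Packet) -> bool:
    """True when any permit entry of the named ACL covers the packet."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for proto, s_net, d_net, itype in ACLS[name]:
        if proto != "ip" and proto != pkt.proto:
            continue
        if itype is not None and itype != pkt.icmp_type:
            continue
        if src in ipaddress.ip_network(s_net) and dst in ipaddress.ip_network(d_net):
            return True
    return False

def vacl_action(access_map, pkt: Packet):
    """Return (sequence, action) of the first entry that matches; a packet that
    matches no entry is dropped by the VACL's implicit deny."""
    for seq, acl, action in access_map:
        if acl is None or acl_permits(acl, pkt):
            return seq, action
    return None, "drop"
```

Two cases worth checking with it: UDP from 10.101.0.0/16 to 10.101.1.1 is forwarded by entry 10 before the UDP deny at 50 is ever reached, and with the catch-all entry 60 removed any protocol not named in the map is dropped.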
Chapter 11: Controlling Traffic and Switch Access 179