08-30-2007 11:49 AM - edited 03-05-2019 06:12 PM
I am trying to stop users within a certain VLAN (VLAN20) from "chatting" with other users within the same VLAN. The users are in the 10.x.24.x range. This VACL will be applied to a 3750 and 4500. Is the below all I'll need to accomplish this?
ip access-list extended secure-workstation-traffic
 permit ip 10.0.24.1 0.255.0.0 any
 deny ip 10.0.24.0 0.255.7.255 10.0.24.0 0.255.7.255
 permit ip any any
vlan access-map secure-workstation-traffic 10
 action forward
 match ip address secure-workstation-traffic
vlan filter secure-workstation-traffic vlan-list 20
08-31-2007 12:46 PM
I usually like to place explicit drop and forward statements in there just for readability. But yes, that should work just so long as you don't have any port ACLs applied.
Be careful when mixing port-based ACLs and VACLs. The behavior is platform-specific. What works on, say, a 3550 will probably not work on a 3750 or 6500.
Also, on some platforms you really have to hunt through the CLI to find stats on dropped packets, and often it won't tell you rule by rule or even which access map is dropping packets.
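An added example, not part of the original thread: a small Python model that evaluates the question's ACL with IOS wildcard-mask matching, to check before deployment which flows the VACL forwards or drops. It assumes that an IP packet matching no access-map entry is dropped; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")

# ACEs of secure-workstation-traffic from the question: (action, src, dst)
ACL = [
    ("permit", ("10.0.24.1", "0.255.0.0"), ANY),
    ("deny", ("10.0.24.0", "0.255.7.255"), ("10.0.24.0", "0.255.7.255")),
    ("permit", ANY, ANY),
]

def acl_result(src, dst, acl=ACL):
    """First matching ACE wins; an ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in acl:
        if wc_match(src, sb, sw) and wc_match(dst, db, dw):
            return action
    return "deny"

def vacl_verdict(src, dst):
    """Model of map sequence 10 (action forward): an ACL permit is a match
    and is forwarded; anything else matches no entry and is dropped."""
    return "forward" if acl_result(src, dst) == "permit" else "drop"

def wildcard_range(base, wildcard, octet):
    """Values of one octet (0-3) covered by a base/wildcard pair."""
    shift = 8 * (3 - octet)
    b, w = (ip(base) >> shift) & 0xFF, (ip(wildcard) >> shift) & 0xFF
    return [v for v in range(256) if (v & ~w & 0xFF) == (b & ~w & 0xFF)]

# Constructed sample flows: (source, destination)
SAMPLES = [
    ("10.5.24.50", "10.5.24.60"),   # workstation to workstation
    ("10.5.24.50", "192.0.2.10"),   # workstation to an off-VLAN host
    ("10.5.24.1", "10.5.24.50"),    # .1 address to workstation
    ("10.5.24.50", "10.5.24.1"),    # workstation to the .1 address
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        print(f"{src:>12} -> {dst:<12} {vacl_verdict(src, dst)}")
    print("third octet covered:", wildcard_range("10.0.24.0", "0.255.7.255", 2))
```

In this model the 0.255.7.255 wildcard covers third octets 24 through 31, and IP packets addressed from a workstation to the .1 address hit the deny entry, since only traffic sourced from .1 is permitted ahead of it.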