VACL help

anowell
Level 1

I am trying to stop users within a certain VLAN (VLAN20) from "chatting" with other users within the same VLAN. The users are in the 10.x.24.x range. This VACL will be applied to a 3750 and 4500. Is the below all I'll need to accomplish this?

! Extended IP ACL used as the match criterion for the VLAN map
ip access-list extended secure-workstation-traffic
 ! 10.x.24.1 (any second octet) may send to anything
 permit ip 10.0.24.1 0.255.0.0 any
 ! 10.x.24.0-10.x.31.255 to 10.x.24.0-10.x.31.255 is denied; an ACL deny
 ! means "no match" for the map sequence below, not a drop by itself
 deny ip 10.0.24.0 0.255.7.255 10.0.24.0 0.255.7.255
 permit ip any any
!
! One sequence only: forward what the ACL permits; an IP packet the ACL
! denies matches no sequence and is dropped by the map's implicit deny
vlan access-map secure-workstation-traffic 10
 action forward
 match ip address secure-workstation-traffic
!
vlan filter secure-workstation-traffic vlan-list 20


b.julin
Level 3

I usually like to place explicit drop and forward statements in there just for readability. But yes, that should work, just so long as you don't have any port ACLs applied.

Be careful when mixing port-based ACLs and VACLs. The behavior is platform-specific. What works on, say, a 3550 will probably not work on a 3750 or 6500.

Also, on some platforms you really have to hunt through the CLI to find stats on dropped packets, and often it won't tell you rule by rule, or even which access map is dropping packets.

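The same policy written with the explicit drop and forward sequences the accepted answer recommends, as an added example rather than configuration from the original thread. It assumes VLAN 20 carries the 10.x.24.0/21 workstation subnets and that 10.x.24.1 is the default gateway in each of them (the masks in the original post suggest this but do not say so); because host-to-gateway packets also fall inside the intra-subnet range, it permits both directions to .1 before the drop sequence. The ACL names other than secure-workstation-traffic are made up for the example.

```cisco
! Added example, not from the original thread. Assumes 10.x.24.1 is the
! gateway of each workstation subnet in VLAN 20; adjust if it is not.
!
! Traffic to or from the gateway address: always forwarded.
ip access-list extended vlan20-gateway
 permit ip 10.0.24.1 0.255.0.0 any
 permit ip any 10.0.24.1 0.255.0.0
!
! Workstation-to-workstation traffic inside 10.x.24.0-10.x.31.255.
ip access-list extended vlan20-intra-subnet
 permit ip 10.0.24.0 0.255.7.255 10.0.24.0 0.255.7.255
!
! Sequences are evaluated in order. An ACL "permit" is a match for that
! sequence; an ACL "deny" or no match falls through to the next sequence.
vlan access-map secure-workstation-traffic 10
 match ip address vlan20-gateway
 action forward
vlan access-map secure-workstation-traffic 20
 match ip address vlan20-intra-subnet
 action drop
! No match clause: applies to everything left over. Without this sequence
! the map's implicit deny would drop all remaining IP traffic in the VLAN.
vlan access-map secure-workstation-traffic 30
 action forward
!
vlan filter secure-workstation-traffic vlan-list 20
!
! Verify the map, its sequences and the VLANs it is applied to:
! show vlan access-map secure-workstation-traffic
! show vlan filter access-map secure-workstation-traffic
```

To check the result from a workstation in VLAN 20, ping a peer in the same subnet (should fail) and then the gateway and an address outside the VLAN (should succeed). The map only matches IP packets; with no MAC ACL in the map, non-IP frames such as ARP still pass between the hosts, so this limits IP conversations, not Layer 2 visibility. As the answer notes, confirm first that no port ACLs are applied on the access ports, since how the two interact differs by platform.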