VLAN ACL

Answered Question
Aug 29th, 2008

Hi,

Is it possible to prohibit communication via TCP port 1761 for several servers on a switch? I've never configured a VLAN ACL, so I have to act very carefully in a productive server farm. Is it possible to configure a VLAN ACL on port level? It's undesired to configure an ACL on the backbone router.

Tia,

Stephan

Marwan ALshawi Fri, 08/29/2008 - 05:05

VACLs are configured as a VLAN access map, in much the same format as a route map. A VLAN access map consists of one or more statements, each having a common map name.

A VACL can either drop a matching packet, forward it, or redirect it to another interface. The TCAM performs the entire VACL match and action, as packets are switched or bridged within a VLAN, or routed into or out of a VLAN.

Finally, you must apply the VACL to a VLAN using the following global configuration command:

Switch(config)# vlan filter map-name vlan-list vlan-list

For example, suppose that you need to filter traffic within VLAN 99 so that host 192.168.99.17 is not allowed to contact any other host on its local subnet. Access list local-17 is created to identify traffic between this host and anything else on its local subnet. Then a VLAN access map is defined: if the local-17 access list permits the IP address, the packet is dropped; otherwise, the packet is forwarded.

Switch(config)# ip access-list extended local-17
Switch(config-acl)# permit ip host 192.168.99.17 192.168.99.0 0.0.0.255
Switch(config-acl)# exit
Switch(config)# vlan access-map block-17 10
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
Switch(config-access-map)# vlan access-map block-17 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter block-17 vlan-list 99

In your case, make it like:

Switch(config)# ip access-list extended local-17
Switch(config-acl)# permit tcp host 192.168.99.17 192.168.99.0 0.0.0.255 eq 1761

and the same idea for any source, destination and port.

Good luck.

If helpful, rate.

stephan.sieger Fri, 08/29/2008 - 05:11

That means that the entire VLAN is affected by the VACL. It's not possible to put it only on one single L2 port, I guess. That's not a good solution..:-)

Thanks,

Stephan

Correct Answer
Marwan ALshawi Fri, 08/29/2008 - 05:13

But if you make the source a specific host, only that host in that VLAN will be affected, not other hosts.

So it works for your case.

Marwan ALshawi Fri, 08/29/2008 - 05:24

By the way, don't forget this line at the end, I mean after the deny statements in the VACL:

Switch(config-access-map)# vlan access-map block-17 20
Switch(config-access-map)# action forward

This one will permit all other traffic.

If you don't put it, everything will be denied unless you permit it.

Please, if helpful, rate.

And good luck :)
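The following is an added example, not configuration posted in this thread, that puts together the two answers above for the original question: several servers in one VLAN that must not communicate over TCP 1761, with the final forward clause and the show commands to verify the result. VLAN 99, the 192.168.99.x server addresses and the ACL and map names are assumed placeholders.

```cisco
! Added example (not from the thread). Replace the VLAN number, host
! addresses and names with your own; the hosts below are constructed.
!
! The ACL only names the traffic to drop. Because a VACL sees every packet
! bridged inside the VLAN, list each restricted server explicitly as source
! and as destination on port 1761; hosts not listed are never matched and
! keep their normal connectivity.
ip access-list extended block-tcp-1761
 remark constructed example servers, replace with the real addresses
 permit tcp host 192.168.99.17 any eq 1761
 permit tcp any host 192.168.99.17 eq 1761
 permit tcp host 192.168.99.18 any eq 1761
 permit tcp any host 192.168.99.18 eq 1761
 permit tcp host 192.168.99.19 any eq 1761
 permit tcp any host 192.168.99.19 eq 1761
!
! Sequence 10: a packet the ACL "permits" is a match, and a match is dropped.
vlan access-map drop-1761 10
 match ip address block-tcp-1761
 action drop
!
! Sequence 20: no match clause, so every other packet in the VLAN is
! forwarded. Without it the access map denies all other traffic.
vlan access-map drop-1761 20
 action forward
!
! Apply the map to VLAN 99 only. Other VLANs are unaffected.
vlan filter drop-1761 vlan-list 99
!
! Verification from exec mode after applying:
!   show vlan access-map drop-1761
!   show vlan filter
!   show ip access-lists block-tcp-1761
```

Apply the filter during a maintenance window and check the ACL hit counters in `show ip access-lists` to confirm only the intended port 1761 flows are matched before leaving it in place.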
