ip standard list, vacl and vlan 1

sarahr202 (Level 5)

Hi everybody!

Please consider the following scenario:

router----------sw(L2)----vlan 1

VLAN 1 is using 172.172.0.0/16.

1) If I use a VLAN access list on "sw" denying any traffic from 172.172.0.0, will hosts in VLAN 1 be able to ping the router?

2) Can standard and extended access lists be applied to an SVI?

thanks a lot!


lejoe.thomas (Level 3)

Hi Sarah,

If the router is on a different subnet than VLAN 1, then the ACL applied under the SVI for VLAN 1 to deny traffic from the major network will deny VLAN 1 from pinging the router.

However, if the router is in VLAN 1, the ACL will obviously have no effect.

2) Can standard and extended access lists be applied to an SVI?

Yes, both are possible.

HTH

Lejoe

Thanks Lejoe!

The book says a "VACL" is used to deny or permit traffic within a VLAN. Let's say we have a layer 2 switch "sw". sw has VLAN 1 (1.1.1.0/24). That same switch is connected to the default gateway (1.1.1.2).

Host 1 is in VLAN 1 (1.1.1.3). Now we configure the VACL on sw to deny any traffic from 1.1.1.0/24.

Host 1 wants to ping the gateway. Based on the book, this ping would not be successful, because the VACL at the switch will deny the traffic from any host within the 1.1.0.0/16 subnet.

Is my concept correct?

One more question if you don't mind.

sw1----------sw2

Both are connected by a trunk. Both are layer 2 switches. Both have VLAN 1. Now if I have to use a VACL to block some host in VLAN 1 from reaching some other hosts in the VLAN, where will this VACL be configured? sw1, sw2 or both?

Thanks a lot!

Hi Sarah,

Yes, a VACL can filter traffic between hosts in the same VLAN; from a configuration point of view it is called a VLAN access map.

I was thinking of a normal ACL applied under the SVI.

HTH

Lejoe

Thanks for your reply Lejoe!

Could you please help me with following:

sw1------sw2 (both are L2 switches, each with one VLAN, VLAN 1)

If I have to configure a VACL, which switch do I have to use? Can I configure it on any switch, or on both switches?

Thanks a lot!

Hi Sarah,

Pick the switch that is closest to the source you would like to deny traffic from. It's always best to deny close to the source.

If you have a specific example, post it and I could provide sample config.

Lejoe

I was trying to solve the book problem, which requires blocking the traffic from a certain IP block.

I was thinking I could use a standard access list and deny the traffic from the particular block. But I can also use a VACL to get the same result.

Thanks Lejoe!

Hi Lejoe!

Based on your reply, I have one question.

Let's say two switches, sw1 and sw2, have only one VLAN, VLAN 1.

VLAN 1 is mapped to 192.192.192.0/24.

One host, h1, has 192.192.192.1 and is connected to sw1. Another host, h2 (192.192.192.3), is also connected to sw1.

One server has IP 192.192.192.2 and is connected to sw2.

It is required that no traffic from h1 should be able to reach the server.

Now if I configure the VACL on sw1, all traffic from h1 will be dropped; h1 cannot communicate with the server, but it cannot communicate with h2 either.

It means the VACL should be used on sw2, which has the server connected to it.

My reasoning is: if I configure the VACL on sw2, there is no way switch sw1 knows about it; thus the VACL is locally significant. With the VACL configured on sw2, when sw1 receives the frame from h1, it will forward it out of the port connected to sw2. When sw2 receives the frame from h1, it checks it against the VACL and drops the frame.

What do you think?

Thanks a lot!

Sarah,

"Now if I configure the VACL on sw1, all traffic from h1 will be dropped; h1 cannot communicate with the server, but it cannot communicate with h2 either."

It should only deny traffic between H1 and SW1, i.e. H1 should be able to communicate with other hosts in VLAN 1.

Lejoe

Thanks for your reply.

Please consider the following scenario:

sw1----------sw2

h1 199.199.199.1

h2 199.199.199.2

s1(server) 199.199.199.3

h1 and h2 are connected to sw1, and s1 is connected to sw2.

sw1 and sw2 have one VLAN, VLAN 1.

It is required that h1 should not communicate with s1.

I understand I can use an extended access list in a VACL to deny traffic between h1 and s1.

I just want to know: if I configure the following on sw2

! standard ACL matching h1 (199.199.199.1 in this scenario)
access-list 10 permit host 199.199.199.1

vlan access-map zee 20
match ip address 10
action drop

! sequence with no match clause: everything else is forwarded
vlan access-map zee 30
action forward

vlan filter zee vlan-list 1

will h1 be able to communicate with h2?

My hunch is that it should, because the h1 frame is not forwarded to sw2, where the VACL exists.

Thanks a lot!

Sarah,

Yes, of course: since this is applied on SW2 and H1 and H2 exist on SW1, they both can communicate.

With the above VLAN access map, H1 cannot access any other hosts in VLAN 1 on SW2 (including S1).

Lejoe
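As an added example (not code from the thread or from Cisco), here is a small Python model of VLAN access-map evaluation that checks the designs discussed above: Sarah's standard-ACL map "zee" placed on sw2 (h1 still reaches h2), the same map placed on sw1 (h1 loses h2 as well), and an extended-ACL map placed close to the source on sw1 that drops only h1 to s1. The match/drop rules are a simplification of IOS behaviour, and the names Ace, delivered and reachability are my own.

```python
# Added example, not from the thread: a model of Cisco VLAN access-map
# semantics (ordered sequences, match ip address, implicit drop at the end).
from dataclasses import dataclass
import ipaddress

@dataclass
class Ace:
    """One access-list entry; src/dst are CIDR strings ('0.0.0.0/0' = any)."""
    permit: bool
    src: str
    dst: str = "0.0.0.0/0"

def ace_matches(ace, frame):
    return (ipaddress.ip_address(frame["src"]) in ipaddress.ip_network(ace.src)
            and ipaddress.ip_address(frame["dst"]) in ipaddress.ip_network(ace.dst))

def acl_permits(acl, frame):
    """IP ACL semantics: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, frame):
            return ace.permit
    return False

def vacl_action(access_map, frame):
    """Sequences are tried in order; a sequence with no match clause matches
    everything; a packet matching no sequence is dropped (implicit deny)."""
    for _seq, acl, action in access_map:
        if acl is None or acl_permits(acl, frame):
            return action
    return "drop"

# Topology from the thread (constructed addresses): h1, h2 on sw1; s1 on sw2.
H1, H2, S1 = "199.199.199.1", "199.199.199.2", "199.199.199.3"
SWITCH_OF = {H1: "sw1", H2: "sw1", S1: "sw2"}

def delivered(src, dst, vacls):
    """A frame is checked by the ingress switch and, if different, the egress
    switch; each applies only its own VACL (the filter is locally significant)."""
    frame = {"src": src, "dst": dst}
    path = [SWITCH_OF[src]] + ([SWITCH_OF[dst]] if SWITCH_OF[dst] != SWITCH_OF[src] else [])
    return all(sw not in vacls or vacl_action(vacls[sw], frame) == "forward" for sw in path)

# Sarah's map "zee": standard ACL matching host h1 -> drop, then forward the rest.
ZEE = [(20, [Ace(True, H1 + "/32")], "drop"), (30, None, "forward")]
# Close-to-source variant: extended ACL dropping only h1 -> s1, applied on sw1.
NEAR_SOURCE = [(10, [Ace(True, H1 + "/32", S1 + "/32")], "drop"), (20, None, "forward")]

def reachability(vacls):
    return {(a, b): delivered(a, b, vacls) for a, b in [(H1, H2), (H1, S1), (H2, S1)]}
```

Calling reachability({"sw2": ZEE}) versus reachability({"sw1": ZEE}) reproduces the two outcomes the thread argues about, and reachability({"sw1": NEAR_SOURCE}) shows the extended-ACL version keeping h1 to h2 while still blocking h1 to s1.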
