Blocking Host to Host communication in same VLAN?

Answered Question
Jun 3rd, 2009
Hi experts,


I have one problem here. I just want to know: is it possible to block host-to-host communication in the same VLAN via ACLs on the switches?


I found a Cisco document, but it is not working.

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml


Many thanks



dario.didio Thu, 06/04/2009 - 00:32

Hi,


This is possible and should work.


Can you post your config?

What model of switch are you using?


Thanks,

Dario

frankie_sky Thu, 06/04/2009 - 00:54

Cisco 3750 as distribution switch software version: c3750-ipservicesk9-mz.122-25.SEB4.bin


Cisco 3560 as access switch


This is my config. I configured it in both the distribution and the access switch.


mac access-list extended test

permit host 0016.e678.0ae0 host 0011.43bb.0ebe 0x806 0x0


vlan access-map block 10

action drop

match mac address test

vlan access-map block 20

action forward

vlan filter block vlan-list 39


Distribution switch configuration:

interface Vlan39

ip address 172.30.2.131 255.255.255.128

ip access-group 101 in

ip helper-address 172.30.4.73

ip helper-address 172.30.4.10

ip mask-reply

no ip redirects

standby ip 172.30.2.129

standby preempt

end



Correct Answer
dario.didio Thu, 06/04/2009 - 01:10

Are both hosts connected on the access switch? If so, you need to configure this on the access switch because L2 traffic doesn't go to the distribution switch.


Also, I wouldn't put the 0x806 and 0x0 in the ACL. This prevents all traffic between these two MAC addresses. You should also put in the reverse entry.


mac access-list extended test

permit host 0016.e678.0ae0 host 0011.43bb.0ebe

permit host 0011.43bb.0ebe host 0016.e678.0ae0


HTH,

Dario

frankie_sky Thu, 06/04/2009 - 03:34

Hi Dario,


It works now after I put in the reverse entry. Many thanks for your help.


Frankie

dario.didio Thu, 06/04/2009 - 03:41

Hi,


Could you please use the rating system if my response was helpful for you?


Thanks,

Dario

lamav Thu, 06/04/2009 - 04:07

Good morning, Dario:


Why would he have to create a reverse entry? I know he says it worked now, but I don't know how he is testing it.


His objective, he says, is to eliminate communication between 2 hosts. So if host A is blocked from talking to host B, but the reverse is not true, it shouldn't make a difference, it seems, because the host just won't respond. You will have unidirectional (attempts at) communications.


No?


Victor

carl_townshend Thu, 06/04/2009 - 05:14

Hi there,


When doing this, do you need to apply it to a VLAN?

Or do you just do it in global config and that's it?


Please confirm!


Carl

dario.didio Thu, 06/04/2009 - 05:23

Hi,


It is done in global config using the following command:


vlan filter block vlan-list 39


vlan filter "VACL name" vlan-list "list of VLANs where it should be applied to"


HTH,

Dario

dario.didio Thu, 06/04/2009 - 05:21

Hi,


You are absolutely correct that if he wants to prevent 2 hosts from talking to each other, a single entry in the ACL would be sufficient.


In this situation you would get a traffic flow like this:


host A ------ switch ------- host B


Imagine that the ACL blocks traffic from MAC A to MAC B. This would mean that if host A sends a frame to host B, it is blocked on the switch and thus never reaches host B.

Now if host B sends a frame to host A, it would be switched to host A, and the response from host A would be blocked on the switch.

This would mean that host A needs to treat the incoming data, process it and respond to it, which is eventually blocked by the switch, meaning that this causes unnecessary overhead on host A.


If the ACL is configured to block in both directions, the hosts never receive any traffic from each other, preventing this unnecessary overhead.


That is why I think it is cleaner to block traffic both ways.


Hope you can follow my thinking :-)


If you don't agree or have any other remarks, I would be glad to hear them!


Kr,

Dario

carl_townshend Thu, 06/04/2009 - 05:50

Hi there,

Can you please give me the full commands in order to set the above up?


cheers


Carl

dario.didio Thu, 06/04/2009 - 05:57

Hi,


As stated above by Frankie, this is the config needed to apply a VLAN filter:


!ACL to filter MAC addresses of hosts that should be prevented from communicating

mac access-list extended test

permit host 0016.e678.0ae0 host 0011.43bb.0ebe


!VACL to forward or deny certain traffic

vlan access-map block 10

action drop

match mac address test


vlan access-map block 20

action forward


!filter to apply VACL on VLANs needed

vlan filter block vlan-list 39


HTH,

Dario
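
The following is an added example, not code from the thread or from Cisco. It is a small Python model of how a Catalyst VLAN map driven by a MAC access-list evaluates frames, written to show concretely the two points made in this thread: why Frankie's first entry with "0x806 0x0" only catches ARP, and why a single one-way entry lets host B's frames still reach host A (Dario's explanation above and the full config just posted). The modelled semantics are assumptions stated in the docstring (first-match in sequence order, implicit drop at the end of a VLAN map, implicit deny at the end of the ACL, EtherType mask bits as don't-care bits); the third host and the sample frames are constructed. Note that the model, like the real filter, keys only on MAC addresses, so a host that changes its MAC is not matched.

```python
"""Model of a Catalyst VLAN map (VACL) driven by a MAC access-list.

Assumed semantics (modelled here, not taken from the thread):
  * VLAN map entries are tried in sequence order; the first entry whose
    match clause selects the frame decides the action; an entry with no
    match clause matches every frame; a frame that reaches the end of the
    map without a match is dropped.
  * Inside a MAC ACL the first matching ACE wins; "permit" means the frame
    is selected by the ACL, "deny" means it is not; no ACE = implicit deny.
  * The optional "type mask" pair matches the EtherType; mask bits are
    don't-care bits, so "0x806 0x0" means exactly ARP.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Frame = Tuple[str, str, int]          # (source MAC, destination MAC, EtherType)


@dataclass
class MacAce:
    permit: bool
    src: str
    dst: str
    ethertype: Optional[int] = None   # None: any EtherType
    mask: int = 0

    def matches(self, frame: Frame) -> bool:
        src, dst, etype = frame
        if (src.lower(), dst.lower()) != (self.src, self.dst):
            return False
        if self.ethertype is None:
            return True
        care = ~self.mask & 0xFFFF    # mask bits are "don't care"
        return (etype & care) == (self.ethertype & care)


@dataclass
class MapEntry:
    action: str = "drop"
    acl: Optional[str] = None         # None: entry matches all frames


@dataclass
class Config:
    acls: Dict[str, List[MacAce]] = field(default_factory=dict)
    maps: Dict[str, Dict[int, MapEntry]] = field(default_factory=dict)
    filters: Dict[int, str] = field(default_factory=dict)   # VLAN id -> map name


ACE_RE = re.compile(
    r"(permit|deny) host (\S+) host (\S+)(?: (0x[0-9a-f]+) (0x[0-9a-f]+))?", re.I)


def vlan_list(spec: str) -> List[int]:
    """Expand '39', '10,39' or '10-12' into a list of VLAN ids."""
    ids: List[int] = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids


def parse(text: str) -> Config:
    """Parse the IOS-style lines used in the thread into a Config."""
    cfg, ctx = Config(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.fullmatch(r"mac access-list extended (\S+)", line):
            ctx = cfg.acls.setdefault(m[1], [])
        elif m := re.fullmatch(r"vlan access-map (\S+) (\d+)", line):
            ctx = cfg.maps.setdefault(m[1], {}).setdefault(int(m[2]), MapEntry())
        elif m := re.fullmatch(r"vlan filter (\S+) vlan-list (.+)", line):
            for vid in vlan_list(m[2]):
                cfg.filters[vid] = m[1]
            ctx = None
        elif isinstance(ctx, list) and (m := ACE_RE.fullmatch(line)):
            ctx.append(MacAce(m[1].lower() == "permit", m[2].lower(), m[3].lower(),
                              int(m[4], 16) if m[4] else None,
                              int(m[5], 16) if m[5] else 0))
        elif isinstance(ctx, MapEntry) and (m := re.fullmatch(r"action (drop|forward)", line)):
            ctx.action = m[1]
        elif isinstance(ctx, MapEntry) and (m := re.fullmatch(r"match mac address (\S+)", line)):
            ctx.acl = m[1]
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return cfg


def acl_selects(aces: List[MacAce], frame: Frame) -> bool:
    for ace in aces:
        if ace.matches(frame):
            return ace.permit
    return False                      # implicit deny at the end of the ACL


def evaluate(cfg: Config, vlan: int, frame: Frame) -> str:
    """Return 'forward' or 'drop' for a frame switched within `vlan`."""
    map_name = cfg.filters.get(vlan)
    if map_name is None:
        return "forward"              # no VLAN map applied to this VLAN
    for _seq, entry in sorted(cfg.maps[map_name].items()):
        if entry.acl is None or acl_selects(cfg.acls[entry.acl], frame):
            return entry.action
    return "drop"                     # implicit drop at the end of a VLAN map


# Hosts from the thread plus HOST_C, a constructed bystander; EtherTypes for ARP and IPv4.
HOST_A, HOST_B, HOST_C = "0016.e678.0ae0", "0011.43bb.0ebe", "0000.0c12.3456"
ARP, IPV4 = 0x0806, 0x0800

# Frankie's first attempt: one direction, ARP only (0x806 with mask 0x0).
ORIGINAL = """
mac access-list extended test
 permit host 0016.e678.0ae0 host 0011.43bb.0ebe 0x806 0x0
vlan access-map block 10
 action drop
 match mac address test
vlan access-map block 20
 action forward
vlan filter block vlan-list 39
"""

# Dario's version: both directions, every EtherType.
FIXED = ORIGINAL.replace(
    " permit host 0016.e678.0ae0 host 0011.43bb.0ebe 0x806 0x0\n",
    " permit host 0016.e678.0ae0 host 0011.43bb.0ebe\n"
    " permit host 0011.43bb.0ebe host 0016.e678.0ae0\n")

SAMPLE_FRAMES = {                     # constructed test traffic inside VLAN 39
    "A->B arp": (HOST_A, HOST_B, ARP),
    "A->B ip": (HOST_A, HOST_B, IPV4),
    "B->A ip": (HOST_B, HOST_A, IPV4),
    "C->A ip": (HOST_C, HOST_A, IPV4),
}


def run(config_text: str, vlan: int = 39) -> Dict[str, str]:
    cfg = parse(config_text)
    return {name: evaluate(cfg, vlan, f) for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, run(text))
```

Running it shows the original config dropping only the A-to-B ARP frame while A-to-B IPv4 and everything from B to A is forwarded; with the two-way, EtherType-less ACL every frame between A and B is dropped and the bystander's traffic still passes. Frames in a VLAN without a "vlan filter" line are forwarded untouched, which is why the map must be applied on the access switch that actually sees the L2 traffic.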

lamav Thu, 06/04/2009 - 17:40

Hey, Dario:


What you're saying makes perfect sense and I follow you.


Just wanted your thoughts is all...


Thanks :-)

carl_townshend Fri, 06/05/2009 - 06:21

Hi there,

From reading some Cisco data,


it says all I need to do is type



mac access-list extended test

permit host 0016.e678.0ae0 host 0011.43bb.0ebe

permit host 0011.43bb.0ebe host 0016.e678.0ae0


Can I then just apply this MAC access list to a VLAN?

dario.didio Fri, 06/05/2009 - 06:44

Hi,


If you want to filter traffic inside a VLAN, then you need to use a VLAN map and a VLAN filter.


Your mac ACL is just a part of this. In this ACL you specify the traffic that needs to be matched (this ACL will match traffic between the two specified hosts).


When you've created your ACL (when you've matched your traffic), you create a VLAN map.


!create VLAN map "L2-filter"

!use ACL "test" to match traffic that should be dropped

vlan access-map L2-filter 10

action drop

match mac address test

!all other traffic is forwarded

vlan access-map L2-filter 20

action forward


Once your VLAN map is done, you need to apply it to a VLAN


!use VLAN map "L2-filter" in VLAN 10

vlan filter L2-filter vlan-list 10


HTH,

Dario
