Blocking Host to Host communication in same VLAN?

Answered Question
Jun 3rd, 2009

Hi experts,

I have one problem here. I just want to know: is it possible to block host-to-host communication in the same VLAN via ACLs controlled on the switches?

I found a Cisco document, but it is not working.

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

Many thanks

Correct Answer by dario.didio about 7 years 7 months ago

Are both hosts connected on the access switch? If so, you need to configure this on the access switch because L2 traffic doesn't go to the distribution switch.

Also, I wouldn't put the 0x806 and 0x0 in the ACL. This prevents all traffic between these two MAC addresses. You should also put in the reverse entry.

mac access-list extended test
permit host 0016.e678.0ae0 host 0011.43bb.0ebe
permit host 0011.43bb.0ebe host 0016.e678.0ae0

HTH,

Dario

dario.didio Thu, 06/04/2009 - 00:32

Hi,

This is possible and should work.

Can you post your config?

What model of switch are you using?

Tnx,

Dario

frankie_sky Thu, 06/04/2009 - 00:54

Cisco 3750 as distribution switch software version: c3750-ipservicesk9-mz.122-25.SEB4.bin

Cisco 3560 as access switch

This is my config. I configured it on both the distribution and the access switch.

!MAC ACL selecting the traffic to be dropped (one direction, ethertype 0x806 only)
mac access-list extended test
permit host 0016.e678.0ae0 host 0011.43bb.0ebe 0x806 0x0
!VLAN map: drop what the ACL matches, forward everything else
vlan access-map block 10
action drop
match mac address test
vlan access-map block 20
action forward
!apply the VLAN map to VLAN 39
vlan filter block vlan-list 39

Distribution switch configuration:

interface Vlan39
ip address 172.30.2.131 255.255.255.128
ip access-group 101 in
ip helper-address 172.30.4.73
ip helper-address 172.30.4.10
ip mask-reply
no ip redirects
standby ip 172.30.2.129
standby preempt
end

frankie_sky Thu, 06/04/2009 - 03:34

Hi Dario,

It works now after I put in the reverse entry. Many thanks for your help.

Frankie

dario.didio Thu, 06/04/2009 - 03:41

Hi,

Could you please use the rating system if my response was helpful for you?

Thanks,

Dario

lamav Thu, 06/04/2009 - 04:07

Good morning, Dario:

Why would he have to create a reverse entry? I know he says it worked now, but I don't know how he is testing it.

His objective, he says, is to eliminate communication between 2 hosts. So if host A is blocked from talking to host B, but the reverse is not true, it shouldn't make a difference, it seems, because the host just won't respond. You will have unidirectional (attempts at) communications.

No?

Victor

carl_townshend Thu, 06/04/2009 - 05:14

Hi there,

When doing this, do you need to apply it to a VLAN?

Or do you just do it in global config and that's it?

Please confirm!

Carl

dario.didio Thu, 06/04/2009 - 05:23

Hi,

It is done in global config using the following command:

vlan filter block vlan-list 39

The general form is: vlan filter "VACL name" vlan-list "list of VLANs where it should be applied to"

HTH,

Dario

dario.didio Thu, 06/04/2009 - 05:21

Hi,

You are absolutely correct that if he wants to prevent 2 hosts from talking to each other, a single entry in the ACL would be sufficient.

In this situation you would get a traffic flow like this:

host A ------ switch ------- host B

Imagine that the ACL blocks traffic from MAC A to MAC B. This would mean that if host A sends a frame to host B, it is blocked on the switch and thus never reaches host B.

Now if host B sends a frame to host A, it would be switched to host A, and the response from host A would be blocked on the switch.

This would mean that host A needs to treat the incoming data, process it and respond to it, which is eventually blocked by the switch, meaning that this causes unnecessary overhead on host A.

If the ACL is configured to block in both directions, the hosts never receive any traffic from each other, preventing this unnecessary overhead.

That is why I think it is more clean to block traffic in both ways.

Hope you can follow my thinking :-)

If you don't agree or have any other remarks, I would be glad to hear them!

Kr,

Dario

carl_townshend Thu, 06/04/2009 - 05:50

Hi there,

Can you please give me the full commands in order to set the above up?

cheers

Carl

dario.didio Thu, 06/04/2009 - 05:57

Hi,

As stated above by Frankie, this is the config needed to apply a VLAN filter:

!ACL to filter MAC addresses of hosts that should be prevented from communicating
mac access-list extended test
permit host 0016.e678.0ae0 host 0011.43bb.0ebe
!VACL to forward or deny certain traffic
vlan access-map block 10
action drop
match mac address test
vlan access-map block 20
action forward
!filter to apply VACL on VLANs needed
vlan filter block vlan-list 39

HTH,

Dario

lamav Thu, 06/04/2009 - 17:40

Hey, Dario:

What you're saying makes perfect sense and I follow you.

Just wanted your thoughts is all...

Thanks :-)

carl_townshend Fri, 06/05/2009 - 06:21

Hi there,

From reading some Cisco data, it says all I need to do is type

mac access-list extended test
permit host 0016.e678.0ae0 host 0011.43bb.0ebe
permit host 0011.43bb.0ebe host 0016.e678.0ae0

Can I then just apply this MAC access list to a VLAN?

dario.didio Fri, 06/05/2009 - 06:44

Hi,

If you want to filter traffic inside a VLAN, then you need to use a VLAN map and a VLAN filter.

Your MAC ACL is just a part of this. In this ACL you specify the traffic that needs to be matched (this ACL will match traffic between the two specified hosts).

When you've created your ACL (when you've matched your traffic), you create a VLAN map.

!create VLAN map "L2-filter"
!use ACL "test" to match traffic that should be dropped
vlan access-map L2-filter 10
action drop
match mac address test
!all other traffic is forwarded
vlan access-map L2-filter 20
action forward

Once your VLAN map is done, you need to apply it to a VLAN.

!use VLAN map "L2-filter" in VLAN 10
vlan filter L2-filter vlan-list 10

HTH,

Dario
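The three points the thread turns on (an ethertype/mask pair in a MAC ACL entry narrows the match to that protocol, a single entry only blocks one direction, and a VLAN map has an implicit deny at the end, so the catch-all "action forward" clause is what keeps the rest of the VLAN working) can be seen by modelling the lookup. The Python below is an added example and not IOS code or the switch's real implementation; it only implements those documented semantics. The MAC addresses of host A and host B are the ones posted in the thread; host C, the frames, and the function names are constructed for the example. It goes a little beyond the thread by also evaluating a map that lacks the forward clause.

```python
"""Toy model of a Catalyst VLAN access map (VACL) driven by a MAC ACL.

Added example, not IOS code: it reproduces only the documented lookup
semantics. HOST_A and HOST_B are the addresses from the thread; HOST_C
and all frames are constructed."""
from dataclasses import dataclass
from typing import List, Optional

HOST_A = "0016.e678.0ae0"   # from the thread
HOST_B = "0011.43bb.0ebe"   # from the thread
HOST_C = "0200.0000.0003"   # constructed third host in the same VLAN

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int


@dataclass(frozen=True)
class MacAce:
    """One 'permit host <src> host <dst> [<ethertype> <mask>]' line of a
    'mac access-list extended'. Mask bits set to 1 are ignored, so
    '0x806 0x0' matches ARP only; omitting the pair matches every ethertype."""
    src: str
    dst: str
    ethertype: Optional[int] = None
    mask: int = 0x0

    def matches(self, f: Frame) -> bool:
        if (f.src, f.dst) != (self.src, self.dst):
            return False
        if self.ethertype is None:
            return True
        return (f.ethertype & ~self.mask) == (self.ethertype & ~self.mask)


@dataclass(frozen=True)
class MapEntry:
    """One 'vlan access-map <name> <seq>' clause. match=None models a clause
    with no 'match' line, which matches every frame."""
    seq: int
    action: str                         # "drop" or "forward"
    match: Optional[List[MacAce]] = None


def vacl_lookup(entries: List[MapEntry], frame: Frame) -> str:
    """Walk the map in sequence order; the first matching clause decides.
    A frame that matches no clause is dropped (implicit deny)."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.match is None or any(ace.matches(frame) for ace in entry.match):
            return entry.action
    return "drop"


def original_map() -> List[MapEntry]:
    """Frankie's first attempt: one direction, ethertype 0x806 (ARP) only."""
    acl = [MacAce(HOST_A, HOST_B, ETHERTYPE_ARP, 0x0)]
    return [MapEntry(10, "drop", acl), MapEntry(20, "forward")]


def corrected_map() -> List[MapEntry]:
    """Dario's version: both directions, every ethertype."""
    acl = [MacAce(HOST_A, HOST_B), MacAce(HOST_B, HOST_A)]
    return [MapEntry(10, "drop", acl), MapEntry(20, "forward")]


def map_without_forward_clause() -> List[MapEntry]:
    """Same ACL, but the catch-all 'action forward' clause is missing."""
    acl = [MacAce(HOST_A, HOST_B), MacAce(HOST_B, HOST_A)]
    return [MapEntry(10, "drop", acl)]


if __name__ == "__main__":
    frames = [
        Frame(HOST_A, HOST_B, ETHERTYPE_IPV4),
        Frame(HOST_A, HOST_B, ETHERTYPE_ARP),
        Frame(HOST_B, HOST_A, ETHERTYPE_IPV4),
        Frame(HOST_A, HOST_C, ETHERTYPE_IPV4),
    ]
    for name, vmap in [("original", original_map()),
                       ("corrected", corrected_map()),
                       ("no forward clause", map_without_forward_clause())]:
        print(f"--- {name} ---")
        for f in frames:
            print(f"{f.src} -> {f.dst} 0x{f.ethertype:04x}: {vacl_lookup(vmap, f)}")
```

Running it shows why the first config appeared not to work: with the ARP-only entry, an IPv4 frame from A to B is forwarded and only ARP is dropped, and nothing from B to A is touched. With both directions and no ethertype, every frame between A and B is dropped while A to C still passes. Dropping the sequence-20 forward clause drops A to C as well, which is the implicit deny that makes that clause mandatory.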
