06-03-2009 10:16 PM - edited 03-06-2019 06:05 AM
Hi experts,
I have one problem here. I just want to know whether it is possible to block host-to-host communication in the same VLAN via an ACL controlled on the switches.
I found a Cisco document, but it is not working.
Many thanks
06-04-2009 01:10 AM
Are both hosts connected on the access switch? If so, you need to configure this on the access switch because L2 traffic doesn't go to the distribution switch.
Also, I wouldn't put the 0x806 and 0x0 in the ACL. This prevents all traffic between these two MAC addresses. You should also put in the reverse entry.
mac access-list extended test
permit host 0016.e678.0ae0 host 0011.43bb.0ebe
permit host 0011.43bb.0ebe host 0016.e678.0ae0
HTH,
Dario
06-04-2009 12:32 AM
Hi,
This is possible and should work.
Can you post your config?
What model of switch are you using?
Tnx,
Dario
06-04-2009 12:54 AM
Cisco 3750 as distribution switch, software version: c3750-ipservicesk9-mz.122-25.SEB4.bin
Cisco 3560 as access switch
This is my config. I configured it on both the distribution and the access switch.
mac access-list extended test
permit host 0016.e678.0ae0 host 0011.43bb.0ebe 0x806 0x0
vlan access-map block 10
action drop
match mac address test
vlan access-map block 20
action forward
vlan filter block vlan-list 39
Distribution switch configuration:
interface Vlan39
ip address 172.30.2.131 255.255.255.128
ip access-group 101 in
ip helper-address 172.30.4.73
ip helper-address 172.30.4.10
ip mask-reply
no ip redirects
standby ip 172.30.2.129
standby preempt
end
06-04-2009 03:34 AM
Hi Dario,
It works now after I put in the reverse entry. Many thanks for your help.
Frankie
06-04-2009 03:41 AM
Hi,
Could you please use the rating system if my response was helpful to you?
Thanks,
Dario
06-04-2009 04:07 AM
Good morning, Dario:
Why would he have to create a reverse entry? I know he says it worked now, but I don't know how he is testing it.
His objective, he says, is to eliminate communication between 2 hosts. So if host A is blocked from talking to host B, but the reverse is not true, it shouldn't make a difference, it seems, because the host just won't respond. You will have unidirectional (attempts at) communications.
No?
Victor
06-04-2009 05:14 AM
Hi there,
when doing this, do you need to apply it to a VLAN?
Or do you just do it in global config and that's it?
Please confirm!
Carl
06-04-2009 05:23 AM
Hi,
It is done in global config using the following command:
vlan filter block vlan-list 39
vlan filter "VACL name" vlan-list "list of VLANs where it should be applied to"
HTH,
Dario
06-04-2009 05:21 AM
Hi,
You are absolutely correct that if he wants to prevent 2 hosts from talking to each other, a single entry in the ACL would be sufficient.
In this situation you would get a traffic flow like this:
host A ------ switch ------- host B
Imagine that the ACL blocks traffic from MAC A to MAC B. This would mean that if host A sends a frame to host B, it is blocked on the switch and thus never reaches host B.
Now if host B sends a frame to host A, it would be switched to host A, and the response from host A would be blocked on the switch.
This would mean that host A needs to treat the incoming data, process it and respond to it, which is eventually blocked by the switch, meaning that this causes unnecessary overhead on host A.
If the ACL is configured to block in both directions, the hosts never receive any traffic from each other, preventing this unnecessary overhead.
That is why I think it is cleaner to block traffic both ways.
Hope you can follow my thinking :-)
If you don't agree or have any other remarks, I would be glad to hear them!
Kr,
Dario
06-04-2009 05:50 AM
Hi there,
can you please give me the full commands in order to set the above up?
Cheers,
Carl
06-04-2009 05:57 AM
Hi,
As stated above by Frankie, this is the config needed to apply a VLAN filter:
!ACL to filter MAC addresses of hosts that should be prevented from communicating
mac access-list extended test
permit host 0016.e678.0ae0 host 0011.43bb.0ebe
!VACL to forward or deny certain traffic
vlan access-map block 10
action drop
match mac address test
vlan access-map block 20
action forward
!filter to apply VACL on VLANs needed
vlan filter block vlan-list 39
HTH,
Dario
06-04-2009 05:40 PM
Hey, Dario:
What you're saying makes perfect sense and I follow you.
Just wanted your thoughts is all...
Thanks :-)
06-05-2009 06:21 AM
Hi there,
from reading some Cisco documentation,
it says all I need to do is type
mac access-list extended test
permit host 0016.e678.0ae0 host 0011.43bb.0ebe
permit host 0011.43bb.0ebe host 0016.e678.0ae0
Can I then just apply this MAC access list to a VLAN?
06-05-2009 06:44 AM
Hi,
If you want to filter traffic inside a VLAN, then you need to use a VLAN map and a VLAN filter.
Your MAC ACL is just a part of this. In this ACL you specify the traffic that needs to be matched (this ACL will match traffic between the two specified hosts).
When you've created your ACL (when you've matched your traffic), you create a VLAN map.
!create VLAN map "L2-filter"
!use ACL "test" to match traffic that should be dropped
vlan access-map L2-filter 10
action drop
match mac address test
!all other traffic is forwarded
vlan access-map L2-filter 20
action forward
Once your VLAN map is done, you need to apply it to a VLAN.
!use VLAN map "L2-filter" in VLAN 10
vlan filter L2-filter vlan-list 10
HTH,
Dario
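As an added illustration (not part of the thread and not Cisco code), the following Python model evaluates a MAC ACL and a VLAN access-map against sample frames, using the two MAC addresses from the thread. It assumes simplified semantics: the first matching ACE wins, an ACL with no match ends in an implicit deny, access-map entries are evaluated in sequence order, and the ethertype mask marks don't-care bits. Platform specifics, such as which frame types a MAC ACL inside a VLAN map inspects on a given Catalyst model, are deliberately not modelled. The model shows why Dario's reverse entry matters (without it only the A-to-B direction is dropped), that the `0x806 0x0` qualifier restricts the match to ARP, and that a `host` destination never matches a broadcast ARP request.

```python
"""Simplified model of Cisco VACL (VLAN access-map) evaluation.

Added illustration for the thread, not Cisco's implementation.  Semantics
assumed: first matching ACE wins, implicit deny at the end of the MAC ACL,
access-map entries checked in sequence order, ethertype mask = don't-care bits.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int = 0x0800  # IPv4 unless stated otherwise


@dataclass(frozen=True)
class MacAce:
    """One line of 'mac access-list extended': permit|deny host SRC host DST [TYPE MASK]."""
    action: str                     # "permit" or "deny"
    src: str
    dst: str
    ethertype: Optional[int] = None  # None: any ethertype
    mask: int = 0x0                  # bits set here are ignored when comparing

    def matches(self, f: Frame) -> bool:
        if f.src != self.src or f.dst != self.dst:
            return False
        if self.ethertype is None:
            return True
        return (f.ethertype & ~self.mask) == (self.ethertype & ~self.mask)


def mac_acl_permits(acl: List[MacAce], f: Frame) -> bool:
    """First matching ACE decides; no match means the implicit deny applies."""
    for ace in acl:
        if ace.matches(f):
            return ace.action == "permit"
    return False


@dataclass
class MapEntry:
    seq: int
    action: str                              # "drop" or "forward"
    match_acl: Optional[List[MacAce]] = None  # None: entry without a match clause matches everything


def vacl_action(access_map: List[MapEntry], f: Frame) -> str:
    """Evaluate a VLAN access-map: the first entry whose match clause permits
    the frame decides.  A frame matched by no entry is dropped."""
    for entry in sorted(access_map, key=lambda e: e.seq):
        if entry.match_acl is None or mac_acl_permits(entry.match_acl, f):
            return entry.action
    return "drop"


# MAC addresses from the thread; broadcast address and ethertypes are standard values.
A = "0016.e678.0ae0"
B = "0011.43bb.0ebe"
BCAST = "ffff.ffff.ffff"
ARP, IPV4 = 0x0806, 0x0800

ONE_WAY = [MacAce("permit", A, B)]                               # Frankie's first attempt, minus ethertype
TWO_WAY = [MacAce("permit", A, B), MacAce("permit", B, A)]        # Dario's ACL with the reverse entry
ARP_ONLY = [MacAce("permit", A, B, ethertype=ARP, mask=0x0)]      # 'permit host A host B 0x806 0x0'

# Constructed sample frames to evaluate against each policy.
FRAMES: Dict[str, Frame] = {
    "A->B ip": Frame(A, B, IPV4),
    "B->A ip": Frame(B, A, IPV4),
    "A->B arp reply": Frame(A, B, ARP),
    "A->bcast arp request": Frame(A, BCAST, ARP),
}


def build_map(acl: List[MacAce]) -> List[MapEntry]:
    """Same shape as the thread's 'vlan access-map block': seq 10 drop on the ACL, seq 20 forward the rest."""
    return [MapEntry(10, "drop", acl), MapEntry(20, "forward")]


def evaluate(acl: List[MacAce], frames: Dict[str, Frame]) -> Dict[str, str]:
    """Return the VACL verdict for every sample frame under the given MAC ACL."""
    access_map = build_map(acl)
    return {name: vacl_action(access_map, f) for name, f in frames.items()}


if __name__ == "__main__":
    for label, acl in (("one-way", ONE_WAY), ("two-way", TWO_WAY), ("arp-only", ARP_ONLY)):
        print(f"== {label} ==")
        for name, verdict in evaluate(acl, FRAMES).items():
            print(f"  {name:22s} {verdict}")
```

Running the script prints one verdict table per policy: with the one-way ACL a B-to-A frame is still forwarded, so host A receives and processes it before its reply is dropped, which is exactly the overhead Dario describes; with the reverse entry both directions drop at the switch. The ARP-only variant leaves IP frames between the two hosts untouched in this model, and in every variant the broadcast ARP request passes because `host` matches a single unicast destination.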