Issue with VLAN Access Map

youssef_1985
Level 1

Hi

In my LAN I have two 4503s (distribution) and 10 access switches. I applied this VACL on the two 4500s. This worked well.

! Sequence 10: drop anything the ACL below permits (matches)
vlan access-map Guest-wifi 10
 action drop
 match ip address deny-guest-wifi
! Sequence 20: no match clause, so everything else is forwarded
vlan access-map Guest-wifi 20
 action forward
!
! Apply the map to all traffic in VLAN 22 on this switch
vlan filter Guest-wifi vlan-list 22
!
! Guest subnet 172.24.22.0/24 to any internal 172.24.0.0/16 address
ip access-list extended deny-guest-wifi
 permit ip 172.24.22.0 0.0.0.255 172.24.0.0 0.0.255.255

But what I want to know is how this VACL is going to deny the traffic of two users who are in the same subnet and VLAN and are located on the same access switch.

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Youssef,

Your configuration looks fine.

What are the two client VLANs' IP subnets?

Does this happen on a single access switch?

I see you want to know whether it is effective if two users are on the same access switch:

The VACL is effective if the access switch provides only L2 services: in that case, when a user tries to contact someone outside its subnet, it sends traffic to its default gateway, which should be one of the distribution nodes, and so the VACL comes into play for users of VLAN 22 in that IP subnet.

If someone with a two-NIC device places a device able to perform inter-VLAN routing and takes the role of default gateway on the VLAN (using gratuitous ARPs, for example), this security feature can be defeated.

For additional security you could deploy the guest VLAN inside a VRF, in a VRF-lite context, giving them only Internet access.

But it is a more complex solution.

Hope to help

Giuseppe

Hi, thanks for the reply.

But I want to know how the VACL takes effect on the access switch when two users, 172.24.22.10 and 172.24.22.11, want to communicate without passing through the distribution nodes.
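As an added illustration of the question in this thread (not part of the original posts, and not Cisco code), the following Python model replays the posted access map hop by hop against a few constructed flows. It assumes that a VACL is evaluated only on the switch where `vlan filter` is applied, on every frame bridged or routed in that VLAN on that switch, with access-map sequences tried in order and an implicit drop if none matches. The switch names (access-1, access-2, dist-1, dist-2) and the mapping of guest hosts to access switches are invented for the example; the ACE and access map are the ones posted above.

```python
"""Hop-by-hop model of the Guest-wifi VACL from the thread.

Constructed example; assumptions (not taken from the thread):
- a VACL acts only on the switch where 'vlan filter' is applied, against
  every frame bridged or routed in that VLAN on that switch;
- access-map sequences are tried in order; the first whose match ACL
  permits the packet wins; a sequence with no match clause matches all;
  a packet matching no sequence is dropped;
- IOS wildcard-mask semantics: a 1 bit means "don't care".
Switch names and host placement below are invented for illustration.
"""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Match addr against base/wildcard using IOS wildcard-mask semantics."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# ip access-list extended deny-guest-wifi
#  permit ip 172.24.22.0 0.0.0.255 172.24.0.0 0.0.255.255
ACLS = {
    "deny-guest-wifi": [
        ("permit", "172.24.22.0", "0.0.0.255", "172.24.0.0", "0.0.255.255"),
    ],
}

# vlan access-map Guest-wifi 10: action drop, match ip address deny-guest-wifi
# vlan access-map Guest-wifi 20: action forward, no match clause
ACCESS_MAP = [
    (10, "deny-guest-wifi", "drop"),
    (20, None, "forward"),
]


def acl_permits(acl_name, src, dst):
    """First matching ACE decides; implicit deny if none matches."""
    for action, s, s_wc, d, d_wc in ACLS[acl_name]:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action == "permit"
    return False


def vacl_action(src, dst):
    """Action the Guest-wifi map takes on a packet the filtering switch sees."""
    for _seq, acl_name, action in ACCESS_MAP:
        if acl_name is None or acl_permits(acl_name, src, dst):
            return action
    return "drop"  # no sequence matched: VACL implicit drop


# Invented topology: which access switch each guest host hangs off.
HOST_SWITCH = {
    "172.24.22.10": "access-1",
    "172.24.22.11": "access-1",
    "172.24.22.20": "access-2",
}
GUEST_SUBNET = ipaddress.ip_network("172.24.22.0/24")


def frame_path(src, dst):
    """Switches a frame from src transits. Same-subnet traffic between two
    hosts on one access switch is bridged locally and never leaves it; any
    other destination is reached through the distribution switch (bridged
    on to another access switch, or routed off the subnet)."""
    first = HOST_SWITCH[src]
    if ipaddress.ip_address(dst) in GUEST_SUBNET and HOST_SWITCH.get(dst) == first:
        return [first]
    path = [first, "dist-1"]
    if dst in HOST_SWITCH:
        path.append(HOST_SWITCH[dst])
    return path


def delivered(src, dst, filter_on):
    """True unless a switch on the path that carries the vlan filter drops it."""
    return all(
        vacl_action(src, dst) == "forward"
        for switch in frame_path(src, dst)
        if switch in filter_on
    )


if __name__ == "__main__":
    dist_only = {"dist-1", "dist-2"}  # where the thread applies the filter
    for dst in ("172.24.22.11", "172.24.22.20", "172.24.10.5", "203.0.113.10"):
        print(f"172.24.22.10 -> {dst}: path={frame_path('172.24.22.10', dst)} "
              f"delivered={delivered('172.24.22.10', dst, dist_only)}")
```

Under these assumptions the flow asked about, 172.24.22.10 to 172.24.22.11 on the same access switch, is bridged locally and never reaches the 4500s, so a filter applied only there never sees it; the model drops it only when `filter_on` also contains the access switch, which is what a VACL on the access switch itself would do (on a platform that supports VACLs). The model also surfaces a side effect of the posted ACE: because 172.24.22.0/24 lies inside 172.24.0.0/16, guest-to-guest traffic that does cross the distribution switch (two guests on different access switches) is dropped as well, while traffic to an outside address falls through to sequence 20 and is forwarded.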
