
VACL Assistance

Mar 30th, 2012

I am trying to allow hosts on a single switch to communicate with an iSCSI SAN, but block the hosts from communicating with each other. Can you tell me if the below configuration will work? All hosts and SAN NIC are in the same VLAN and host MACs are the SAN. Thanks in advance!


mac access-list extended SAN
permit any host 0025.9012.27d6
permit any host 0025.9015.712c
permit any host 0025.9012.22aa

vlan access-map permit 10
action forward
match macc address SAN

vlan access-map permit 20
action drop

vlan filter permit vlan-list 160

John Blakley Fri, 03/30/2012 - 09:42

Jason,


vlan access-map permit 10
action forward
match macc address SAN

vlan access-map permit 20
action drop


You don't really need the permit 20 line because VACLs deny by default if it doesn't match any of the permits. So the rest of the traffic that doesn't match your sequence 10 will be dropped. You'll need to change the 'macc' line to 'match mac address SAN'. Other than that I don't see any issues...


HTH,

John

Kyle McKay Fri, 03/30/2012 - 12:08

You have to be pretty careful using VACLs, as there are many things such as STP, ARP, HSRP, and other L2-based protocols that will also get blocked with your ACL. Also you need to remember that a VACL is not stateful; you would need to allow rules for bidirectional forwarding between the SAN and hosts.



To implement your solution it may be easier/ more scalable to use PVLANs.
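An added illustration of the non-stateful point in the reply above (not code from the original thread or from Cisco): a small Python model of how a VLAN access map evaluates frames against the posted MAC access list, with the SAN MACs taken from the question and the host MACs and frame samples constructed for the example.

```python
# Added example (not from the thread): toy model of VACL evaluation for the
# "permit any host <SAN MAC>" list posted in the question, showing which
# directions of a host-to-SAN session it actually forwards.
SAN_MACS = ["0025.9012.27d6", "0025.9015.712c", "0025.9012.22aa"]  # from the post
HOST_A, HOST_B = "0011.2233.4401", "0011.2233.4402"  # constructed host MACs
BROADCAST = "ffff.ffff.ffff"  # destination of an ARP request


def acl_san_as_posted():
    """mac access-list extended SAN: three 'permit any host <SAN MAC>' lines.
    Each entry is (src, dst); None stands for the 'any' keyword."""
    return [(None, mac) for mac in SAN_MACS]


def acl_san_bidirectional():
    """Same list plus the reverse direction, 'permit host <SAN MAC> any',
    which is needed because a VACL does not track sessions."""
    return acl_san_as_posted() + [(mac, None) for mac in SAN_MACS]


def vacl_action(src, dst, acl):
    """Sequence 10 forwards on the first matching entry; any frame matching
    nothing is dropped by the implicit deny at the end of the access map."""
    for acl_src, acl_dst in acl:
        if acl_src in (None, src) and acl_dst in (None, dst):
            return "forward"
    return "drop"


def evaluate(acl):
    """Outcome for the frame types an iSCSI session between a host and the
    SAN depends on, plus a host-to-host frame that should be blocked."""
    return {
        "host->san": vacl_action(HOST_A, SAN_MACS[0], acl),
        "san->host": vacl_action(SAN_MACS[0], HOST_A, acl),
        "host->host": vacl_action(HOST_A, HOST_B, acl),
        "host arp broadcast": vacl_action(HOST_A, BROADCAST, acl),
    }


if __name__ == "__main__":
    for name, acl in [("as posted", acl_san_as_posted()),
                      ("bidirectional", acl_san_bidirectional())]:
        print(name, evaluate(acl))
```

The posted list forwards host-to-SAN frames but drops the SAN's replies; adding the reverse entries fixes that, yet both lists still drop the host's ARP broadcast, which is the kind of L2 traffic the reply warns about.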

Karthik Kumar T... Fri, 03/30/2012 - 15:25

Hi,


Another alternative to achieve your implementation without a VACL: configure each port on the switch that is in the same VLAN to be protected. Since it is one switch, it should be easier to implement.

switchport protected
