vlan access-map confusion

Answered Question
Aug 23rd, 2013

Hi all,


I have the following scenario:


3560-switch -------------------------------- 2960-Switch----------------vlan 2------------2 hosts (10.1.10.1 and 10.1.10.2)


Now, for the sake of understanding, I want to block all traffic between both hosts in VLAN 2. For this purpose I will use a VACL (VLAN access-map), and I will configure it on the 3560 switch (not the 2960). My question is: will it block the traffic or not? I mean, the traffic between 10.1.10.1 and 10.1.10.2 never reaches the 3560, so am I safe to assume that the VACL won't work in this case?

Correct Answer by John Blakley about 3 years 12 months ago

I don't believe the traffic will leave the 2960 switch, so the VACL isn't going to help on the 3560. The CAM table on the 2960 will have the two associated ports and the MAC addresses on those ports, so all traffic between the two hosts should stay local.



HTH,
John

*** Please rate all useful posts ***

Correct Answer by Peter Paluch about 3 years 12 months ago

Hi John,


Your assumption is correct - the VACL placed on the 3560 switch will have no effect. VACLs are effective only on the switch where they are configured and applied. As 10.1.10.1 and 10.1.10.2 are connected to the 2960, their mutual communication will be handled by the 2960 alone (the traffic has no reason to go to the 3560 and back), and thus the VACL on the 3560 will never see the corresponding packets - so it cannot act on them.


For your information, VACLs also appear to be working on the 2960 with recent IOS versions, although they do not appear to be officially supported. Nevertheless, the commands are there and, as far as we have tested them, they appear to work just fine.


Best regards,

Peter
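As an added example (not part of either answer above), here is what the VACL from the question looks like when placed on the switch that actually forwards the frames, the 2960, rather than the 3560. The ACL and access-map names are my own; Peter notes in his reply that VACL support on the 2960 is not official, so test on your IOS version before relying on it.

```cisco
! Extended ACL naming the traffic to drop. Both directions are listed
! because a VACL is stateless and is evaluated against every frame in the VLAN.
ip access-list extended HOST-TO-HOST
 permit ip host 10.1.10.1 host 10.1.10.2
 permit ip host 10.1.10.2 host 10.1.10.1
!
! Sequence 10: frames matching the ACL are dropped.
vlan access-map BLOCK-HOSTS 10
 match ip address HOST-TO-HOST
 action drop
!
! Sequence 20: everything else in the VLAN is forwarded. Without this clause
! the access-map's implicit deny would drop all other VLAN 2 traffic too.
vlan access-map BLOCK-HOSTS 20
 action forward
!
! Bind the map to VLAN 2 on this switch. The same lines on the 3560 would
! never match, because the 2960 switches these frames locally via its CAM table.
vlan filter BLOCK-HOSTS vlan-list 2
!
! Verification:
! show vlan access-map BLOCK-HOSTS
! show vlan filter
```

Applied on the 2960, the two hosts lose IP connectivity with each other while the rest of VLAN 2 is unaffected; applied on the 3560, nothing changes, which is exactly the behaviour both answers describe.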
