Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
400
Views
0
Helpful
2
Replies

vlan access-map confusion

Go to solution
Jonn cos
Level 4
Level 4

‎08-23-2013 03:09 AM - edited ‎03-07-2019 03:05 PM

Hi all,

i have following scenario

3560-switch -------------------------------- 2960-Switch----------------vlan 2------------2 hosts (10.1.10.1 and 10.1.10.2)

Now for the sake of understanding, i want to block all traffic between both hosts in vlan 2. For this purpose i will use VACL and vlan access-map and i will configure it on 3560 switch (not 2960). My question is, will it block the traffic or not ? i mean traffic between 10.1.10.1 and 10.1.10.2 is before reaching 3560 so am i safe to assume that VACL wont work in this case ?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎08-23-2013 04:47 AM

Hi John,

Your assumption is correct - the VACL placed on the 3560 switch will have no effect. VACLs are effective only on the switch where they are configured and applied. As the 10.1.10.1 and 10.1.10.2 are connected to the 2960, their mutual communication will be handled by the 2960 alone (the traffic has no reason to go to 3560 and back), and thus the VACL on the 3560 will never see the corresponding packets - so it can not act on them.

For your information, the VACLs appear to be working also on 2960 with recent IOS versions although they do not appear to be supported officially. Nevertheless, the commands are there and as far as we have tested them, they appear to work just fine.

Best regards,

Peter

View solution in original post

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni

‎08-23-2013 04:50 AM

I don't believe the traffic will leave the 2960 switch, so the vacl isn't going to help on the 3560. The cam table on the 2960 will have the two associated ports and mac addresses on those ports, so all traffic between the two hosts should stay local.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎08-23-2013 04:47 AM

Hi John,

Your assumption is correct - the VACL placed on the 3560 switch will have no effect. VACLs are effective only on the switch where they are configured and applied. As the 10.1.10.1 and 10.1.10.2 are connected to the 2960, their mutual communication will be handled by the 2960 alone (the traffic has no reason to go to 3560 and back), and thus the VACL on the 3560 will never see the corresponding packets - so it can not act on them.

For your information, the VACLs appear to be working also on 2960 with recent IOS versions although they do not appear to be supported officially. Nevertheless, the commands are there and as far as we have tested them, they appear to work just fine.

Best regards,

Peter

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni

‎08-23-2013 04:50 AM

I don't believe the traffic will leave the 2960 switch, so the vacl isn't going to help on the 3560. The cam table on the 2960 will have the two associated ports and mac addresses on those ports, so all traffic between the two hosts should stay local.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card