Cisco Support Community
New Member

Access lists on vlans

Hi all, can anyone tell me the correct way to permit traffic in and out of my L3 vlans? Would I just apply the ACL to the vlan? When would I use a VACL? Is this just to filter L2 traffic?

9 REPLIES
Hall of Fame Super Blue

Re: Access lists on vlans

Carl

"Hi all, can anyone tell me the correct way to permit traffic in and out of my L3 vlans?"

Using L3 acls (RACL) on the vlan interfaces.

"when would I use a VACL, is this just to filter L2 traffic ?"

Primarily yes. VACLs filter within a vlan, RACLs filter between vlans.

I thought you had passed CCNA a while back in which case you should probably know this sort of stuff. If this is a generic account ie. different people using the same username to post questions then it would help if each had their own account as we get used to the level of knowledge regular posters have and can therefore pitch the answer at the right level.

No criticism intended, just trying to be helpful.

Jon

Blue

Re: Access lists on vlans

Jon:

I commented on "Carl" a while ago, too. It's the same person -- all the posts start with "Hi, all". Either it's the same person or a bot. Either way, the basic questions pour in yet credit for help given is never offered.

Hall of Fame Super Blue

Re: Access lists on vlans

Hi Victor

I suspect it's a multi-user account, although I never thought of a bot to be honest :-), because the same questions are asked multiple times. If you did a search you could probably find this question asked in a similar format by Carl previously.

It's a shame because while we all like to help people I find myself often not bothering to answer these questions because I suspect the answer is not really being listened to.

Jon

Bronze

Re: Access lists on vlans

I agree with what Jon posted, with the exception of the VACL. A VACL can be used to block Layer 3 traffic.

For instance, let's say I have a PC in VLAN 100, and I only want that PC to talk to my datacenter and the internet, and none of the other PCs on VLAN 100. Instead of creating a special subnet and a special VLAN for just this one PC (there are limits to the number of spanning-tree instances you can have, and with PVST every VLAN is a spanning-tree instance), I could use a VACL to filter layer 3 traffic. The other option would be to use private VLANs, but then I would not be able to use voice VLANs.

I actually have something similar on my network for PCI compliance: I separate my point-of-sale systems from all other network devices without creating additional VLANs and subnets. It was easier than redesigning my VLAN / subnet scheme.

HTH,

Craig

New Member

Re: Access lists on vlans

Craig,

Did you consider using 'switchport protected' to isolate the POS systems?

Aaron

Bronze

Re: Access lists on vlans

We considered protected ports briefly, but because that only protects at layer 2, it was also not a suitable solution; we needed to isolate the devices from all devices except what we intended them to talk to.

Hall of Fame Super Blue

Re: Access lists on vlans

Craig

Ahh, I think I understand now. You didn't just want to limit which remote destinations the PC could talk to but also limit the local destinations the PC could talk to. Local in this sense meaning within the same vlan?

Jon

Bronze

Re: Access lists on vlans

Yup, that's exactly it.

Craig

Hall of Fame Super Blue

Re: Access lists on vlans

Craig

"agree with what Jon posted, with the exception of the VACL. A VACL can be used to block Layer 3 traffic"

Agreed. I didn't mean to suggest a VACL couldn't be used that way, just that the commonest use of a VACL was to block intra-vlan traffic.

"let's say I have a PC in VLAN 100, and I only want that PC to talk to my datacenter and the internet, and none of the other PC's on VLAN 100. Instead of creating a special subnet and a special VLAN for just this"

Not sure I follow this. Why could you not just use a RACL on the vlan 100 interface to allow this particular PC and then block the others? Perhaps I'm not understanding.

Jon
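The two mechanisms the thread contrasts, as an added configuration example that is not part of the original thread: Jon's RACL on the SVI filters routed traffic between VLANs, while Craig's VACL filters traffic inside VLAN 100, which is switched at layer 2 and never crosses the SVI, so a RACL alone cannot isolate one host from its neighbours. All addresses and names are constructed, and the syntax assumes a Catalyst multilayer switch running IOS with VACL support.

```cisco
! --- Inter-VLAN filtering (Jon's answer): RACL on the SVI ---
! Constructed addressing: VLAN 100 = 10.100.0.0/24, VLAN 200 = 10.200.0.0/24.
! Routed traffic from VLAN 100 may reach everything except the VLAN 200 subnet.
! Traffic between two hosts in VLAN 100 is bridged and never hits this ACL.
ip access-list extended VLAN100-IN
 remark deny VLAN 100 -> VLAN 200, permit datacenter and internet
 deny   ip 10.100.0.0 0.0.0.255 10.200.0.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 any
!
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
 ip access-group VLAN100-IN in
!
! --- Intra-VLAN isolation (Craig's case): VACL on VLAN 100 ---
! Constructed host 10.100.0.50 may talk to its gateway (the SVI) and to any
! routed destination, but not to other hosts in 10.100.0.0/24.
ip access-list extended POS-TO-GATEWAY
 permit ip host 10.100.0.50 host 10.100.0.1
 permit ip host 10.100.0.1 host 10.100.0.50
!
ip access-list extended POS-TO-LOCAL
 permit ip host 10.100.0.50 10.100.0.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 host 10.100.0.50
!
! Entries are evaluated in sequence order; the first match decides.
vlan access-map VLAN100-ISOLATE 10
 match ip address POS-TO-GATEWAY
 action forward
vlan access-map VLAN100-ISOLATE 20
 match ip address POS-TO-LOCAL
 action drop
vlan access-map VLAN100-ISOLATE 30
 action forward
! Entry 30 has no match clause and forwards all remaining IP traffic, including
! the host's routed flows to the datacenter and internet. Without it, IP packets
! not matched by entries 10 or 20 would be dropped by the VACL's implicit drop.
!
vlan filter VLAN100-ISOLATE vlan-list 100
```

The VACL is applied to all traffic bridged within or routed into VLAN 100, so the isolated host keeps its gateway and remote reachability while its neighbours in the same subnet can no longer reach it directly.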
