04-23-2012 07:21 PM - edited 03-07-2019 06:18 AM
Hello Experts...
I was reading about VACLs, where I understand we can use a VACL to permit/deny the traffic on a particular VLAN. I have some concerns stated below, so please answer them:
There is something that I am missing from an understanding point of view, and I need your remarks so that things can be polished.
Thanks...!!
04-24-2012 03:38 AM
VACLs are used to restrict traffic within or out of a VLAN, but ACLs can only control what's routed between VLANs.
For example, if you had 2 vlans: vlan 10 and vlan 20
int vlan 10
ip address 192.168.10.1 255.255.255.0
int vlan 20
ip address 192.168.20.1 255.255.255.0
With an acl, you can block traffic from a host in vlan 10 going to vlan 20:
ip access-list ext No20
deny ip host 192.168.10.50 host 192.168.20.50
permit ip any any
You wouldn't be able to control a host from vlan 10 communicating to another host in vlan 10:
(This wouldn't work without a vacl)
ip access-list ext No10
deny ip host 192.168.10.50 host 192.168.10.75
permit ip any any
It would still be able to communicate unless you used vacls.
John
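The answer shows the router ACL but not the VACL that would actually do the intra-VLAN block. As an added example (not John's configuration), assuming a Catalyst switch that supports vlan access-maps, this is the router ACL from the answer applied to the SVI next to a VACL that drops the 192.168.10.50 / 192.168.10.75 traffic inside VLAN 10:

```cisco
! Router ACL from the answer, applied to the SVI. It only sees traffic that is
! routed in or out of VLAN 10; frames switched between two VLAN 10 hosts never reach it.
ip access-list extended No20
 deny   ip host 192.168.10.50 host 192.168.20.50
 permit ip any any
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group No20 in
!
! VACL: the ACL here only *selects* traffic. "permit" means "this entry matches";
! the access-map action decides what happens to matched packets.
ip access-list extended INTRA10
 permit ip host 192.168.10.50 host 192.168.10.75
 permit ip host 192.168.10.75 host 192.168.10.50
!
vlan access-map NO10 10
 match ip address INTRA10
 action drop
! Sequence 20 has no match clause, so it matches everything else and forwards it.
vlan access-map NO10 20
 action forward
!
! Bind the map to VLAN 10. The filter is applied to all traffic in the VLAN,
! bridged or routed, so the two hosts can no longer reach each other.
vlan filter NO10 vlan-list 10
```

`show vlan access-map` and `show vlan filter` confirm the map contents and which VLANs it is bound to.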
04-23-2012 07:35 PM
Hi,
Have a look at the config guide (link below). It goes over VACL, ACL, the difference, where and how they are used and deployed:
HTH
04-23-2012 10:13 PM
Can someone refer an example, if possible. It would be better to understand the scenario. Thanks.
04-24-2012 12:09 AM
04-24-2012 12:52 AM
I have no problem with the configuration... I need to understand the benefits of using a VACL even when the requirement can be met by using access lists. Is a VACL based on L2 switches? Please provide an example for better understanding. Thanks.
04-26-2012 12:36 AM
Thanks John... I appreciate your valuable response... you are great.