Solved: VACL on Switch

ray_stone · ‎04-23-2012

Hello Experts...

I was reading about VACL where I understand we can use VACL to permit/deny the traffic on particlular V-LAN. I have some concerns stated below so please answer them:

On L3 Switch, we can assign the IP Address to V-LAN (Suppose the V-LAN ID is 10 and IP Address is 192.168.1.1/24) then automatically the machines traffic which have different IP assigned except the IP 192.168.1.x/24 can not be allow by the interface so why we should use the VACL if the requirement is still completing by assigning the IP Address to V-LAN ID.
As I know, we can use the standard and extended access lists on all the switche models of Cisco so again my question is as to why we should VACL.

There is something that I am missing in understanding point of view and need your remarks so that the things to be polished.

Thanks...!!

John Blakley · ‎04-24-2012

VACLs are used to restrict traffic within or out of a vlan, but acls can only control what's routed between vlans.

For example, if you had 2 vlans: vlan 10 and vlan 20

int vlan 10

ip address 192.168.10.1 255.255.255.0

int vlan 20

ip address 192.168.20.1 255.255.255.0

With an acl, you can block traffic from a host in vlan 10 going to vlan 20:

ip access-list ext No20

deny ip host 192.168.10.50 host 192.168.20.50

permit ip any any

You wouldn't be able to control a host from vlan 10 communicating to another host in vlan 10:

(This wouldn't work without a vacl)

ip access-list ext No10

deny ip host 192.168.10.50 host 192.168.10.75

permit ip host any any

It would still be able to communicate unless you used vacls.

John

HTH, John *** Please rate all useful posts ***

View solution in original post

Reza Sharifi · ‎04-23-2012

Hi,

Have a look at the config guide (link below). It goes over VACL, ACL, the difference, where and how they are used and deployed:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html

HTH

ray_stone · ‎04-23-2012

Can someone refer an example, if possible. It would be better to understand the scenario. Thanks.

ohassairi · ‎04-24-2012

example:

http://hassairi.50megs.com/sw.html#vacl

ray_stone · ‎04-24-2012

Have no problem in configuration... need to understand the benefits of using VACL even the requirment can be completed by using the access lists.. Is VACL based on L2 switches???? Please provide an example for better understanding. Thanks.

John Blakley · ‎04-24-2012