07-21-2012 04:33 PM - edited 03-07-2019 07:53 AM
Hi everybody.
How is everyone doing?
h1----------sw1-----trunk-----sw2----h2
h1----199.199.199.1/24
h2----199.199.199.2/24
Both h1 and h2 are in the same VLAN (VLAN 2).
We want to stop h1 from reaching h2 using a VACL.
We configure sw1 as:
Sw1(config)# ip access-list extended local-17
permit ip host 199.199.199.1 host 199.199.199.2
switch(config)# vlan access-map block-17 10
match ip address local-17
action drop
Switch(config)# vlan filter block-17 vlan-list 2
======================================
Will the above config on sw1 prevent h1 from reaching h2, considering that h1 and h2 are located on different switches?
thanks and have a great weekend.
07-21-2012 05:01 PM
Hi Sarah,
According to the config guide you would need to apply it to the switch that has an SVI configured (layer-3).
VACLs applied to VLANs are active only for VLANs with a Layer 3 VLAN interface configured.
Applying a VLAN access map to a VLAN without a Layer 3 VLAN interface creates an
administratively down Layer 3 VLAN interface to support the VLAN access map.
Here is the link:
HTH
07-21-2012 05:40 PM
Thanks Reza .
VACLs applied to VLANs are active only for VLANs with a Layer 3 VLAN interface configured.
Applying a VLAN access map to a VLAN without a Layer 3 VLAN interface creates an
administratively down Layer 3 VLAN interface to support the VLAN access map.
It means we can only use vacl on multilayer switch with svi configured for the vlan.
h1------sw2--trunk------sw3--------h2
If sw3 is a layer 3 switch and has int vlan 2 in "up and up" status, only then can we configure the VACL, and that has to be on the switch configured with the layer 3 SVI for the VLAN.
But if above is true, then consider the following case:
h1----------------sw1--------trunk-------sw3(multilayer switch)------Rest of the network
                   |
                  h2
Sw1 is layer 2 switch, h1 and h2 are in vlan 2, Sw3 is configured with int vlan 2.
According to the link we must configure vacl on sw3 because that is the switch with active svi for vlan 2.
Now if we want to restrict traffic from h1 to h2, we will not be able to do it. My understanding is that since the VACL is configured on sw3, sw2 has no idea that traffic from h1 needs to be dropped. Consequently, sw2 simply forwards the frame from h1 to h2. The VACL is completely bypassed.
I appreciate your help and as always your impressive input.
thanks and have a great weekend.
07-21-2012 07:42 PM
Hi Sarah,
In this case you can use a MAC access list and apply it to sw1.
Here is an example:
mac access-list extended test
 ! permit = "this frame matches the map sequence"; a deny ACE would mean no match
 permit host 1102.8765.0ab0 host 1102.8765.1234
vlan access-map test 10
 action drop
 match mac address test
vlan access-map test 20
 ! sequence with no match clause: forwards everything else (unmatched frames are otherwise dropped)
 action forward
vlan filter test vlan-list 50
In this case we are using vlan 50.
HTH
07-21-2012 08:27 PM
Thanks Reza
However, I just want to confirm my understanding based on your link and discussion.
The VACL should be configured on the multilayer switch which has the corresponding SVI for the VLAN in up and up status.
thanks and have a great weekend.
07-23-2012 12:00 PM
Hi Reza.
Does a VACL require that the source and destination be connected to the same switch on which the VACL is configured?
for example:
h1--access link --sw1---trunk-----SW2(multilayer switch)----trunk--------------Sw3---access link --h2
We want to stop traffic from h1 to h2 using a VACL.
We configure the VACL on sw2, which has the SVI in up and up status.
But the destination h2 is not connected to sw2. Can we still configure a VACL to stop traffic from h1 to h2, considering h2 is not directly connected to sw2?
thanks and have a nice week.
07-23-2012 07:06 PM
Hi Sarah,
A VACL can be based on source/destination IP or MAC address. In this case, you can apply the VACL on switch 2 and deny traffic coming from h1 to h2 or vice versa.
Here is a good doc on VACLs with an explanation and an example showing how you deny traffic within the same VLAN.
http://blog.ine.com/2009/08/10/vlan-access-control-lists-vacls-tiers-1/
HTH
Reza
07-23-2012 08:05 PM
thanks Reza
A few questions about the order of execution of match and action statements within a VLAN access map.
Is the match statement always executed before the action in a VLAN access map? For example, in the forwarded link I was reading, I noticed the following order:
SW2(config-ext-nacl)#vlan access-map VACL_STOPTELNET
SW2(config-access-map)#action drop
SW2(config-access-map)#match ip address ACL_TELNETR1_R2
Above, the "action" statement precedes the "match" statement, but the "match" statement is still executed first. I want to confirm if this is the case.
The second thing I noticed: if only an action statement is listed, it will be executed, i.e. an action statement does not require that a match statement be present.
Below is the config from the article you forwarded. Here (below) only an action statement is listed without any match statement.
I just want to confirm that.
SW2(config-access-map)#vlan access-map VACL_STOPTELNET
SW2(config-access-map)#action forward
SW2(config-access-map)#exit
thanks and have a nice week.
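An added example, not from the thread, the INE article, or Cisco: a small Python model of how a Catalyst VLAN access map is evaluated, covering the ordering questions above (action typed before match, a sequence with only an action) and showing why the block-17 map from the first post needs a trailing forward sequence and only blocks one direction. It assumes the documented Catalyst behaviour (sequences tried in ascending number, an ACL permit means "match", a sequence without a match clause matches everything, a packet matching no sequence is dropped); the third host 199.199.199.3 is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:            # one access-list entry: permit/deny <src> <dst>
    permit: bool
    src: str
    dst: str

@dataclass
class Seq:            # one "vlan access-map NAME <number>" block
    number: int
    action: str                       # "drop" or "forward"
    match_acl: Optional[str] = None   # None: no match clause, so it matches everything

def acl_matches(acl, src, dst):
    """True if the ACL selects this packet for the map sequence.
    A permit ACE selects it, a deny ACE explicitly does not, and the
    implicit deny at the end of every ACL means 'not selected'."""
    for ace in acl:
        if ace.src in (src, "any") and ace.dst in (dst, "any"):
            return ace.permit
    return False

def vacl_decide(seqs, acls, src, dst):
    """Evaluate sequences in ascending number; the first matching one wins.
    Whether 'action' or 'match' was typed first inside a sequence is
    irrelevant. A packet matching no sequence is dropped (VLAN-map default)."""
    for seq in sorted(seqs, key=lambda s: s.number):
        if seq.match_acl is None or acl_matches(acls[seq.match_acl], src, dst):
            return seq.action
    return "drop"

H1, H2, H3 = "199.199.199.1", "199.199.199.2", "199.199.199.3"  # H3 is constructed
ACLS = {"local-17": [Ace(True, H1, H2)]}

# The thread's block-17 map exactly as posted: one drop sequence, no forward.
BLOCK_17 = [Seq(10, "drop", "local-17")]
# Same map with the usual trailing "vlan access-map block-17 20 / action forward".
BLOCK_17_FIXED = BLOCK_17 + [Seq(20, "forward")]

def demo():
    return {
        "h1->h2 as posted": vacl_decide(BLOCK_17, ACLS, H1, H2),    # drop
        "h1->h3 as posted": vacl_decide(BLOCK_17, ACLS, H1, H3),    # drop: implicit deny
        "h1->h2 fixed": vacl_decide(BLOCK_17_FIXED, ACLS, H1, H2),  # drop
        "h1->h3 fixed": vacl_decide(BLOCK_17_FIXED, ACLS, H1, H3),  # forward
        "h2->h1 fixed": vacl_decide(BLOCK_17_FIXED, ACLS, H2, H1),  # forward: ACL is one-way
    }
```

The last entry is the caveat to check on a real switch: the ACL permits only h1 to h2, so h2 to h1 still passes unless a reverse ACE is added.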