Cisco Support Community

VACL to limit communication between devices in same VLAN?

hi,

Could I use a VACL to deny two devices in the same VLAN and connected to the same switch (65000) from communicating with each other, and permit communication between all other devices in that VLAN?

Thanks

Darren

Accepted solution

Re: VACL to limit communication between devices in same VLAN?

darrenriley5 wrote:

hi,

Could I use a VACL to deny two devices in the same VLAN and connected to the same switch (65000) from communicating with each other, and permit communication between all other devices in that VLAN?

Thanks

Darren

! ACL 101 selects the two hosts. In a VLAN access-map only the ACL's permit
! entries are matched by the map sequence; a deny entry means "not matched" and
! the packet falls through to the next sequence. The pair therefore has to be
! PERMITTED here so that "action drop" in sequence 10 applies to it.
access-list 101 permit ip host 192.168.5.10 host 192.168.5.11
access-list 101 permit ip host 192.168.5.11 host 192.168.5.10
! ACL 102 selects everything else in the VLAN.
access-list 102 permit ip any any
vlan access-map vfilter 10
 match ip address 101
 action drop
vlan access-map vfilter 20
 match ip address 102
 action forward
! The map does nothing until it is applied to the VLAN. The VLAN id is not given
! in the question; 5 below is a placeholder, replace it with the hosts' VLAN.
vlan filter vfilter vlan-list 5

Jon

2 REPLIES

Re: VACL to limit communication between devices in same VLAN?

Hi

A VLAN ACL is not the same as an access list.

A VLAN ACL is not associated with any interface, and its behaviour is different from that of an access list.

A VLAN ACL can drop traffic that passes through the switch, and a further sequence in the same map can pass the rest of the traffic.

We can't create an ACL that says permit 2 users and deny 10 users. It won't work. You have to define which users should be dropped.

So, to work properly, you should define the correct access list.

It is the same as a route-map, where you match the access list and define whether that traffic will be dropped, forwarded or redirected.

For more detail you can refer to the link below:

http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_vlanacls.pdf

Regards

Chetan Kumar
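The evaluation behaviour Chetan describes, and the reason the selector ACL in a VLAN access-map has to permit the hosts that are to be dropped, as an added example that is not part of the thread. It is a small Python model, not Cisco code, and it assumes the documented rules for VLAN access-maps: sequences are tried in order, a sequence matches only the traffic its ACL permits, an ACL deny or a no-match falls through to the next sequence, and a packet that matches no sequence of a map containing IP match clauses is dropped. The two hosts are the thread's 192.168.5.10 and 192.168.5.11; 192.168.5.20 is a constructed third host standing in for "everyone else".

```python
"""Toy model of VLAN access-map (VACL) evaluation next to interface-ACL semantics.

Added example, not from the thread. Rules modelled (assumed from Cisco's VACL
documentation): a map sequence matches only traffic its ACL *permits*; an ACL
deny or no-match falls through to the next sequence; a packet matching no
sequence of a map that has IP match clauses is dropped.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Action = str  # "forward" or "drop" (redirect is left out for brevity)


@dataclass(frozen=True)
class AclEntry:
    """One access-list line. A src/dst of None means 'any'."""
    permit: bool
    src: Optional[str]
    dst: Optional[str]

    def matches(self, src: str, dst: str) -> bool:
        return (self.src in (None, src)) and (self.dst in (None, dst))


def acl_result(acl: List[AclEntry], src: str, dst: str) -> Optional[str]:
    """First-match lookup: 'permit', 'deny', or None for the implicit deny at the end."""
    for entry in acl:
        if entry.matches(src, dst):
            return "permit" if entry.permit else "deny"
    return None


def interface_acl(acl: List[AclEntry], src: str, dst: str) -> Action:
    """Interface ACL: a permit forwards; a deny or the implicit deny drops."""
    return "forward" if acl_result(acl, src, dst) == "permit" else "drop"


def vacl(access_map: List[Tuple[List[AclEntry], Action]], src: str, dst: str) -> Action:
    """VLAN access-map: sequences in order; only the ACL's permits select traffic."""
    for acl, action in access_map:
        if acl_result(acl, src, dst) == "permit":
            return action
    return "drop"  # implicit drop once the map has at least one IP match clause


# Hosts from the thread; 192.168.5.20 is a constructed third host.
H1, H2, OTHER = "192.168.5.10", "192.168.5.11", "192.168.5.20"
FLOWS = [(H1, H2), (H2, H1), (H1, OTHER), (OTHER, H2)]

ACL_ANY = [AclEntry(True, None, None)]  # access-list 102 permit ip any any

# Interface-ACL habit: the pair written as deny lines. In a VACL these select nothing.
ACL101_DENY = [AclEntry(False, H1, H2), AclEntry(False, H2, H1)]
MAP_WITH_DENY_LINES = [(ACL101_DENY, "drop"), (ACL_ANY, "forward")]

# VACL way: the pair is PERMITTED by the selector ACL so that "action drop" applies to it.
ACL101_PERMIT = [AclEntry(True, H1, H2), AclEntry(True, H2, H1)]
MAP_WITH_PERMIT_LINES = [(ACL101_PERMIT, "drop"), (ACL_ANY, "forward")]


def evaluate_map(access_map: List[Tuple[List[AclEntry], Action]]) -> Dict[Tuple[str, str], Action]:
    """Action the map takes for each sample flow."""
    return {flow: vacl(access_map, *flow) for flow in FLOWS}


def pair_is_isolated(access_map: List[Tuple[List[AclEntry], Action]]) -> bool:
    """True only if both directions between H1 and H2 drop while the other flows still forward."""
    r = evaluate_map(access_map)
    return (r[(H1, H2)] == r[(H2, H1)] == "drop"
            and r[(H1, OTHER)] == r[(OTHER, H2)] == "forward")


if __name__ == "__main__":
    for name, m in [("deny-style selector", MAP_WITH_DENY_LINES),
                    ("permit-style selector", MAP_WITH_PERMIT_LINES)]:
        print(name, evaluate_map(m), "isolated:", pair_is_isolated(m))
```

Running it shows why the distinction matters for segmentation: the deny-style selector forwards every flow, including the two hosts that were meant to be blocked (the filter fails open with no error from the switch), while the same deny lines followed by a permit any would work as an interface ACL. The permit-style selector drops only the pair. Dropping the catch-all sequence 20 altogether turns the map into a drop of all IP traffic in the VLAN, which is the implicit-drop behaviour Chetan alludes to.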
