Cisco Support Community
Bronze

vlan access list

Hi everybody.

Host h1 and host h2 are in the same VLAN, say VLAN 5. We must use a VLAN access list to stop any communication between h1 and h2, considering the fact that the source h1 and the destination h2 are located off different switches.

h1---------sw1-trunk----sw2---trunk--sw3----h2

h1  199.199.199.1

h2  199.199.199.2

============================================

A VLAN access list requires a VLAN access-map to be configured. A VLAN access-map consists of match and action statements.

Consider the following statement/command:

Switch(config-access-map)# action { drop | forward [capture] | redirect TYPE MOD/NUM }

How does the "capture" option work?

thanks and have a nice week

7 REPLIES
VIP Super Bronze

vlan access list

Hi Sarah,

Are you looking at an older version of IOS? From a 3750 running 12.2(52), I only see drop and forward. Have a look:

Switch(config-access-map)#action ?
  drop     Drop packets
  forward  Forward packets
Switch(config-access-map)#action

HTH

Silver

vlan access list

I see the redirect option on my 6509:

6509(config-access-map)#action ?
  drop      Drop packets
  forward   Forward packets
  redirect  Redirect packets

Siddhartha
VIP Super Bronze

vlan access list

What version of IOS are you running?

Silver

Re: vlan access list

s72033-advipservicesk9_wan-mz.122-33.SXJ2.bin

It seems like by using redirect we can send traffic to different physical interfaces based on matching criteria, but I don't see the capture option in my output.

The link below gives an example of the capture option.

You can use a VACL to capture certain traffic (based on access-list matching criteria) and forward it to an IDS or IPS for monitoring.

http://voices.yahoo.com/overcoming-limitations-cisco-span-vacls-4896488.html

Siddhartha
VIP Super Bronze

vlan access list

Thanks,

So, looking at this link, it appears that both capture and redirect were part of an older IOS version and now the capture is removed and redirect is still there.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/command/reference/chap2a.pdf

Bronze

vlan access list

Thanks, Reza and siddhartham.

If we have to block communication between two hosts in the same VLAN using a VLAN access list, should they be located off the same switch, or could they be located off different switches?

thanks

VIP Super Bronze

vlan access list

Hi Sarah,

The filtering is based on the IP address of the host, so they could be on different switches. One other way to do this is by using private VLANs and putting the hosts in isolated mode, so they can't communicate with each other.

Here is a link for reference:

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml

Thanks,

Reza
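Here is an added configuration example, not taken from this thread or from Cisco's documentation, that ties together the match/action structure described in the original question and Reza's point that a VACL filters by IP address rather than by port. It assumes VLAN 5 and the two host addresses from the question; the ACL name BLOCK-H1-H2 and the access-map name VLAN5-FILTER are made up for illustration.

```cisco
! Added example configuration; not from this thread.
! Assumes VLAN 5, h1 = 199.199.199.1 and h2 = 199.199.199.2 (from the question).
! The names BLOCK-H1-H2 and VLAN5-FILTER are hypothetical.
!
! Step 1: an extended ACL that identifies the traffic to act on.
! Inside a VACL, "permit" in the ACL means "this packet matches the clause";
! the ACL itself neither permits nor denies anything. Both directions are listed.
ip access-list extended BLOCK-H1-H2
 permit ip host 199.199.199.1 host 199.199.199.2
 permit ip host 199.199.199.2 host 199.199.199.1
!
! Step 2: the access-map. Sequences are evaluated in order and the first
! sequence whose match clause hits decides the action.
vlan access-map VLAN5-FILTER 10
 match ip address BLOCK-H1-H2
 action drop
!
! Step 3: a catch-all sequence with no match clause, which matches everything.
! Without it, packets that match no sequence are dropped, which would cut off
! every other host in VLAN 5, not just h1 and h2.
vlan access-map VLAN5-FILTER 20
 action forward
!
! Step 4: bind the map to the VLAN. Because the match is on IP addresses, the
! same filter is applied on each switch where the two hosts attach (sw1 and sw3
! in the diagram); h1 and h2 do not need to share a switch.
vlan filter VLAN5-FILTER vlan-list 5
!
! Verification: confirm the sequences and that the filter is bound to VLAN 5.
show vlan access-map VLAN5-FILTER
show vlan filter
```

Two caveats a practitioner should keep in mind. First, `match ip address` only covers IP packets, so non-IP frames such as ARP between h1 and h2 still pass; platforms that support `match mac address` with an extended MAC ACL can cover those too. Second, as the `action ?` output in this thread shows, the set of available actions differs by platform and IOS release, so check the map with `show vlan access-map` after entering it rather than assuming every keyword was accepted.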
