Cisco Support Community
Community Member

vlan access-map confusion

Hi all,

I have the following scenario:

3560-switch -------------------------------- 2960-Switch----------------vlan 2------------2 hosts (10.1.10.1 and 10.1.10.2)

Now, for the sake of understanding, I want to block all traffic between both hosts in VLAN 2. For this purpose I will use a VACL (vlan access-map), and I will configure it on the 3560 switch (not the 2960). My question is: will it block the traffic or not? I mean, traffic between 10.1.10.1 and 10.1.10.2 never reaches the 3560, so am I safe to assume that the VACL won't work in this case?

Accepted Solutions
Cisco Employee

vlan access-map confusion

Hi John,

Your assumption is correct - the VACL placed on the 3560 switch will have no effect. VACLs are effective only on the switch where they are configured and applied. As 10.1.10.1 and 10.1.10.2 are connected to the 2960, their mutual communication will be handled by the 2960 alone (the traffic has no reason to go to the 3560 and back), and thus the VACL on the 3560 will never see the corresponding packets - so it cannot act on them.

For your information, VACLs also appear to work on the 2960 with recent IOS versions, although they do not appear to be officially supported. Nevertheless, the commands are there, and as far as we have tested them, they appear to work just fine.

Best regards,

Peter

vlan access-map confusion

I don't believe the traffic will leave the 2960 switch, so the VACL isn't going to help on the 3560. The CAM table on the 2960 will have the two associated ports and the MAC addresses on those ports, so all traffic between the two hosts should stay local.

HTH,
John

*** Please rate all useful posts ***

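Both answers come down to the same point: a VACL only acts on frames that pass through the switch it is applied on, so for this scenario it has to live on the 2960, where the two hosts attach. The following configuration is an added example for this thread, not something either poster supplied; the ACL name BLOCK-HOSTS and the map name VLAN2-FILTER are assumed, and Peter's caveat about VACL support on the 2960 still applies.

```cisco
! Added example (not from the thread): a VACL on the 2960, the switch the two
! hosts actually connect to. Names BLOCK-HOSTS and VLAN2-FILTER are assumed.
!
! Step 1: an IP ACL that *matches* the traffic to be dropped. Inside a VACL,
! "permit" means "this packet matches the map entry", not "forward it".
ip access-list extended BLOCK-HOSTS
 permit ip host 10.1.10.1 host 10.1.10.2
 permit ip host 10.1.10.2 host 10.1.10.1
!
! Step 2: the access map. Sequence 10 drops matched packets. Sequence 20 has
! no match clause, so it matches everything else and forwards it; without it,
! every other packet in the VLAN would hit the implicit drop at the end of the map.
vlan access-map VLAN2-FILTER 10
 match ip address BLOCK-HOSTS
 action drop
vlan access-map VLAN2-FILTER 20
 action forward
!
! Step 3: bind the map to VLAN 2. A VACL is applied per VLAN, not per
! interface, and it acts on bridged traffic inside the VLAN, which is exactly
! the host-to-host traffic that never leaves this switch.
vlan filter VLAN2-FILTER vlan-list 2
```

To check the placement reasoning from John's reply before trusting the filter, run `show mac address-table vlan 2` on the 2960: both hosts' MAC addresses should appear on local access ports, which is why the 3560 never sees the frames. `show vlan access-map VLAN2-FILTER` and `show vlan filter` confirm the map contents and the VLAN binding. Two caveats a practitioner will want: an IP ACL in a VACL matches only IP packets, so the hosts' ARP exchanges (non-IP frames) still pass unless a separate sequence with a `mac access-list extended` is added; and if the real goal is simply to isolate hosts that share a VLAN, `switchport protected` on the two access ports is a simpler mechanism than a VACL on that platform.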