ip standard list, vacl and vlan 1

Hi everybody!

Please consider the following scenario:

router----------sw(L2)----vlan 1

VLAN 1 is using 172.172.0.0/16.

If I use a VLAN access list on "sw" denying any traffic from 172.172.0.0, will hosts in VLAN 1 be able to ping the router?

2) Can standard and extended access lists be applied to an SVI?

thanks a lot!

10 REPLIES

Re: ip standard list, vacl and vlan 1

Hi Sarah,

If the router is on a different subnet than VLAN 1, then an ACL applied under the SVI for VLAN 1 to deny traffic from the major network will deny VLAN 1 from pinging the router.

However, if the router is in VLAN 1, the ACL will obviously have no effect.

2) Can standard and extended access lists be applied to an SVI?

Yes, both are possible.

HTH

Lejoe
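
As an added illustration (not part of the original thread), here is Lejoe's answer written out as Catalyst IOS configuration. It assumes "sw" is a Layer 3 switch whose Vlan1 SVI is the gateway for 172.172.0.0/16; the SVI address 172.172.0.1 and the ACL names are assumptions, since the thread gives neither.

```ios
! Added example (not from the thread). Assumed: sw is a Layer 3 switch and
! its Vlan1 SVI, 172.172.0.1/16, is the gateway. ACL names are hypothetical.
!
! 1) Standard ACL: can only match on the source address.
ip access-list standard DENY-VLAN1-SRC
 deny   172.172.0.0 0.0.255.255
 permit any
!
! 2) Extended ACL: same intent, but can be narrowed by protocol/destination.
ip access-list extended DENY-VLAN1-ICMP
 deny   icmp 172.172.0.0 0.0.255.255 any
 permit ip any any
!
! Either list is applied to the SVI with ip access-group. Only one ACL per
! direction per interface, so choose one; the standard list is applied here.
interface Vlan1
 ip address 172.172.0.1 255.255.0.0
 ip access-group DENY-VLAN1-SRC in
!
! Effect: "in" on an SVI filters only packets that VLAN 1 hosts hand to the
! SVI for routing. A router on another subnet is reached through the SVI, so
! pings to it are dropped. A router with an address inside 172.172.0.0/16 is
! in VLAN 1 itself; frames to it are bridged at Layer 2 and never pass the
! SVI ACL, which is why it "has no effect" in that case.
```

To confirm which list is actually bound to the SVI, use "show ip interface vlan 1" (the "Inbound access list is" line) and watch the hit counters in "show ip access-lists" while a host in VLAN 1 pings a remote subnet. Note that denying the SVI's own subnet inbound, as in this exercise, blocks all routed traffic out of VLAN 1, not only the pings to the router.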

Re: ip standard list, vacl and vlan 1

Thanks Lejoe!

The book says a "VACL" is used to deny or permit traffic within a VLAN. Let's say we have a Layer 2 switch "sw". sw has VLAN 1 (1.1.1.0/24). That same switch is connected to the default gateway (1.1.1.2).

Host1 is in VLAN 1 (1.1.1.3). Now we configure the VACL on sw to deny any traffic from 1.1.1.0/24.

Host 1 wants to ping the gateway. Based on the book, this ping would not be successful because the VACL at the switch will deny the traffic from any host within the 1.1.0.0/16 subnet.

Is my concept correct?

One more question if you don't mind.

sw1----------sw2

Both are connected by a trunk. Both are Layer 2 switches. Both have VLAN 1. Now if I have to use a VACL to block some host in VLAN 1 from reaching some other hosts in the VLAN, where will this VACL be configured? sw1, sw2 or both?

Thanks a lot!

Re: ip standard list, vacl and vlan 1

Hi Sarah,

Yes, a VACL can filter traffic between hosts in the same VLAN; from a configuration point of view it is called a VLAN access map.

I was thinking of a normal ACL applied under the SVI.

HTH

Lejoe

Re: ip standard list, vacl and vlan 1

Thanks for your reply Lejoe!

Could you please help me with following:

sw1------sw2 (both are L2 switches, each with one VLAN, VLAN 1)

If I have to configure a VACL, which switch do I have to use? Can I configure it on either switch, or on both switches?

Thanks a lot!

Re: ip standard list, vacl and vlan 1

Hi Sarah,

Pick the switch that is closest to the source you would like to deny traffic from. It's always best to deny close to the source.

If you have a specific example, post it and I could provide sample config.

Lejoe

Re: ip standard list, vacl and vlan 1

I was trying to solve the book problem, which requires blocking the traffic from a certain IP block.

I was thinking I could use a standard access list and deny the traffic from the particular block. But I can also use a VACL to get the same result.

Thanks Lejoe!

Re: ip standard list, vacl and vlan 1

Hi Lejoe!

Based on your reply, I have one question.

Let's say two switches, sw1 and sw2, have only one VLAN, VLAN 1.

VLAN 1 is mapped to 192.192.192.0/24.

One host, h1, has 192.192.192.1 and is connected to sw1. Another host, h2 (192.192.192.3), is also connected to sw1.

One server has IP 192.192.192.2 and is connected to sw2.

It is required that no traffic from h1 should be able to reach the server.

Now if I configure the VACL on sw1, all traffic from h1 will be dropped; h1 cannot communicate with the server, but it cannot communicate with h2 either.

It means the VACL should be used on sw2, which has the server connected to it.

My reasoning is based on this: if I configure the VACL on sw2, there is no way switch sw1 knows about it, thus the VACL is locally significant. With the VACL configured on sw2, when sw1 receives the frame from h1, it forwards it out of the port connected to sw2. When sw2 receives the frame from h1, it checks it against the VACL and drops the frame.

What do you think?

Thanks a lot!

Re: ip standard list, vacl and vlan 1

Sarah,

"Now if I configure the VACL on sw1, all traffic from h1 will be dropped; h1 cannot communicate with the server, but it cannot communicate with h2 either."

It should only deny traffic between H1 and SW1, i.e. H1 should be able to communicate with other hosts in VLAN 1.

Lejoe

Re: ip standard list, vacl and vlan 1

Thanks for your reply.

Please consider the following scenario:

sw1----------sw2

h1 199.199.199.1

h2 199.199.199.2

s1(server) 199.199.199.3

h1 and h2 are connected to sw1, and s1 is connected to sw2.

sw1 and sw2 have one VLAN, VLAN 1.

It is required that h1 should not communicate with s1.

I understand I can use an extended access list to deny traffic between h1 and s1 using a VACL.

I just want to know, if I configure the following on sw2:

access-list 10 permit host 199.199.199.1
!
vlan access-map zee 20
 match ip address 10
 action drop
vlan access-map zee 30
 action forward
!
vlan filter zee vlan-list 1

Will h1 be able to communicate with h2?

My hunch is that it should, because the h1 frame is not forwarded to sw2, where the VACL exists.

Thanks a lot!

Re: ip standard list, vacl and vlan 1

Sarah,

Yes, of course; since this is applied on sw2 and h1 and h2 are on sw1, they both can communicate.

With the above VLAN-access map, H1 cannot access any other hosts in VLAN 1 on SW2 (including S1).

Lejoe
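
The two questions above (where to place the VACL, and whether a standard-ACL VACL on sw2 still lets h1 talk to h2) both come down to two properties of a VLAN access map: it is local to the switch it is configured on, and it matches whatever the referenced ACL matches, on every frame in the VLAN, regardless of direction. The following is an added example, not configuration from the thread, showing how to meet the actual requirement (h1 must not reach s1, everything else in VLAN 1 keeps working) on sw1, the switch nearest the source, as Lejoe recommends. It uses Sarah's addresses (h1 199.199.199.1, h2 199.199.199.2 on sw1; s1 199.199.199.3 on sw2, all in VLAN 1 over a trunk); the ACL and map names are hypothetical.

```ios
! Added example (not from the thread). Topology as in Sarah's post: h1
! 199.199.199.1 and h2 199.199.199.2 on sw1, s1 199.199.199.3 on sw2,
! all in VLAN 1 across a trunk. ACL and map names are hypothetical.
!
! Configured on sw1 only. A VACL is local to the switch it is applied on;
! sw2 learns nothing about it over the trunk.
!
! Extended ACL naming the one pair that must be separated. Inside a VLAN
! access map, "permit" means "this traffic matches the map entry"; the
! entry's action decides what happens to it. Both directions are listed so
! that s1 cannot open a session to h1 either (a VACL is not directional).
ip access-list extended H1-S1
 permit ip host 199.199.199.1 host 199.199.199.3
 permit ip host 199.199.199.3 host 199.199.199.1
!
vlan access-map BLOCK-H1-S1 10
 match ip address H1-S1
 action drop
!
! A frame that matches no entry of a VLAN access map is dropped, so this
! catch-all entry (no match clause, which matches everything) is what keeps
! the rest of VLAN 1, including h1 <-> h2, working.
vlan access-map BLOCK-H1-S1 20
 action forward
!
vlan filter BLOCK-H1-S1 vlan-list 1
```

Contrast this with the standard-ACL version in the thread ("access-list 10 permit host 199.199.199.1"): that ACL matches every frame h1 sends, so the same map on sw1 drops h1's traffic to h2 as well, which is the behaviour Sarah described; placed on sw2 it only affects frames that actually transit sw2, so h1 to h2 (switched locally on sw1) is untouched while h1 to s1 is dropped. Verify what is bound where with "show vlan access-map" and "show vlan filter" on each switch, and remember that on a Layer 3 switch a VACL is also consulted for traffic routed into or out of the VLAN, not just bridged traffic.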
