Is VACL required?

interface VlanX
ip address 10.0.0.0 255.255.255.0
ip access-group VLANX_block in
end

On a 6500 VSS 1440, I have an inbound ACL blocking/permitting hosts of VLANX to other VLANs.

Now there is a requirement that a specific host in VLANX should not communicate with any other
host in the same VLAN but should communicate with all other VLANs.

I can think of VLAN ACLs. Here is the proposed configuration.

Router# show ip access-lists Specific_host
Extended IP access list Specific_host
    permit ip host 10.0.0.1 10.0.0.0 0.0.0.255

Router# show ip access-lists Any_host
Standard IP access list Any_host
    permit any


Router(config)# vlan access-map TEST 10
Router(config-access-map)# match ip address Specific_host
Router(config-access-map)# action drop
Router(config-access-map)# exit
Router(config)# vlan access-map TEST 20
Router(config-access-map)# match ip address Any_host
Router(config-access-map)# action forward
Router(config-access-map)# exit


Router(config)# vlan filter TEST vlan-list X

Can you please tell me if this is the only easy way of achieving the requirement? I am still looking for a simpler solution with less risk to implement. Thanks

Regards Vinayak
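The following is an added example, not part of the original post and not Cisco code: a small Python model of how the proposed VLAN access-map evaluates a packet, used to check what the posted policy actually covers before it is applied to a production VLAN. It assumes the documented VACL behaviour (sequences are tried in order, the first sequence whose match ACL permits the packet decides the action, a packet matching no sequence is dropped, and the filter is stateless, so each direction of a flow is evaluated on its own). The hosts 10.0.0.5, 10.0.0.6 and 10.1.0.5 are constructed sample addresses.

```python
import ipaddress
from dataclasses import dataclass


def _wild_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard-mask match: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <src-wild> <dst> <dst-wild>' entry of an extended ACL."""
    src_net: str
    src_wild: str
    dst_net: str
    dst_wild: str

    def matches(self, src: str, dst: str) -> bool:
        return (_wild_match(src, self.src_net, self.src_wild)
                and _wild_match(dst, self.dst_net, self.dst_wild))


HOST_WILD = "0.0.0.0"            # 'host a.b.c.d'
ANY = ("0.0.0.0", "255.255.255.255")  # 'any'

# The ACLs exactly as proposed in the post: only 'permit' entries are modelled,
# which is all the post uses.
ACLS_POSTED = {
    "Specific_host": [Ace("10.0.0.1", HOST_WILD, "10.0.0.0", "0.0.0.255")],
    "Any_host": [Ace(*ANY, *ANY)],   # 'permit any' matches every packet
}

# Hardened variant (assumption, not from the post): also match the reverse
# direction, because a VACL is stateless and will not drop packets that other
# hosts in the VLAN send *to* 10.0.0.1 unless an entry covers them.
ACLS_BOTH_WAYS = {
    "Specific_host": ACLS_POSTED["Specific_host"]
    + [Ace("10.0.0.0", "0.0.0.255", "10.0.0.1", HOST_WILD)],
    "Any_host": ACLS_POSTED["Any_host"],
}

# 'vlan access-map TEST': (sequence, match ACL, action), in order.
ACCESS_MAP_TEST = [
    (10, "Specific_host", "drop"),
    (20, "Any_host", "forward"),
]


def evaluate(access_map, acls, src: str, dst: str) -> str:
    """Return the action the VACL applies to a packet from src to dst.

    The first sequence whose match ACL permits the packet decides; a packet
    permitted by no sequence hits the implicit deny and is dropped.
    """
    for _seq, acl_name, action in access_map:
        if any(ace.matches(src, dst) for ace in acls[acl_name]):
            return action
    return "drop"


def policy_report(acls) -> dict:
    """Evaluate a few constructed flows against the map for a quick review."""
    flows = {
        "host -> same VLAN": ("10.0.0.1", "10.0.0.5"),
        "host -> other VLAN": ("10.0.0.1", "10.1.0.5"),
        "same VLAN -> host": ("10.0.0.5", "10.0.0.1"),
        "other hosts in VLAN": ("10.0.0.5", "10.0.0.6"),
    }
    return {name: evaluate(ACCESS_MAP_TEST, acls, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for label, acls in (("posted", ACLS_POSTED), ("both directions", ACLS_BOTH_WAYS)):
        print(f"--- {label} ---")
        for flow, action in policy_report(acls).items():
            print(f"{flow:22s} {action}")
```

Running it shows that the posted map drops 10.0.0.1's own packets to the /24 and forwards its traffic to other VLANs as intended, but still forwards packets that a neighbour sends to 10.0.0.1 (only the replies are dropped); the second ACL variant closes that gap while leaving traffic between the other hosts untouched.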
Is VACL required?

If you have one host that needs to be blocked on the same VLAN, the VLAN ACL is the way to go. You should be fine as long as you're permitting all other hosts to forward. So according to your config, you want to deny host 10.0.0.1 to anything on the 10.0.0.0/24 network. The config looks correct as far as I can tell.

HTH, John *** Please rate all useful posts ***