Cisco Support Community

Is VACL required?

interface VlanX
ip address
ip access-group VLANX_block in

On a 65k VSS 1440, I have an inbound ACL blocking/permitting hosts of VLAN X to other VLANs.

Now there is a requirement that a specific host in VLAN X should not communicate with any other
host in the same VLAN, but should still communicate with all other VLANs.

I can think of VLAN ACLs. Here is the proposed configuration.

Router# show ip access-lists Specific_host
Extended IP access list Specific_host
    permit ip host

Router# show ip access-lists Any_host
Standard IP access list Any_host
    permit any

Router(config)# vlan access-map TEST 10
Router(config-access-map)# match ip address Specific_host
Router(config-access-map)# action drop
Router(config-access-map)# exit
Router(config)# vlan access-map TEST 20
Router(config-access-map)# match ip address Any_host
Router(config-access-map)# action forward
Router(config-access-map)# exit

Router(config)# vlan filter TEST vlan-list X

Can you please tell me if this is the only easy way of achieving the requirement? I am still looking for a simpler solution that will carry less risk to implement. Thanks.

Regards, Vinayak

Is VACL required?

If you have one host that needs to be blocked on the same VLAN, the VLAN ACL is the way to go. You should be fine as long as you're permitting all other hosts to forward. So according to your config, you want to deny the host to anything on the network. The config looks correct as far as I can tell.

HTH, John *** Please rate all useful posts ***
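As an added example (not from either post above), here is one way to write the VACL so that only the host's intra-VLAN IP traffic is dropped. A VACL is applied to all IP traffic in the VLAN, bridged within it as well as routed into or out of it, so the match ACL has to key on the destination as well as the source: destinations inside the VLAN's own subnet are matched and dropped, while anything routed to another VLAN has a destination outside that subnet and falls through to the forward sequence. In a VACL match ACL, "permit" means "this sequence matches" and "deny" means "skip to the next sequence", which is how the default gateway is exempted here. The VLAN number, subnet, host and SVI addresses are hypothetical values chosen for the example.

```cisco
! Added example, not configuration from the original thread.
! Assumptions: VLAN 10 = 10.1.10.0/24, isolated host = 10.1.10.50,
! SVI / default gateway = 10.1.10.1 (all hypothetical).
!
! Match ACL for the drop sequence.
! deny  = packet does NOT match this sequence (falls through to seq 20)
! permit = packet matches and is dropped by seq 10
ip access-list extended HOST50_INTRA_VLAN
 remark keep the host <-> gateway (SVI) path open so routing still works
 deny   ip host 10.1.10.50 host 10.1.10.1
 deny   ip host 10.1.10.1 host 10.1.10.50
 remark everything between the host and the rest of its own subnet is dropped
 permit ip host 10.1.10.50 10.1.10.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 host 10.1.10.50
!
! Catch-all so every other IP packet in the VLAN is explicitly forwarded
ip access-list standard ANY_IP
 permit any
!
vlan access-map VLAN10_ISOLATE_HOST 10
 match ip address HOST50_INTRA_VLAN
 action drop
vlan access-map VLAN10_ISOLATE_HOST 20
 match ip address ANY_IP
 action forward
!
! Apply to the VLAN; routed traffic from 10.1.10.50 to other subnets
! never matches seq 10 and is forwarded by seq 20
vlan filter VLAN10_ISOLATE_HOST vlan-list 10
```

After applying it, confirm the mapping with `show vlan access-map VLAN10_ISOLATE_HOST` and `show vlan filter`, then test from the host: a ping to a peer in 10.1.10.0/24 should fail while a ping to a host in another VLAN succeeds. Two caveats worth checking before rollout: any service the host depends on that lives in the same VLAN (for example an in-VLAN DHCP server) is also cut off by the second permit line, and the match is IP-only, so non-IP frames such as ARP are not affected by this map.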