How to deny the same network L2 layer?


We want to isolate PC1 and PC2.
PC1 and PC2 are not subject to the ACL because they are in the same network.
Is a Private vlan appropriate?
Any ideas?


A VACL filters inter- and intra-VLAN traffic.
He needs to make the host reach the GW to connect to other subnets.

MHM

Hello @MHM Cisco World 

A VACL filters inter- and intra-VLAN traffic.
He needs to make the host reach the GW to connect to other subnets.

MHM


Inter-vlan traffic will still work


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

@JustTakeTheFirstStep 

Private VLAN or MAC access list

Hello 
VACLs/PVLANs are both ways of negating connectivity between multiple hosts within the same VLAN; however, for just a single PC-PC pair
you can use a protected port:

PC1 & PC2
int x/x
switchport protected 



Kind Regards
Paul

Hello
Yeah, apologies. I realised after I posted that your OP has switch interconnects; it only works for hosts on the same switch. It's a little one to beware of in case such a need arises (depending on whether the switch IOS supports it, as it's a rather old feature).



Kind Regards
Paul

Hello

FYI: by default there is a deny stanza in VACLs, so all you need in this instance is to append a manual drop action and permit everything else.

Try the following:

! ACL 100 matches any IP traffic sourced and destined within 144.144.144.0/24
access-list 100 permit ip 144.144.144.0 0.0.0.255 144.144.144.0 0.0.0.255
!
! Sequence 10 (default when no number is given): drop what ACL 100 matches
vlan access-map VACL
 match ip address 100
 action drop
!
! Sequence 100: no match clause, so everything else is forwarded
vlan access-map VACL 100
 action forward
!
! Apply the map to VLAN 144
vlan filter VACL vlan-list 144



Kind Regards
Paul
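As an added example (not from Paul's post or from Cisco documentation), the same VACL approach narrowed to the original question: drop only the PC1-to-PC2 pair and forward everything else in VLAN 144, so both hosts keep reaching their gateway and the rest of the subnet. The host addresses 144.144.144.11 and 144.144.144.12 and the ACL/access-map names are assumptions.

```cisco
! Assumed addresses: PC1 = 144.144.144.11, PC2 = 144.144.144.12 (both in VLAN 144)
! Only traffic between these two hosts is matched, in both directions.
ip access-list extended PC1-PC2-BLOCK
 permit ip host 144.144.144.11 host 144.144.144.12
 permit ip host 144.144.144.12 host 144.144.144.11
!
! Sequence 10 drops IP packets that match the pair above.
! Sequence 20 has no match clause, so it forwards all remaining traffic
! (host-to-gateway, host-to-other-hosts, ARP) and overrides the implicit drop.
vlan access-map ISOLATE-144 10
 match ip address PC1-PC2-BLOCK
 action drop
vlan access-map ISOLATE-144 20
 action forward
!
! Apply the map to VLAN 144 only; it filters bridged traffic on every port in
! that VLAN on this switch, including frames arriving over trunk links.
vlan filter ISOLATE-144 vlan-list 144
!
! Verification
! show vlan access-map ISOLATE-144
! show vlan filter
```

Configure the map on each switch that carries VLAN 144 so the drop happens regardless of which host sends first. The IP ACL does not match non-IP frames such as ARP; to block those between the pair as well, add a mac access-list extended and a second drop sequence using match mac address.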

@paul driver 

But the gateway is still denied.
Test was successful as per MHM's answer
Thank you very much for your continued interest.

Hello
You do not need to reach the gateway; it will still work (inter-VLAN routing). That is for the filtered VLAN 144.



Kind Regards
Paul