05-12-2022 08:00 PM
For example, if a VLAN comes from upstream and it has different subnets, is there a way for me to filter traffic based on the header rather than IP addressing?
05-13-2022 04:25 AM - edited 05-13-2022 04:26 AM
Hi
Do you have a secondary IP address under the SVI? Depending upon the platform type, you can use a VLAN Access-list (VACL) to control traffic that is bridged or routed in/out of a VLAN. VACLs are not supported on all platforms.
Thanks
05-12-2022 10:31 PM
Can you elaborate more?
05-12-2022 11:39 PM
Hello,
A VLAN can only have one subnet. Post a diagram of your topology that shows what you want to accomplish...
05-13-2022 02:44 PM - edited 05-15-2022 01:24 AM
Hello
If you want to filter a VLAN, why not just filter on the VLAN tag by pruning it off a trunk? As a VLAN resides at Layer 2, you could apply a MAC address filter for a specific host, but above that you're in the realms of routed access lists at L3.
05-13-2022 02:55 PM
What kind of filtering? To block/drop?
If so, recall (?) MQC can match on VLAN source (if platform supported), and policy maps can have matching classes that drop all matched traffic.
05-14-2022 12:13 PM
Would policy maps be able to filter on ingress headers other than COS headers? Specifically ID headers?
05-14-2022 03:29 PM
Unclear to me what you mean by ID headers, but as an example of what a Catalyst 9200's policy match criteria might be, look at: match (class-map configuration). What I was referring to earlier is "match vlan vlan-id".
05-14-2022 12:25 PM
I want to mention something here.
Even if it is called a VLAN ACL, it does not mean that it filters packets/frames depending on the VLAN field; the name of the ACL indicates where this ACL is applied.
Port ACL "PACL": used to filter IP source/destination BUT applied on a port.
VLAN ACL "VACL": used to filter IP source/destination BUT applied on an SVI.
Router ACL "ACL": used to filter IP source/destination BUT applied on a router port.
Note: the above ACLs can also filter some L4 ports.
05-14-2022 01:10 PM
Ok, you are correct. VACLs seemed to be a rudimentary work-around for the problem I had in mind.
Then how would I be able to filter on the VLAN header?
The reason why I ask this question was to granularly control traffic flow for the same VLAN from different sources. Then the thought occurred to me that the same VLAN might be sourced with different subnet addressing.
I've read through a few threads where this is possible yet not common.
Example:
https://community.cisco.com/t5/switching/single-vlan-can-support-multiple-subnets/td-p/1419140
Basically I would like to know if there's a way for me to filter on the VLAN header and not IP. The MAC address filters mentioned above are one idea. I may be able to apply traffic upstream to different traffic classes and filter on that instead. The reason why I ask this is for self knowledge more than anything else.
05-14-2022 01:22 PM - edited 05-14-2022 01:30 PM
You can use the same ACL you apply in the SVI; it can include
the primary and secondary subnets, and this solves your issue.
NOW, if there is a conflict, where there is traffic permitted for the primary and denied for the secondary, it can be solved by
configuring the ACL in the SVI that the traffic arrives from, OR configuring the ACL in the router port it arrives from "if from another SW/R".
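To make the distinction the thread keeps circling concrete (the 802.1Q tag is a Layer 2 field carrying both the CoS bits and the VLAN ID, and it is independent of whatever IP subnets ride inside the VLAN), here is an added Python example that is not from any poster or from Cisco. It builds constructed tagged frames for two hosts in the same VLAN but different subnets, parses the tag and IPv4 addresses, and contrasts a tag-based drop decision with an ACL-style subnet match; all function names and sample addresses are assumptions for illustration.

```python
import ipaddress
import struct

def build_tagged_frame(vid, pcp, src_ip, dst_ip):
    """Construct a minimal 802.1Q-tagged Ethernet frame carrying an IPv4 header.
    Sample data is constructed for illustration, not captured from a network."""
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    tci = (pcp << 13) | (vid & 0x0FFF)              # PCP(3) | DEI(1) | VID(12)
    tag = struct.pack("!HH", 0x8100, tci)           # TPID 0x8100 + TCI
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + tag + struct.pack("!H", 0x0800) + ip_hdr

def parse_frame(frame):
    """Return the 802.1Q fields (None if untagged) and IPv4 src/dst, if present."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"vid": None, "pcp": None, "dei": None, "src_ip": None, "dst_ip": None}
    offset = 14
    if ethertype == 0x8100:                         # tagged: read the TCI
        tci = struct.unpack("!H", frame[14:16])[0]
        info["pcp"] = tci >> 13                     # 3-bit priority (the CoS bits)
        info["dei"] = (tci >> 12) & 1               # drop eligible indicator
        info["vid"] = tci & 0x0FFF                  # 12-bit VLAN ID
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype == 0x0800:                         # IPv4 follows the Ethernet header
        ip = frame[offset:offset + 20]
        info["src_ip"] = str(ipaddress.IPv4Address(ip[12:16]))
        info["dst_ip"] = str(ipaddress.IPv4Address(ip[16:20]))
    return info

def drop_by_vid(frame, blocked_vids):
    """Tag-based decision: only the 802.1Q VID matters, whatever subnet is inside."""
    return parse_frame(frame)["vid"] in blocked_vids

def drop_by_subnet(frame, blocked_cidrs):
    """ACL-style decision (PACL/VACL/RACL): matches the IP source; the tag is ignored."""
    src = parse_frame(frame)["src_ip"]
    return src is not None and any(
        ipaddress.IPv4Address(src) in ipaddress.ip_network(c) for c in blocked_cidrs)

if __name__ == "__main__":
    # Two hosts in VLAN 10: one on the primary subnet, one on a secondary subnet.
    primary = build_tagged_frame(10, 5, "10.1.0.5", "10.1.0.1")
    secondary = build_tagged_frame(10, 0, "10.2.0.5", "10.2.0.1")
    print(drop_by_vid(primary, {10}), drop_by_vid(secondary, {10}))          # True True
    print(drop_by_subnet(primary, ["10.2.0.0/16"]), drop_by_subnet(secondary, ["10.2.0.0/16"]))
```

The VID filter drops both hosts because they share the tag, while the subnet filter drops only the secondary-subnet host, which is exactly the gap the poster noticed between "VLAN ACL" naming and what the ACL actually matches on.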