Is there a way to filter VLAN according to header?

hfakoor222
Spotlight

For example, if a VLAN comes from upstream and it has different subnets, is there a way for me to filter traffic based on the header rather than IP addressing?

Accepted Solution

ashishr
Level 1

Hi

Do you have a secondary IP address under the SVI? Depending on the platform type, you can use a VLAN Access-list (VACL) to control traffic that is bridged or routed in/out of a VLAN. VACLs are not supported on all platforms.

Thanks


10 Replies

Can you elaborate more?

Hello,

a VLAN can only have one subnet. Post a diagram of your topology that shows what you want to accomplish...

Hello

If you want to filter a VLAN, why not just filter on the VLAN tag by pruning it off a trunk? As a VLAN resides at Layer 2, you could apply a MAC address filter for a specific host, but above that you're in the realm of routed access lists at L3.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Joseph W. Doherty
Hall of Fame

What kind of filtering?  To block/drop?

If so, recall (?) MQC can match on VLAN source (if platform supported), and policy maps can have matching classes that drop all matched traffic.

Would policy maps be able to filter on ingress headers other than COS headers? Specifically ID headers?

Unclear to me what you mean by ID headers, but as an example of a Catalyst 9200's policy match criteria, look at: match (class-map configuration). What I was referring to earlier is "match vlan vlan-id".

I want to mention something here:
even if it is called a VLAN ACL, that does not mean it filters packets/frames based on the VLAN field; the name of the ACL indicates where the ACL is applied.
Port ACL "PACL": used to filter IP source/destination BUT applied on a port
VLAN ACL "VACL": used to filter IP source/destination BUT applied on the SVI
Router ACL "ACL": used to filter IP source/destination BUT applied on a router port

Note: the above ACLs can also filter on some L4 ports.

Ok, you are correct. VACLs seemed to be a rudimentary workaround for the problem I had in mind.

Then how would I be able to filter on the VLAN header?

The reason why I asked this question was to granularly control traffic flow for the same VLAN from different sources. Then the thought occurred to me that the same VLAN might be sourced with different subnet addressing.

I've read through a few threads where this is possible, yet not common.

Example:

https://community.cisco.com/t5/switching/single-vlan-can-support-multiple-subnets/td-p/1419140

Basically I would like to know if there's a way for me to filter on the VLAN header and not IP. The MAC address filters mentioned above are one idea. I may be able to apply traffic upstream to different traffic classes and filter on that instead. The reason why I ask this is for self-knowledge more than anything else.

You can use the same ACL you apply on the SVI; it can include the primary and secondary subnets, and this solves your issue.

Now, if there is a conflict where traffic is permitted for the primary and denied for the secondary, it can be solved by configuring the ACL on the SVI that the traffic arrives from, OR by configuring the ACL on the router port it arrives from (if it comes from another switch/router).
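As an added illustration of the two replies above (the one listing PACL, VACL and router ACL as the same IP-based filter applied at different points, and the one suggesting a single SVI ACL covering the primary and secondary subnets), here is a constructed Cisco IOS-style configuration. It is not from the original thread or from Cisco; the VLAN number, the two subnets, the server address and the interface names are assumptions chosen for the example.

```cisco
! Constructed example, not the thread's or Cisco's configuration.
! Assumed: VLAN 10 carries 10.1.10.0/24 (primary) and 10.1.20.0/24 (secondary);
! only the primary subnet may reach the server 192.0.2.10.

! --- SVI with primary and secondary addressing (one VLAN, two subnets) ---
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip address 10.1.20.1 255.255.255.0 secondary
 ip access-group VLAN10-IN in
!
! --- Router ACL on the SVI: one ACL covers both subnets, so a permit for
!     the primary and a deny for the secondary cannot conflict ----------------
ip access-list extended VLAN10-IN
 permit ip 10.1.10.0 0.0.0.255 host 192.0.2.10
 deny   ip 10.1.20.0 0.0.0.255 host 192.0.2.10
 permit ip any any
!
! --- VACL: still matches on IP fields, but is applied to traffic bridged
!     within VLAN 10 (and routed in/out of it), not only routed traffic -------
ip access-list extended SECONDARY-TO-PRIMARY
 permit ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255
!
vlan access-map VLAN10-MAP 10
 match ip address SECONDARY-TO-PRIMARY
 action drop
vlan access-map VLAN10-MAP 20
 action forward
!
vlan filter VLAN10-MAP vlan-list 10
!
! --- Port ACL: the same ACL syntax, applied inbound on a Layer 2 port ---------
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 ip access-group VLAN10-IN in
!
! Verification (assumed platform with VACL support):
!   show vlan access-map VLAN10-MAP
!   show vlan filter
!   show ip access-lists VLAN10-IN
```

Two things the example makes visible: none of the three filters reads the 802.1Q tag itself, so the VLAN is selected only by where the ACL or access map is applied (port, VLAN, or SVI); and the explicit `action forward` clause in sequence 20 is needed because a VACL drops anything that matches no clause, so omitting it would blackhole the rest of the VLAN.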
