Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1586
Views
0
Helpful
2
Replies

private vlans or vlan access lists

jon_panes24
Level 1
Level 1

‎09-09-2014 01:13 PM - edited ‎03-04-2019 11:43 PM

Hi,

I was just wondering what is better to be used on a network.

A private vlan with different communities or restricting access to routed vlans by placing access-lists.

 

Thanks.

Labels:
0 Helpful
2 Replies 2

Rajeev Sharma
Cisco Employee
Cisco Employee

‎09-09-2014 02:16 PM

Hey,

VACL is more flexible that private vlans as they come with lots of do's and dont's.

HTH.

Regards,

RS.

0 Helpful

InayathUlla Sharieff
Cisco Employee
Cisco Employee

‎09-09-2014 05:21 PM

Hi Dear,

 Below are some thought on both the topic now you can choose which one would be easy for you:-


A) 
PVLANs provide layer 2 isolation between ports within the same broadcast domain. There are three types of PVLAN ports:
 
Promiscuous— A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
Isolated— An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from isolated port is forwarded only to promiscuous ports.
Community— Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
 
B)
VACLs provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN. Unlike regular Cisco IOS ACLs that are configured on router interfaces and applied on routed packets only, VACLs apply to all packets.


Difference between it:
=================
PVLANs are best for when you want to segment within the same switch, whereas VACLs will apply to an entire VLAN as a whole.
 
Also, if you deployed VACLs across an entire VLAN to perform the function of PVLANS the scalabitliy and management would be a nightmare.
 
Blocking by MAC address would require you to know the MAC addresses of all the devices that would connect to your switches.
 
Blocking by IP address would require static assignment of all IP addresses on the network. Becaue if they were to change then that host likely wouldn't be able to access the resources it needed anymore. You can't block by subnet b/c everything in that VLAN (if you are using best practice) would be on the same subnet. So you would have to block by individual host addresses.

 

HTH

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card