Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3164
Views
5
Helpful
6
Replies

VACL or SVI AVL

nir.fisher
Level 1
Level 1

‎12-01-2010 05:37 AM - edited ‎03-04-2019 10:38 AM

hi

could someone explain what is the difference between applying an ACL to an SVI on a switch or applying a VACL to a vlan?

thanks

Labels:
0 Helpful
6 Replies 6

rtjensen4
Level 4
Level 4

‎12-01-2010 01:36 PM

You apply an ACL to the SVI to control how traffic is routedBETWEEN VLANs on an L3 switch. An ACL applied to an SVI does nothing to control the traffic on the VLAN itself. The VLAN will carry whatever traffic is passed to it, with not filtering happening until it's routed.

Example:

This would deny any TCP traffic from VLAN1 to VLAN2

interface vlan1

ip address 192.168.1.1 255.255.255.0

access-group 1 in

!

interface vlan2

ip address 192.168.2.1 255.255.255.0

access-list 1 deny tcp any 192.168.2.0 0.0.0.255

The VACL is applied to a VLAN to control traffic WITHIN a VLAN. Ordinarily, you can't stop Host1 from talking to Host2 if they're connected to the same switch in the same VLAN. If they were in seperate VLANs, you could apply an ACL to the SVI to do it, but on the same VLAN, there's no filtering. This is where the VACL comes into play. The VACL applies to traffic in the VLAN. You can use a regular access-list or a mac-address access-list for this.

Example:

This would deny traffic destined to port 80 on vlan 1

vlan access-map test1 10
action drop
match ip address 110

!

access-list 110 permit tcp any any eq 80

!

vlan filter test1 vlan 1

HTH

Ryan

0 Helpful

nir.fisher
Level 1
Level 1
In response to rtjensen4

‎12-04-2010 11:20 AM

thanks , excellent stuff !!

youv' been allot of help

another question, if I apply a VACL to deny traffic to a certain host would that effect traffic coming to that host from a different vlan as well as

traffic from same vlan ?

0 Helpful

cadet alain
VIP Alumni
VIP Alumni
In response to nir.fisher

‎12-04-2010 11:38 AM

Hi,

VACL is  for intra VLAN traffic otherwise you use a RACL.

Regards.

Don't forget to rate helpful posts.

nir.fisher
Level 1
Level 1
In response to cadet alain

‎12-04-2010 12:16 PM

thanks , but you didnt answer my question , would inter-vlan traffic to a certain host  be effected by an intra-vlan ACL regarding that host ?

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to nir.fisher

‎12-06-2010 03:52 AM 

nir.fisher wrote:
thanks , excellent stuff !!
youv' been allot of help
another question, if I apply a VACL to deny traffic to a certain host would that effect traffic coming to that host from a different vlan as well as
traffic from same vlan ?

Yes it would. A VACL applies to to all traffic within that vlan. Once the traffic is routed onto that vlan then the VACL will be applied.

Jon

0 Helpful

nir.fisher
Level 1
Level 1
In response to Jon Marshall

‎12-07-2010 01:29 AM

thanks for all the help

0 Helpful
Customers Also Viewed These Support Documents