vlan acl's at switch

mialbert · ‎06-13-2014

I have a 3560 switch that has multiple vlan's defined on it. Currently, there are acl's on the switch that keep one vlan from passing traffic to another vlan(each vlan should be distinct because they are seperate entity's). We are having issues duplicating this functionality on another switch(a 2960). Are the vlan's really necessary? Will the default behavior of a vlan keep traffic from being passed among the vlan's anyway?

Gary Paciello · ‎06-16-2014

Hello there,

Your post raises a couple of Qs...

"Currently, there are acl's on the switch that keep one vlan from passing traffic to another vlan..." First of all, I guess we should know a bit more about your topology, but in order for Vlans to communicate they need to be routed. A router with one interface on each vlan or a router-on-a-stick setup.

"Are the vlan's really necessary?" It depends, what is the objective?

"Will the default behavior of a vlan keep traffic from being passed among the vlan's anyway?" You need to think about Vlans as individual networks. Therefore, in order for them to be able to communicate they need to do so through a router. This cannot be accomplish with just ACLs. (If I am mistaken, I would love to know how it is done).

What is your topology like and what is the main objective?

mialbert · ‎06-23-2014

Don't want vlan's to communicate between each other, in this case. Believe i will need acl's to stop this behavior.

Gary Paciello · ‎06-23-2014

Hi mialbert,

I am beginning to have doubts about what you mean by "communicate between them" but again, Vlans behave as different/separate networks, they do not/cannot communicate between them natively, they need a router to do so.

Also, ACLs can filter IP addresses but they DO NOT route IPs.

Am I not understanding your question? I do apologize if that is the case...