12-13-2012 12:01 PM
I recently bought the SF 300-8 L3 switch and I noticed that the ACL rules are bound to ports and not VLANs.
But what is the point of defining VLANs if the rules I make belong to ports?
If I have, let's say, 20 ports in one VLAN, do I have to bind the same rule to 20 ports instead of binding it to the VLAN that the ports belong to?
If the port is a trunk port and the ACL is bound to the port and not to the VLAN, is the whole filtering based only on the IP address and not on the VLAN?
I don't understand it; it is as if in L3 mode, building VLANs is redundant and all the work is done with ACLs and ports.
I thought that an L3 switch was about interconnecting VLANs and not ports.
Is there something I haven't understood?
12-13-2012 01:02 PM
Hi DDD, the ACL is ingress only, the limitation would be to the physical port or channel group. The ACL also will not affect any egress traffic. In your scenario, you're correct, the ACL would be bound to 20 ports instead of a SVI.
-Tom
Please mark answered for helpful posts
12-13-2012 01:12 PM
So, where do the VLANs come into use? Do I gain something if I define VLANs, or should I just use ACLs with ports?
12-13-2012 01:21 PM
DDD, this depends on your needs. If you need to separate traffic like voice and video vs. data, then a VLAN is very beneficial. Or if you need to separate a large number of hosts. If you just need to restrict a host from another host, then a VLAN or an ACL will accomplish this.
Depending on the complexity of the task, if it's 1-2 hosts, then I'd just make a small ACL. If it were 100 hosts that shouldn't particularly communicate with a resource, then I'd think a VLAN is more prudent, depending on how your network can handle traffic.
-Tom
Please mark answered for helpful posts
12-13-2012 01:33 PM
As I understand it, by default all VLANs I make communicate with each other, and the only way that I have to define which VLAN can communicate with which VLAN is by defining an ACL and binding it to the ports that are assigned to these VLANs. Is that right?
12-13-2012 01:42 PM
DDD, no, this is not correct. In a layer 3 environment, a few requirements must be met:
config t
vlan database
vlan 2
config t
int vlan 1
ip address 192.168.1.254 /24
int vlan 2
ip address 192.168.2.254 /24
config t
int gi2
switchport mode access
switchport access vlan 2
HOST A
IP 192.168.1.10
MASK 255.255.255.0
GATEWAY 192.168.1.254
HOST B
IP 192.168.2.10
MASK 255.255.255.0
GATEWAY 192.168.2.254
With these steps, in theory there should be inter-VLAN communication, provided things like firewalls or security software do not block things like ICMP. Once connected the way you want, or as my example describes, you may make an access list something like:
config t
ip access-list extended test
deny ip 192.168.2.10 0.0.0.0 192.168.1.0 0.0.0.255
permit ip any any
int gi2
service-acl input test
The example ACL will stop 192.168.2.10 from accessing the 192.168.1.0 network altogether, while permitting any other traffic from the 192.168.2.10 host to access anything else, with the assumption that you're connecting the 192.168.2.10 host on port gi2 of the switch, which would be a member of VLAN 2.
-Tom
Please mark answered for helpful posts
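To make the ingress-only, per-port binding in the thread concrete, here is a small Python model of how the switch evaluates Tom's access list. It is an added example, not code from the SF300 or from the thread; the ACL text and addresses are the ones in the post above, the port-to-ACL binding table and the sample packets are constructed assumptions.

```python
"""Model of ingress ACL evaluation as described in this thread (added example)."""
import ipaddress

# ACL exactly as written in the post: first matching entry wins, and every
# Cisco ACL ends with an implicit "deny ip any any" that the explicit permit
# in the post overrides.
ACLS = {
    "test": """
deny ip 192.168.2.10 0.0.0.0 192.168.1.0 0.0.0.255
permit ip any any
""",
}

# Assumed binding table: only gi2 (the VLAN 2 access port) carries the ACL,
# and it is applied to inbound packets only, as stated in the thread.
BINDINGS = {"gi2": "test"}


def wildcard_match(addr, base, wildcard):
    """Wildcard-mask compare: bits set in the wildcard are 'don't care'."""
    if base == "any":
        return True
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_acl(text):
    """Parse '<action> ip <src> <wc> <dst> <wc>' lines; 'any' takes no mask."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, rest = tok[0], tok[2:]          # tok[1] is the protocol ("ip")
        if rest[0] == "any":
            src, rest = ("any", "0.0.0.0"), rest[1:]
        else:
            src, rest = (rest[0], rest[1]), rest[2:]
        dst = ("any", "0.0.0.0") if rest[0] == "any" else (rest[0], rest[1])
        entries.append((action, src, dst))
    return entries


def evaluate(acl_text, src, dst):
    """First-match evaluation; falls through to the implicit deny."""
    for action, (sb, sw), (db, dw) in parse_acl(acl_text):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def ingress_decision(port, src, dst):
    """Decision for a packet *entering* on `port`; egress is never filtered,
    and a port with no bound ACL forwards everything."""
    name = BINDINGS.get(port)
    return "permit" if name is None else evaluate(ACLS[name], src, dst)
```

Note that a packet from host A (192.168.1.10) entering on an unbound port toward host B is still forwarded; only host B's replies entering on gi2 are dropped, which is the practical effect of an ingress-only, port-bound ACL.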
12-13-2012 01:57 PM
If I don't make the VLANs and just make the ACL rules that you wrote, give different networks to the PCs like the ones that you made, and then bind the rules to the ports that these PCs are on, will it be different from the configuration you made?
12-13-2012 07:58 PM
DDD, there is another way which is not best practice. You can put 2 ip addresses on a single vlan interface.
-Tom
Please mark answered for helpful posts
12-14-2012 01:23 AM
To your example:
If I connect a DSL router on VLAN 1 with IP 192.168.1.1 and a PC on VLAN 2 with IP 192.168.2.1,
the default gateway of the PC would be 192.168.2.254,
but would the DNS IP of the PC be 192.168.1.1 or 192.168.2.254?
And do I have to add a static route to the DSL router that says
"send the network 192.168.2.0 255.255.255.0 to 192.168.1.254"?
12-14-2012 05:05 AM
Here is a working example-
https://supportforums.cisco.com/thread/2123434
-Tom
Please mark answered for helpful posts