Solved: access-lists on layer 3 switch

Benjamin Waldon · ‎12-17-2009

Hello,

I am going to be installing some layer three switches. I have a question about how access-lists work in this enviornment.

Enviornment:

Single switch, uses VLAN 10. Host1 is connected to port 1 and host 2 is connected to port 2. both ports are access ports for vlan 10. can I put an acl on vlan 10 that prevents host1 from talking to host 2? In other words, does the traffic have to flow from one vlan to another for the switch to compare it against the acl?

I am pretty sure that the acl wouldn't affect the traffic, but I just want to make sure.

Thanks,

Ben

Jon Marshall · ‎12-17-2009

benwaldon wrote:

Hello,

I am going to be installing some layer three switches. I have a question about how access-lists work in this enviornment.

Enviornment:

Single switch, uses VLAN 10. Host1 is connected to port 1 and host 2 is connected to port 2. both ports are access ports for vlan 10. can I put an acl on vlan 10 that prevents host1 from talking to host 2? In other words, does the traffic have to flow from one vlan to another for the switch to compare it against the acl?

I am pretty sure that the acl wouldn't affect the traffic, but I just want to make sure.

Thanks,

Ben

An acl applied to the L3 SVI for vlan 10 would not affect traffic between hosts in the same vlan. If you want limit traffic between hosts in the same vlan then you need use a VACL (Vlan acl).

Jon

View solution in original post

Jon Marshall · ‎12-17-2009

benwaldon wrote:

Hello,

I am going to be installing some layer three switches. I have a question about how access-lists work in this enviornment.

Enviornment:

Single switch, uses VLAN 10. Host1 is connected to port 1 and host 2 is connected to port 2. both ports are access ports for vlan 10. can I put an acl on vlan 10 that prevents host1 from talking to host 2? In other words, does the traffic have to flow from one vlan to another for the switch to compare it against the acl?

I am pretty sure that the acl wouldn't affect the traffic, but I just want to make sure.

Thanks,

Ben

An acl applied to the L3 SVI for vlan 10 would not affect traffic between hosts in the same vlan. If you want limit traffic between hosts in the same vlan then you need use a VACL (Vlan acl).

Jon

Benjamin Waldon · ‎12-17-2009

ooh very nice. thanks!

do you know of any white papers on virtual acls. I will do a search for it too, but if you have it handy, that would be great.

Does virtual ACLs require any specific licensing on the switch or a specific IOS version, etc?

Thanks,

Ben

Jon Marshall · ‎12-17-2009

benwaldon wrote:

ooh very nice. thanks!

do you know of any white papers on virtual acls. I will do a search for it too, but if you have it handy, that would be great.

Does virtual ACLs require any specific licensing on the switch or a specific IOS version, etc?

Thanks,

Ben

When you say virtual acls do you mean vlan acls ?

If so you can use the config guides for your relevant switch and there will be examples in their. Presumably you know how to find config docs for your switch ?

Jon

Benjamin Waldon · ‎12-17-2009

yeah, vlan acls, sorry. Okay thanks

Jon Marshall · ‎12-17-2009

Ben

No problem. Forgot to answer last question. They should come as standard on your switch so no special license or specific IOS.

Jon