09-29-2009 05:42 AM - edited 03-06-2019 07:55 AM
Hi all, can anyone tell me the correct way to permit traffic in and out of my L3 VLANs? Would I just apply the ACL to the VLAN? When would I use a VACL? Is this just to filter L2 traffic?
09-29-2009 06:12 AM
Carl
"Hi all, can anyone tell me the correct way to permit traffic in and out of my L3 vlans?"
Using L3 acls (RACL) on the vlan interfaces.
"when would I use a VACL, is this just to filter L2 traffic ?"
Primarily yes. VACLs filter within a vlan, RACLs filter between vlans.
I thought you had passed CCNA a while back, in which case you should probably know this sort of stuff. If this is a generic account, i.e. different people using the same username to post questions, then it would help if each had their own account, as we get used to the level of knowledge regular posters have and can therefore pitch the answer at the right level.
No criticism intended, just trying to be helpful.
Jon
09-29-2009 07:36 AM
Jon:
I commented on "Carl" a while ago, too. It's the same person -- all the posts start with "Hi, all". Either it's the same person or a bot. Either way, the basic questions pour in, yet credit for help given is never offered.
09-29-2009 09:30 AM
Hi Victor
I suspect it's a multi-user account, although I never thought of a bot, to be honest :-), because the same questions are asked multiple times. If you did a search you could probably find this question asked in a similar format by Carl previously.
It's a shame, because while we all like to help people, I find myself often not bothering to answer these questions because I suspect the answer is not really being listened to.
Jon
09-29-2009 06:46 AM
I agree with what Jon posted, with the exception of the VACL. A VACL can be used to block Layer 3 traffic.
For instance, let's say I have a PC in VLAN 100, and I only want that PC to talk to my datacenter and the internet, and none of the other PCs on VLAN 100. Instead of creating a special subnet and a special VLAN for just this 1 PC (there are limits to the number of spanning-tree instances you can have, and with PVST every VLAN is a spanning-tree instance), I could use a VACL to filter Layer 3 traffic. The other option would be to use private VLANs, but then I would not be able to use voice VLANs.
I actually have something similar on my network for PCI compliance. I separate my point-of-sale systems from all other network devices without creating additional VLANs and subnets; it was easier than redesigning my VLAN / subnet scheme.
HTH,
Craig
09-29-2009 07:22 AM
Craig,
Did you consider using 'switchport protected' to isolate the POS systems?
Aaron
09-29-2009 07:45 AM
We considered protected ports briefly, but because that only protects at Layer 2, that was also not a suitable solution. We needed to isolate the devices from all devices except what we intended them to talk to.
09-29-2009 10:56 AM
Craig
Ahh, I think I understand now. You didn't just want to limit which remote destinations the PC could talk to, but also limit the local destinations the PC could talk to. Local in this sense meaning within the same VLAN?
Jon
09-29-2009 11:11 AM
Yup, that's exactly it.
Craig
09-29-2009 09:25 AM
Craig
"agree with what Jon posted, with the exception of the VACL. A VACL can be used to block Layer 3 traffic"
Agreed. I didn't mean to suggest a VACL couldn't be used that way, just that the commonest use of a VACL was to block intra-VLAN traffic.
"let's say I have a PC in VLAN 100, and I only want that PC to talk to my datacenter and the internet, and none of the other PC's on VLAN 100. Instead of creating a special subnet and a special VLAN for just this"
Not sure I follow this. Why could you not just use a RACL on the VLAN 100 interface to allow this particular PC and then block the others? Perhaps I'm not understanding.
Jon
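As an added illustration of the RACL-versus-VACL point raised across Craig's and Jon's posts (this is not configuration from any poster in the thread, and every address below is a constructed placeholder): a RACL on the SVI is only consulted for packets routed through that interface, so a frame bridged between two ports in VLAN 100 never hits it, whereas a VLAN access map is applied to bridged traffic as well.

```cisco
! Added example, not from this thread. Constructed placeholders:
!   VLAN 100 subnet   = 10.100.0.0/24, SVI (gateway) = 10.100.0.1
!   isolated PC       = 10.100.0.50
!   datacenter block  = 10.200.0.0/16
!
! --- RACL on the SVI: only routed traffic is checked here ---
! A packet from 10.100.0.50 to 10.100.0.60 is switched in hardware
! between two access ports and never reaches Vlan100, so this ACL
! cannot be used to stop PC-to-PC traffic inside the VLAN.
ip access-list extended VLAN100-RACL
 permit ip 10.100.0.0 0.0.0.255 any
!
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
 ip access-group VLAN100-RACL in
!
! --- VACL: applied to the VLAN itself, so intra-VLAN frames are checked ---
! Sequence 10: keep the PC's path to its gateway and to the datacenter.
! Sequence 20: drop anything else between the PC and hosts in its own subnet.
! Sequence 30: forward all remaining IP traffic (internet, other PCs).
! Only IP match clauses are used here; ARP and other non-IP frames are not
! addressed by this map.
ip access-list extended PC-ALLOWED
 permit ip host 10.100.0.50 host 10.100.0.1
 permit ip host 10.100.0.1 host 10.100.0.50
 permit ip host 10.100.0.50 10.200.0.0 0.0.255.255
 permit ip 10.200.0.0 0.0.255.255 host 10.100.0.50
!
ip access-list extended PC-INTRA-VLAN
 permit ip host 10.100.0.50 10.100.0.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 host 10.100.0.50
!
ip access-list extended ANY-IP
 permit ip any any
!
vlan access-map ISOLATE-PC 10
 match ip address PC-ALLOWED
 action forward
vlan access-map ISOLATE-PC 20
 match ip address PC-INTRA-VLAN
 action drop
vlan access-map ISOLATE-PC 30
 match ip address ANY-IP
 action forward
!
vlan filter ISOLATE-PC vlan-list 100
```

Because the VACL is evaluated in sequence order, the gateway and datacenter permits in sequence 10 must precede the intra-VLAN drop in sequence 20, or the PC loses its routed path as well.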