Jon,

Thanks for your your doc is lenghty if you solve this issue hereit will be much better will save my time

source 10.10.60.133 destintion 10.10.60.150 (want to deny all traffic b/w them)

if possible tell me where should i configure it either on access layer sw0r core layer sw ??

Are both hosts connected to the same switch ?

If so you need do it on that switch.

Jon

i believe both are on same if not then ???

Faisal

Actually i don't think it matters to be honest.

Just apply it on the access switch (assuming at least one host is connected to the access switch).

If they are both connected directly to the L3 switch then apply it there.

Be careful when applying it ie. make sure after you have denied the specific traffic you then allow all other traffic.

Jon

with extended ACL rite ??? and dont need to place on any interface or port ??

Will this solution of applying VACLs to filter traffic between 2 hosts on the same VLAN (connected to same or different switches) work if the switch is a Nexus 7K switch running nx-os? It worked for me on ios but don't seem to be working on Nexus.

Please advise

Hello,

VACLs should work on the N7K in the same way. How did you configure the VACL ? Make sure you comply with the restrictions outlined in the link below:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x_chapter_010000.h...