07-19-2009 03:12 AM - edited 03-06-2019 06:50 AM
Hi
In my LAN I have two 4503 (distribution) and 10 switches (access). I applied this VACL on the two 4500s. This worked well.
vlan access-map Guest-wifi 10
action drop
match ip address deny-guest-wifi
vlan access-map Guest-wifi 20
action forward
!
vlan filter Guest-wifi vlan-list 22
ip access-list extended deny-guest-wifi
permit ip 172.24.22.0 0.0.0.255 172.24.0.0 0.0.255.255
But what I want to know is how this VACL is going to deny the data of two users who have the same subnet and VLAN and are located on the same access switch.
07-19-2009 09:16 AM
Hello Youssef,
your configuration looks fine.
What are the two client VLANs' IP subnets?
Does this happen on a single access switch?
I see you want to know if it is effective if two users are on the same access switch:
the VACL is effective if the access switch is providing only L2 services: in that case, when a user tries to contact someone outside its subnet, it sends traffic to its default gateway, which should be one of the distribution nodes, and so the VACL comes into play for users of vlan 22 in that IP subnet.
If someone with a device with two NICs places a device able to perform inter-VLAN routing and takes the role of default gateway on the VLAN (using gratuitous ARPs, for example), this security feature can be defeated.
For additional security you could deploy the guest vlan inside a VRF in a VRF lite context giving them only internet access.
But it is a more complex solution.
Hope to help
Giuseppe
07-20-2009 02:38 AM
Hi thanks for reply
But I want to know how the VACL takes effect on the access switch when two users, 172.24.22.10 and 172.24.22.11, want to communicate without passing through the distribution nodes.
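To see which traffic the distribution VACL actually evaluates, here is an added example (not from the thread and not Cisco code): a small Python model of the posted access-map and ACL, with a constructed topology in which hosts .10 and .11 share one access switch and .50 sits on another. Switch names, the host-to-switch mapping and the uplink path are assumptions for the illustration.

```python
import ipaddress

# ACL deny-guest-wifi from the thread: guest /24 -> anything in 172.24.0.0/16
ACL = {
    "deny-guest-wifi": [("permit", "172.24.22.0", "0.0.0.255", "172.24.0.0", "0.0.255.255")],
}
# vlan access-map Guest-wifi: seq 10 drops on an ACL match, seq 20 forwards the rest
ACCESS_MAP = [(10, "drop", "deny-guest-wifi"), (20, "forward", None)]

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def acl_matches(acl_name, src, dst):
    """In a VACL, a 'permit' ACE means 'this packet matches the clause'."""
    for action, sn, sw, dn, dw in ACL[acl_name]:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False

def vacl_action(src, dst):
    """Walk the access-map in sequence order; with no match at all the packet is dropped."""
    for _seq, action, acl_name in ACCESS_MAP:
        if acl_name is None or acl_matches(acl_name, src, dst):
            return action
    return "drop"

# Constructed topology (assumption): which access switch each VLAN 22 host hangs off.
HOST_SWITCH = {"172.24.22.10": "access-1", "172.24.22.11": "access-1",
               "172.24.22.50": "access-2"}
# Switches where 'vlan filter Guest-wifi vlan-list 22' is applied (the two 4500s).
VACL_ON = {"dist-1", "dist-2"}

def forwarding_path(src, dst):
    """Switches that bridge the frame: same access switch -> switched locally only."""
    s, d = HOST_SWITCH[src], HOST_SWITCH[dst]
    return [s] if s == d else [s, "dist-1", d]

def delivered(src, dst, vacl_on=VACL_ON):
    """True unless some switch on the path that carries the VACL drops the packet."""
    return all(vacl_action(src, dst) == "forward"
               for sw in forwarding_path(src, dst) if sw in vacl_on)
```

Calling delivered() for .10 to .11 shows the frame never reaches a switch carrying the filter, while the same pair with the VACL also applied on access-1 is dropped; this is the difference between filtering at the distribution layer and at the access layer.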