Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1267
Views
0
Helpful
3
Replies

restrict traffic within VLAN?

Go to solution
vlad09
Level 1
Level 1

‎10-04-2018 12:10 AM - edited ‎03-08-2019 04:18 PM

Hi there,

 

is there any way, how to restrict traffic within VLAN? In my case I have vlan 40 (its range is from 10.1.40.0-10.1.43.255)

I have created ACL like this and applied to vlan interface with inbound direction.

Extended IP access list tlac
    10 deny ip host 10.1.40.12 host 10.1.43.102
    20 deny ip host 10.1.40.155 host 10.1.43.102
    30 permit ip any any

where I wanted to deny first two hosts from accessing network printer, ACL doesnt work. only getting matches on permit statement.

 

Is there any way how to achieve this?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni
In response to vlad09

‎10-04-2018 03:15 AM

Yes, the VLAN access-map can have multiple clauses, this are sequenced by the number you point out.

The ACL when used with a VACL is used to match traffic. So the ACL uses a permit statement. Once the traffic has been matched in a clause you then decided on an action, in this case 'drop'.

The second clause, has no match statement so will match everything else remaining which hasn't been actioned in previous clauses. In you case we want to allow this traffic to be forwarded.

 

Yes the match ip address TLAC refers to the ACL....but note that we have changed them to permit ACEs because we are matching those source/ destination IP addresses.

 

cheers,

Seb.

 

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎10-04-2018 12:28 AM - edited ‎10-04-2018 12:29 AM

Hi there,

Placing an ACL on an SVI will only filter traffic which is being passed through the interface to be routed off the subnet. You devices reside on the same subnet, so a VACL is required.

Something like this:

!
ip access-list TLAC
  10 permit ip host 10.1.40.12 host 10.1.43.102
  20 permit ip host 10.1.40.155 host 10.1.43.102
!
vlan access-map DROP_TLAC 10
  match ip address TLAC
  action drop
vlan access-map DROP_TLAC 20
  action forward
  exit
!
vlan filter DROP_TLAC vlan-list xxx
!

cheers,

Seb.

0 Helpful

Go to solution
vlad09
Level 1
Level 1
In response to Seb Rupik

‎10-04-2018 12:43 AM

thank you but I dont clearly understand of VACL concept.
anyway, all I have to do is to allways create ACL, right? so basicaly, the first step it done :)

VACL:
vlan access-map DROP_TLAC - that 10 is the sequence number from extended ACL? if yes, why in the first statement you set action to drop and the second action to forward when ACL says permit? or you just made a mistake?
second:
match IP address TLAC - does it mean its gonna be looking at the addresses from the first portion of created ACL?
0 Helpful

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni
In response to vlad09

‎10-04-2018 03:15 AM

Yes, the VLAN access-map can have multiple clauses, this are sequenced by the number you point out.

The ACL when used with a VACL is used to match traffic. So the ACL uses a permit statement. Once the traffic has been matched in a clause you then decided on an action, in this case 'drop'.

The second clause, has no match statement so will match everything else remaining which hasn't been actioned in previous clauses. In you case we want to allow this traffic to be forwarded.

 

Yes the match ip address TLAC refers to the ACL....but note that we have changed them to permit ACEs because we are matching those source/ destination IP addresses.

 

cheers,

Seb.

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card