10-04-2018 12:10 AM - edited 03-08-2019 04:18 PM
Hi there,
Is there any way to restrict traffic within a VLAN? In my case I have VLAN 40 (its range is 10.1.40.0-10.1.43.255).
I have created an ACL like this and applied it to the VLAN interface in the inbound direction.
Extended IP access list tlac
10 deny ip host 10.1.40.12 host 10.1.43.102
20 deny ip host 10.1.40.155 host 10.1.43.102
30 permit ip any any
I wanted to deny the first two hosts from accessing the network printer, but the ACL doesn't work; I'm only getting matches on the permit statement.
Is there any way to achieve this?
10-04-2018 03:15 AM
Yes, the VLAN access-map can have multiple clauses; these are sequenced by the number you point out.
The ACL, when used with a VACL, is used to match traffic. So the ACL uses a permit statement. Once the traffic has been matched in a clause, you then decide on an action, in this case 'drop'.
The second clause has no match statement, so it will match everything else remaining which hasn't been actioned in previous clauses. In your case we want to allow this traffic to be forwarded.
Yes, the match ip address TLAC refers to the ACL... but note that we have changed them to permit ACEs because we are matching those source/destination IP addresses.
cheers,
Seb.
10-04-2018 12:28 AM - edited 10-04-2018 12:29 AM
Hi there,
Placing an ACL on an SVI will only filter traffic which is being passed through the interface to be routed off the subnet. Your devices reside on the same subnet, so a VACL is required.
Something like this:
!
! The ACL only selects the traffic; its ACEs are 'permit' because they are match criteria.
ip access-list extended TLAC
 10 permit ip host 10.1.40.12 host 10.1.43.102
 20 permit ip host 10.1.40.155 host 10.1.43.102
!
! Clause 10: drop what TLAC matches. Clause 20 has no match statement, so it forwards everything else.
vlan access-map DROP_TLAC 10
 match ip address TLAC
 action drop
vlan access-map DROP_TLAC 20
 action forward
exit
!
! Apply the map to the VLAN(s) in question.
vlan filter DROP_TLAC vlan-list xxx
!
cheers,
Seb.
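As an added illustration, not part of the thread or any Cisco code, here is a small Python model of how the VACL above evaluates a packet compared with a routed ACL on the SVI. The ACL name, access-map name and addresses come from the thread; the evaluation functions and the "OP-style" deny ACL used for comparison are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed model: in a VACL, the ACL only *matches* traffic (a permit ACE
# means "this packet matches"); the access-map clause's action then decides.
# ACEs are (verdict, src, dst); "any" is a wildcard.

# Match ACL from Seb's reply: permit ACEs, because they are match criteria.
TLAC = [
    ("permit", "10.1.40.12", "10.1.43.102"),
    ("permit", "10.1.40.155", "10.1.43.102"),
]

# vlan access-map DROP_TLAC: ordered clauses (seq, match-acl or None, action).
DROP_TLAC = [
    (10, TLAC, "drop"),
    (20, None, "forward"),  # no match statement: matches everything left
]

# The OP's original deny-style ACL, used below to show the inversion Seb warns about.
OP_STYLE = [
    ("deny", "10.1.40.12", "10.1.43.102"),
    ("deny", "10.1.40.155", "10.1.43.102"),
    ("permit", "any", "any"),
]

def acl_matches(acl, src, dst):
    """First ACE whose src and dst both fit decides: permit -> matched,
    deny -> explicitly not matched; no ACE hit -> not matched (implicit deny)."""
    for verdict, ace_src, ace_dst in acl:
        if ace_src in ("any", src) and ace_dst in ("any", dst):
            return verdict == "permit"
    return False

def vacl_action(access_map, src, dst):
    """Walk clauses in sequence order. A clause without a match statement
    matches all remaining traffic. If no clause matches, the VACL's own
    implicit deny drops the packet (why clause 20 'forward' is needed)."""
    for _seq, acl, action in sorted(access_map, key=lambda c: c[0]):
        if acl is None or acl_matches(acl, src, dst):
            return action
    return "drop"

def svi_acl_consulted(src, dst, subnet="10.1.40.0/22"):
    """A routed (SVI) ACL only sees packets leaving the subnet; the two hosts
    and the printer all sit in 10.1.40.0/22, so that ACL is never hit."""
    net = ip_network(subnet)
    return not (ip_address(src) in net and ip_address(dst) in net)
```

Running the OP's deny-style ACL through the same access-map drops everyone except the two hosts, which is the inversion Seb's note about changing them to permit ACEs refers to.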