VACL Assistance

perptech1
Level 1

I am trying to allow hosts on a single switch to communicate with an iSCSI SAN, but block the hosts from communicating with each other. Can you tell me if the below configuration will work? All hosts and SAN NICs are in the same VLAN, and the host MACs are the SAN. Thanks in advance!

mac access-list extended SAN
 permit any host 0025.9012.27d6
 permit any host 0025.9015.712c
 permit any host 0025.9012.22aa

vlan access-map permit 10
 action forward
 match macc address SAN
vlan access-map permit 20
 action drop

vlan filter permit vlan-list 160


John Blakley
VIP Alumni

Jason,

vlan access-map permit 10
 action forward
 match macc address SAN
vlan access-map permit 20
 action drop

You don't really need the permit 20 line because VACLs deny by default if traffic doesn't match any of the permits. So the rest of the traffic that doesn't match your sequence 10 will be dropped. You'll need to change the 'macc' line to 'match mac address SAN'. Other than that I don't see any issues...

HTH,

John


You have to be pretty careful using VACLs, as there are many things such as STP, ARP, HSRP, and other L2-based protocols that will also get blocked by your ACL. Also, you need to remember that a VACL is not stateful; you would need to add rules that allow bidirectional forwarding between the SAN and the hosts.

To implement your solution it may be easier or more scalable to use PVLANs.
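The two points raised in the replies (first-match evaluation with an implicit deny, and the fact that a VACL is not stateful) can be checked with a small model of how a VLAN access-map is applied to Layer-2 frames. This is an added example written for this thread, not configuration or code from the original posters or from Cisco: it simulates the evaluation order and does not talk to a switch. The SAN MAC addresses are the ones from the question; the host MACs and the frames are constructed sample data.

```python
"""Model of VLAN access-map (VACL) evaluation for the thread's scenario.

Rules encoded, as stated in the replies:
  * sequences are checked in order; the first one whose MAC ACL permits
    the frame decides the action ("forward" or "drop");
  * a frame that matches no sequence is dropped (implicit deny);
  * matching is purely on the frame's source/destination MAC, so there is
    no notion of a "return" direction (the VACL is not stateful).
"""
from dataclasses import dataclass
from typing import List, Optional, Dict

# SAN NIC MACs from the original post.
SAN_MACS = ["0025.9012.27d6", "0025.9015.712c", "0025.9012.22aa"]

# Constructed sample hosts (not from the thread).
HOST_A = "0011.2233.4455"
HOST_B = "0011.2233.6677"
BROADCAST = "ffff.ffff.ffff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


@dataclass(frozen=True)
class MacAce:
    """One 'permit <src> <dst>' entry; None stands for the keyword 'any'."""
    src: Optional[str]
    dst: Optional[str]

    def matches(self, frame: Frame) -> bool:
        return (self.src is None or self.src == frame.src) and \
               (self.dst is None or self.dst == frame.dst)


@dataclass
class Sequence:
    """One 'vlan access-map <name> <seq>' block with its MAC ACL and action."""
    acl: List[MacAce]
    action: str  # "forward" or "drop"


def evaluate(access_map: List[Sequence], frame: Frame) -> str:
    """Return the action the VACL applies to one frame (first match wins)."""
    for seq in access_map:
        if any(ace.matches(frame) for ace in seq.acl):
            return seq.action
    return "drop"  # implicit deny when nothing matched


# The question's map: "permit any host <SAN>" for each SAN MAC, action forward.
# Sequence 20 (action drop) is omitted because the implicit deny already does it.
OP_MAP = [Sequence([MacAce(None, m) for m in SAN_MACS], "forward")]

# Bidirectional variant suggested by the reply: also permit frames sourced by
# the SAN ("permit host <SAN> any") so its responses are forwarded.
BIDIR_MAP = [Sequence(
    [MacAce(None, m) for m in SAN_MACS] + [MacAce(m, None) for m in SAN_MACS],
    "forward",
)]

SAMPLE_FRAMES: Dict[str, Frame] = {
    "host_a_to_san": Frame(HOST_A, SAN_MACS[0]),
    "san_to_host_a": Frame(SAN_MACS[0], HOST_A),      # the SAN's reply
    "host_a_to_host_b": Frame(HOST_A, HOST_B),        # should be blocked
    "host_a_arp_broadcast": Frame(HOST_A, BROADCAST),  # ARP request
}


def results(access_map: List[Sequence]) -> Dict[str, str]:
    """Evaluate every constructed sample frame against the given access-map."""
    return {name: evaluate(access_map, f) for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for label, amap in (("as posted", OP_MAP), ("bidirectional", BIDIR_MAP)):
        print(label)
        for name, action in results(amap).items():
            print(f"  {name:22s} -> {action}")
```

With the map as posted, host-to-SAN frames are forwarded but the SAN's replies are dropped, because nothing permits frames whose source is a SAN MAC; the bidirectional variant fixes that while still dropping host-to-host frames. The broadcast case shows the other caveat from the reply: ARP requests also fall under the implicit deny, so the hosts cannot resolve the SAN's address unless that traffic is permitted too. One further thing to verify against your platform's documentation before relying on this: on some Catalyst switches a MAC ACL referenced in a VLAN map only classifies non-IP traffic, and iSCSI is IP.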

Karthik Kumar Thatikonda
Cisco Employee

Hi,

Another alternative is to achieve your implementation without a VACL. Configure each port on the switch that is in the same VLAN to be protected. Since it is one switch, it should be easier to implement.

switchport protected
