03-30-2012 09:36 AM - edited 03-07-2019 05:52 AM
I am trying to allow hosts on a single switch to communicate with an iSCSI SAN, but block the hosts from communicating with each other. Can you tell me if the below configuration will work? All hosts and the SAN NIC are in the same VLAN, and the 'host' MACs are the SAN's. Thanks in advance!
mac access-list extended SAN
permit any host 0025.9012.27d6
permit any host 0025.9015.712c
permit any host 0025.9012.22aa
vlan access-map permit 10
action forward
match macc address SAN
vlan access-map permit 20
action drop
vlan filter permit vlan-list 160
03-30-2012 09:42 AM
Jason,
vlan access-map permit 10
action forward
match macc address SAN
vlan access-map permit 20
action drop
You don't really need the permit 20 line, because VACLs deny by default if the traffic doesn't match any of the permits. So the rest of the traffic that doesn't match your sequence 10 will be dropped. You'll need to change the 'macc' line to 'match mac address SAN'. Other than that I don't see any issues...
HTH,
John
03-30-2012 12:08 PM
You have to be pretty careful using VACLs, as there are many things such as STP, ARP, HSRP, and other L2-based protocols that will also get blocked by your ACL. Also, you need to remember that a VACL is not stateful; you would need to allow rules for bidirectional forwarding between the SAN and hosts.
To implement your solution it may be easier/more scalable to use PVLANs.
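To make the two points above concrete (the implicit deny in John's reply and the "not stateful, needs both directions" warning here), the following is an added example, not configuration from the thread: a small Python model of how a VLAN access-map evaluates a MAC ACL, run over the ACL exactly as posted and over a hypothetical corrected version that adds the SAN-to-host direction and a broadcast permit for ARP. The host MACs, the frame set and the access-map name SAN-ONLY are made up for the example; the SAN MACs are the ones from the post.

```python
"""Model of how a Catalyst VLAN access-map evaluates a MAC ACL.

This is an added example, not configuration from the thread. It simulates
only the matching logic: a MAC ACE is (src, dst), each side 'any' or one
MAC; a VLAN map is an ordered list of (ACL, action); a frame matching no
clause is dropped (implicit deny). Host MACs below are made up.
"""
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"


@dataclass(frozen=True)
class Ace:
    """One 'permit <src> <dst>' entry of a 'mac access-list extended'."""
    src: str  # 'any' or a MAC in dotted-hex form
    dst: str


def _side_matches(pattern: str, mac: str) -> bool:
    return pattern == "any" or pattern.lower() == mac.lower()


def acl_matches(acl: list[Ace], src: str, dst: str) -> bool:
    """True if any ACE permits the (src, dst) pair."""
    return any(_side_matches(a.src, src) and _side_matches(a.dst, dst) for a in acl)


def vlan_map_action(vlan_map: list[tuple[list[Ace], str]], src: str, dst: str) -> str:
    """First matching clause wins; a frame matching nothing gets the implicit drop."""
    for acl, action in vlan_map:
        if acl_matches(acl, src, dst):
            return action
    return "drop"


# SAN MACs exactly as posted.
SAN_MACS = ["0025.9012.27d6", "0025.9015.712c", "0025.9012.22aa"]

# The posted ACL: 'permit any host <san>' = any source, SAN destination only.
POSTED_SAN_ACL = [Ace("any", m) for m in SAN_MACS]
POSTED_MAP = [(POSTED_SAN_ACL, "forward")]

# Hypothetical corrected ACL: add the return direction ('permit host <san> any')
# and permit broadcast so the hosts' ARP requests are not dropped.
FIXED_SAN_ACL = (
    POSTED_SAN_ACL
    + [Ace(m, "any") for m in SAN_MACS]
    + [Ace("any", BROADCAST)]
)
FIXED_MAP = [(FIXED_SAN_ACL, "forward")]
# Equivalent IOS lines for FIXED_SAN_ACL (same syntax as the post; not tested on a switch):
#   mac access-list extended SAN
#    permit any host 0025.9012.27d6        (one line per SAN MAC)
#    permit host 0025.9012.27d6 any        (one line per SAN MAC)
#    permit any host ffff.ffff.ffff
#   vlan access-map SAN-ONLY 10
#    action forward
#    match mac address SAN
#   vlan filter SAN-ONLY vlan-list 160

# Constructed host MACs for the sample frames.
HOST_A = "0011.2233.4455"
HOST_B = "0011.2233.6677"


def evaluate(vlan_map) -> dict[str, str]:
    """Run the four frame types that matter for this thread through a map."""
    return {
        "host_to_san": vlan_map_action(vlan_map, HOST_A, SAN_MACS[0]),
        "san_to_host": vlan_map_action(vlan_map, SAN_MACS[0], HOST_A),
        "host_to_host": vlan_map_action(vlan_map, HOST_A, HOST_B),
        "host_arp_broadcast": vlan_map_action(vlan_map, HOST_A, BROADCAST),
    }


if __name__ == "__main__":
    for name, vmap in (("posted", POSTED_MAP), ("fixed", FIXED_MAP)):
        print(name, evaluate(vmap))
```

Running it shows the posted map forwarding host-to-SAN frames but dropping the SAN's replies and the hosts' ARP broadcasts, so iSCSI would never come up; the corrected map forwards both directions and still drops host-to-host unicast. Two caveats remain even with the fix: the broadcast permit means one host's broadcasts still reach the other hosts (only their unicast replies are dropped), and on some Catalyst platforms a MAC ACL in a VLAN map matches only non-IP frames, so IP traffic such as iSCSI would need a `match ip address` clause instead. Both are reasons the PVLAN and protected-port suggestions in this thread tend to be the simpler route.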
03-30-2012 03:25 PM
Hi,
Another alternative to achieve your implementation without a VACL: configure each port on the switch that is in the same VLAN to be protected. Since it is one switch, it should be easier to implement.
switchport protected