Beginner

VACL Config

I want to block communication between devices within a same VLAN.

The VLAN (4) is using the 192.168.4.0/24 address range.

I have set up a VACL and applied this to the VLAN (4) but the devices can still communicate with each other (tested using ping).

Both devices are on the same switch.

I am running this on GNS3 using the Cisco IOSvL2 image vios_l2-adventerprisek9-m.vmdk.SSA.152-4.0.55.E.

This is my config below...


  • SW-3#sh access-list
    Extended IP access list Restrict-Internal-VLAN4-Comm
    10 permit ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255
  • SW-3#sh vlan access-map
    Vlan access-map "Restrict-Internal-VLAN4-Comm" 10
    Match clauses:
    ip address: Restrict-Internal-VLAN4-Comm
    Action:
    drop
    Vlan access-map "Restrict-Internal-VLAN4-Comm" 20
    Match clauses:
    Action:
    forward
  • SW-3#sh vlan filter
    VLAN Map Restrict-Internal-VLAN4-Comm is filtering VLANs:
    4
  • interface GigabitEthernet0/2
    switchport access vlan 4
    switchport mode access
    media-type rj45
    negotiation auto
    spanning-tree portfast edge
  • interface GigabitEthernet0/3
    switchport access vlan 4
    switchport mode access
    media-type rj45
    negotiation auto
    spanning-tree portfast edge


Is this an issue with my config or a GNS3 issue?


Thanks.


VIP Mentor

Re: VACL Config

Hi
You have not blocked ICMP in the ACL. Is that correct, or is there more config? That's probably why the test is working:
deny ICMP

The feature looks to be supported in that emulator image, but they can be dodgy too.

List of supported features for IOSvL2:

Layer-2 forwarding (auto-config’d), Switchport (auto-config’d), 802.1q trunk, 802.1q VLANs (auto-config’d), Spanning Tree (auto-config’d), Port-Channel (Pagp and Lacp), 802.1x passthrough, Port-ACLs, Dynamic Arp Inspection, DHCP Snooping, IP device tracking, Switched Virtual Interfaces, Layer-3 forwarding over SVIs, Routing protocol support, VTP v1-3, PVST, QoS, Inter-VLAN routing, VLAN Access Maps (VACLs / access control lists for VLANs), ACL functionality for both layer2 and layer3 protocol packets, Dynamic Trunking Protocol support, Switchport protected mode
Beginner

Re: VACL Config

ICMP should be covered in the 10 permit ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255 rule as this falls under "ip".
I have also tried changing this rule to "permit icmp any any" but I can still ping between the 2 hosts on VLAN 4.
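An added model of VACL evaluation (not code from this thread or from Cisco) to check the logic of the posted configuration: ACL entries classify with wildcard masks, a "permit ip" entry covers ICMP along with every other IP protocol, and the first access-map sequence whose match clause hits supplies the action. Fed a constructed VLAN 4 ping, sequence 10 drops it for both the original ACL and the "permit icmp any any" variant, so the ACL wording does not explain the pings getting through.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    if network == "any":                      # 'any' == 0.0.0.0 255.255.255.255
        return True
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == \
           (int(ipaddress.IPv4Address(network)) & keep)


PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}  # 'ip' matches every protocol


def ace_matches(ace, pkt):
    proto, src, smask, dst, dmask = ace
    if proto != "ip" and PROTO_NUM[proto] != pkt["proto"]:
        return False
    return wildcard_match(pkt["src"], src, smask) and \
           wildcard_match(pkt["dst"], dst, dmask)


def acl_permits(acl, pkt):
    """First matching ACE decides; an unmatched packet hits the implicit deny."""
    for action, ace in acl:
        if ace_matches(ace, pkt):
            return action == "permit"
    return False


def vacl_action(access_map, acls, pkt):
    """Walk the sequences in order. A match clause hits when the referenced ACL
    permits the packet; a sequence with no match clause matches everything."""
    for seq, acl_name, action in access_map:
        if acl_name is None or acl_permits(acls[acl_name], pkt):
            return seq, action
    return None, "drop"                       # implicit drop at end of map


# Constructed from the "sh access-list" / "sh vlan access-map" output above.
ACLS = {"Restrict-Internal-VLAN4-Comm": [
    ("permit", ("ip", "192.168.4.0", "0.0.0.255", "192.168.4.0", "0.0.0.255"))]}
ACCESS_MAP = [(10, "Restrict-Internal-VLAN4-Comm", "drop"),
              (20, None, "forward")]
# The variant tried in the second reply: 'permit icmp any any'.
ACLS_ICMP_ANY = {"Restrict-Internal-VLAN4-Comm": [
    ("permit", ("icmp", "any", None, "any", None))]}

if __name__ == "__main__":
    ping = {"proto": 1, "src": "192.168.4.10", "dst": "192.168.4.20"}  # constructed
    print(vacl_action(ACCESS_MAP, ACLS, ping))           # (10, 'drop')
    print(vacl_action(ACCESS_MAP, ACLS_ICMP_ANY, ping))  # (10, 'drop')
```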
