cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
490
Views
0
Helpful
2
Replies
Highlighted
Beginner

VACL Config

I want to block communication between devices within a same VLAN.

The VLAN (4) is using the 192.168.4.0/24 address range.

I have setup a VACL and applied this to the VLAN (4) but the devices can still communicate with eachother (tested using ping).

Both devices are on the same switch.

I am running this on GNS3 using the Cisco IOSvL2 image vios_l2-adventerprisek9-m.vmdk.SSA.152-4.0.55.E.

This is my config below...

 

  • SW-3#sh access-list
    Extended IP access list Restrict-Internal-VLAN4-Comm
    10 permit ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255
  • SW-3#sh vlan access-map
    Vlan access-map "Restrict-Internal-VLAN4-Comm" 10
    Match clauses:
    ip address: Restrict-Internal-VLAN4-Comm
    Action:
    drop
    Vlan access-map "Restrict-Internal-VLAN4-Comm" 20
    Match clauses:
    Action:
    forward
  • SW-3#sh vlan filter
    VLAN Map Restrict-Internal-VLAN4-Comm is filtering VLANs:
    4
  • interface GigabitEthernet0/2
    switchport access vlan 4
    switchport mode access
    media-type rj45
    negotiation auto
    spanning-tree portfast edge
  • interface GigabitEthernet0/3
    switchport access vlan 4
    switchport mode access
    media-type rj45
    negotiation auto
    spanning-tree portfast edge

 

Is this an issue with my config or a GNS3 issue?

 

Thanks.

 

2 REPLIES 2
Highlighted
VIP Mentor

Hi
You have not blocked ICMP in the ACL is that correct or is there more config , that's probably why the test is working
deny ICMP

The feature looks to be supported in that emulator image but they can be dodgy too

List of supported features for IOSvL2:

Layer-2 forwarding (auto-config’d), Switchport (auto-config’d), 802.1q trunk, 802.1q VLANs (auto-config’d), Spanning Tree (auto-config’d), Port-Channel (Pagp and Lacp), 802.1x passthrough, Port-ACLs, Dynamic Arp Inspection, DHCP Snooping, IP device tracking, Switched Virtual Interfaces, Layer-3 forwarding over SVIs, Routing protocol support, VTP v1-3, PVST, QoS, Inter-VLAN routing, VLAN Access Maps (VACLs / access control lists for VLANs), ACL functionality for both layer2 and layer3 protocol packets, Dynamic Trunking Protocol support, Switchport protected mode
Highlighted

ICMP should be covered in the 10 permit ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255 rule as this falls under "ip".
I have also tried changing this rule to "permit icmp any any" but I can still ping between the 2 hosts on VLAN 4.

Content for Community-Ad