VACL Config

DM812
Level 1

I want to block communication between devices within a same VLAN.

The VLAN (4) is using the 192.168.4.0/24 address range.

I have set up a VACL and applied this to the VLAN (4) but the devices can still communicate with each other (tested using ping).

Both devices are on the same switch.

I am running this on GNS3 using the Cisco IOSvL2 image vios_l2-adventerprisek9-m.vmdk.SSA.152-4.0.55.E.

This is my config below...

SW-3#sh access-list
Extended IP access list Restrict-Internal-VLAN4-Comm
    10 permit ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255

SW-3#sh vlan access-map
Vlan access-map "Restrict-Internal-VLAN4-Comm" 10
  Match clauses:
    ip address: Restrict-Internal-VLAN4-Comm
  Action:
    drop
Vlan access-map "Restrict-Internal-VLAN4-Comm" 20
  Match clauses:
  Action:
    forward

SW-3#sh vlan filter
VLAN Map Restrict-Internal-VLAN4-Comm is filtering VLANs:
  4

interface GigabitEthernet0/2
 switchport access vlan 4
 switchport mode access
 media-type rj45
 negotiation auto
 spanning-tree portfast edge

interface GigabitEthernet0/3
 switchport access vlan 4
 switchport mode access
 media-type rj45
 negotiation auto
 spanning-tree portfast edge


Is this an issue with my config or a GNS3 issue?


Thanks.

2 Replies

Mark Malone
VIP Alumni

Hi,
You have not blocked ICMP in the ACL. Is that correct, or is there more config? That's probably why the test is working:
deny ICMP

The feature looks to be supported in that emulator image, but they can be dodgy too.

List of supported features for IOSvL2:

Layer-2 forwarding (auto-config’d), Switchport (auto-config’d), 802.1q trunk, 802.1q VLANs (auto-config’d), Spanning Tree (auto-config’d), Port-Channel (Pagp and Lacp), 802.1x passthrough, Port-ACLs, Dynamic Arp Inspection, DHCP Snooping, IP device tracking, Switched Virtual Interfaces, Layer-3 forwarding over SVIs, Routing protocol support, VTP v1-3, PVST, QoS, Inter-VLAN routing, VLAN Access Maps (VACLs / access control lists for VLANs), ACL functionality for both layer2 and layer3 protocol packets, Dynamic Trunking Protocol support, Switchport protected mode

ICMP should be covered by the "10 permit ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255" rule, as ICMP falls under "ip".
I have also tried changing this rule to "permit icmp any any", but I can still ping between the 2 hosts on VLAN 4.
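A small model of how a VLAN access-map is evaluated, added here as an example (it is not from the thread or from Cisco) to check the logic of the map posted above: an ACL "permit" inside a match clause means the packet matches, the sequence's action is then applied, a sequence with no match clause matches everything, and a packet matching no sequence is dropped. The host addresses are constructed. Under those semantics both the "permit ip" and the "permit icmp any any" variant drop a ping between two VLAN 4 hosts, which is the point the poster's second reply makes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One access-list entry, e.g. 'permit ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255'."""
    action: str    # "permit" or "deny"
    protocol: str  # "ip" covers every IP protocol; "icmp"/"tcp"/"udp" cover just one
    src: str       # "<address> <wildcard>" or "any"
    dst: str


def wildcard_match(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard is a bit that must match."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def acl_permits(acl: list, proto: str, src: str, dst: str) -> bool:
    """First matching ACE decides; in a VACL match clause 'permit' means 'this packet matches'."""
    for ace in acl:
        if ace.protocol in ("ip", proto) and wildcard_match(ace.src, src) and wildcard_match(ace.dst, dst):
            return ace.action == "permit"
    return False  # implicit deny: the clause does not match this packet


def vacl_action(access_map: list, acls: dict, proto: str, src: str, dst: str) -> str:
    """Walk the map in sequence order; an empty match list matches every packet;
    a packet matching no sequence hits the implicit drop at the end of the map."""
    for seq in access_map:
        if not seq["match"] or any(acl_permits(acls[n], proto, src, dst) for n in seq["match"]):
            return seq["action"]
    return "drop"


# The poster's configuration, transcribed from the show output in the thread.
ACLS = {"Restrict-Internal-VLAN4-Comm": [
    Ace("permit", "ip", "192.168.4.0 0.0.0.255", "192.168.4.0 0.0.0.255")]}
ACCESS_MAP = [
    {"seq": 10, "match": ["Restrict-Internal-VLAN4-Comm"], "action": "drop"},
    {"seq": 20, "match": [], "action": "forward"},
]
# The "permit icmp any any" variant the poster also tried.
ACLS_ICMP_ONLY = {"Restrict-Internal-VLAN4-Comm": [Ace("permit", "icmp", "any", "any")]}

if __name__ == "__main__":
    # Constructed VLAN 4 hosts (not from the thread); 192.168.5.20 stands in for an off-subnet destination.
    print("icmp host->host:", vacl_action(ACCESS_MAP, ACLS, "icmp", "192.168.4.10", "192.168.4.20"))
    print("tcp  host->other subnet:", vacl_action(ACCESS_MAP, ACLS, "tcp", "192.168.4.10", "192.168.5.20"))
    print("tcp  host->host, icmp-only ACL:", vacl_action(ACCESS_MAP, ACLS_ICMP_ONLY, "tcp", "192.168.4.10", "192.168.4.20"))
```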
