1438 Views · 0 Helpful · 7 Replies

vlan access list

sarahr202
Level 5

Hi everybody.

Host h1 and host h2 are in the same VLAN, say VLAN 5. We must use a VLAN access list to stop any communication between h1 and h2, considering that the source h1 and the destination h2 are located off different switches.

h1---------sw1-trunk----sw2---trunk--sw3----h2

h1  199.199.199.1

h2  199.199.199.2

============================================

A VLAN access list requires a VLAN access-map to be configured. A VLAN access-map consists of match and action statements.

Consider the following statement/command:

Switch(config-access-map)# action {drop | forward [capture] | redirect TYPE MOD/NUM}

How does the option "capture" work?

thanks and have a nice week


7 Replies

Reza Sharifi
Hall of Fame

Hi Sarah,

Are you looking at an older version of IOS? From a 3750 running 12.2(52), I only see drop and forward. Have a look:

Switch(config-access-map)#action ?
  drop     Drop packets
  forward  Forward packets
Switch(config-access-map)#action

HTH

I see the redirect option on my 6509:

6509(config-access-map)#action ?
  drop      Drop packets
  forward   Forward packets
  redirect  Redirect packets

Siddhartha

What version of IOS are you running?

s72033-advipservicesk9_wan-mz.122-33.SXJ2.bin

It seems that by using redirect we can send traffic to different physical interfaces based on matching criteria, but I don't see the capture option in my output.

The link below gives an example for the capture option.

Can use VACL to capture certain traffic (based on access-list matching criteria) and forward that to IDS or IPS for monitoring

http://voices.yahoo.com/overcoming-limitations-cisco-span-vacls-4896488.html

Siddhartha

Thanks,

So, looking at this link, it appears that both capture and redirect were part of an older IOS version and now the capture is removed and redirect is still there.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/command/reference/chap2a.pdf

Thanks Reza and siddhartham.

If we have to block communication between two hosts in the same VLAN using a VLAN access list, should they be located off the same switch, or could they be located off different switches?

Thanks

Hi Sarah,

The filtering is based on the IP address of the host, so they could be in different switches.  One other way to do this is by using private vlans and putting hosts in isolated mode, so they can't communicate with each other.

Here is a link for reference:

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml

Thanks,

Reza
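The following is an added example, not code from this thread or from Cisco. It is a small Python model of how a VLAN access-map is applied to traffic inside a VLAN, written to illustrate both the original question (blocking h1 and h2 in VLAN 5 with a VACL) and Reza's point that the filter keys on IP addresses, so the switch the hosts hang off does not matter. It parses a constructed IOS-style configuration using the thread's addresses 199.199.199.1 and 199.199.199.2; the ACL names, the host 199.199.199.3, the sensor port GigabitEthernet1/1 and the second map entry are assumptions for illustration. The evaluation rules it models (entries tried in sequence order, first entry whose ACL permits the packet decides, an entry without a match clause matches everything, a packet matching no entry is dropped, ACLs carry an implicit deny) are the documented Catalyst VACL behaviour as the author of this example understands it, not something copied from the device.

```python
"""VACL (VLAN access-map) evaluator. Added example, not from the thread or Cisco."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

# Constructed configuration (assumed names and ports). Entry 10 blocks h1<->h2;
# a VACL is not directional, so the ACL lists both directions of the flow.
# Entry 20 shows the redirect action; entry 30 is the catch-all forward.
SAMPLE_CONFIG = """
ip access-list extended BLOCK_H1_H2
 permit ip host 199.199.199.1 host 199.199.199.2
 permit ip host 199.199.199.2 host 199.199.199.1
!
ip access-list extended WEB_TO_SENSOR
 permit tcp any any eq 80
!
vlan access-map VLAN5_MAP 10
 match ip address BLOCK_H1_H2
 action drop
vlan access-map VLAN5_MAP 20
 match ip address WEB_TO_SENSOR
 action redirect GigabitEthernet1/1
vlan access-map VLAN5_MAP 30
 action forward
!
vlan filter VLAN5_MAP vlan-list 5
"""


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str = "ip"            # "ip" here means "any IP protocol"
    dport: Optional[int] = None


@dataclass
class Ace:
    """One access-control entry of an extended ACL (numeric ports only)."""
    permit: bool
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if pkt.src not in self.src or pkt.dst not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.dport


@dataclass
class MapEntry:
    seq: int
    acl: Optional[str] = None          # None: entry has no match clause, matches all
    action: Tuple[str, ...] = ("forward",)   # IOS default action is forward


@dataclass
class Vacl:
    acls: Dict[str, List[Ace]]
    entries: List[MapEntry]

    def acl_permits(self, name: str, pkt: Packet) -> bool:
        # First matching ACE wins; implicit deny at the end of every ACL.
        for ace in self.acls.get(name, []):
            if ace.matches(pkt):
                return ace.permit
        return False

    def evaluate(self, pkt: Packet) -> Tuple[str, ...]:
        for entry in sorted(self.entries, key=lambda e: e.seq):
            if entry.acl is None or self.acl_permits(entry.acl, pkt):
                return entry.action
        return ("drop",)   # modelled: no entry matched, packet is dropped


def _parse_addr(tok: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tok[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2


def parse_config(text: str) -> Vacl:
    acls: Dict[str, List[Ace]] = {}
    entries: Dict[int, MapEntry] = {}
    cur_acl = cur_entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            cur_acl = cur_entry = None
            continue
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "extended"]:
            cur_acl, cur_entry = acls.setdefault(tok[3], []), None
        elif tok[:2] == ["vlan", "access-map"]:
            cur_entry, cur_acl = entries.setdefault(int(tok[3]), MapEntry(int(tok[3]))), None
        elif cur_acl is not None and tok[0] in ("permit", "deny"):
            src, i = _parse_addr(tok, 2)
            dst, i = _parse_addr(tok, i)
            dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            cur_acl.append(Ace(tok[0] == "permit", tok[1], src, dst, dport))
        elif cur_entry is not None and tok[:3] == ["match", "ip", "address"]:
            cur_entry.acl = tok[3]
        elif cur_entry is not None and tok[0] == "action":
            cur_entry.action = tuple(tok[1:])   # e.g. ("forward", "capture") on old IOS
        # "vlan filter ..." binds the map to VLANs; not modelled here
    return Vacl(acls, list(entries.values()))


VACL = parse_config(SAMPLE_CONFIG)


def decision(src: str, dst: str, proto: str = "ip", dport: Optional[int] = None,
             vacl: Vacl = VACL) -> Tuple[str, ...]:
    """Action the map takes for one packet, regardless of ingress switch or port."""
    return vacl.evaluate(Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, dport))


if __name__ == "__main__":
    for args in [("199.199.199.1", "199.199.199.2"),
                 ("199.199.199.2", "199.199.199.1", "tcp", 80),
                 ("199.199.199.1", "199.199.199.3", "tcp", 80),
                 ("199.199.199.1", "199.199.199.3")]:
        print(args, "->", decision(*args))
```

The evaluator takes no notion of which switch or port a packet entered on, which is the point Reza makes: the map is bound to the VLAN and decides on IP addresses, so h1 and h2 can sit on different switches as long as the VACL is applied where their traffic is switched. Dropping the catch-all entry 30 (as the lower part of the usage below does) shows why forgetting it is the classic VACL mistake: everything that does not match an earlier entry is dropped.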
