08-29-2008 04:41 AM - edited 03-06-2019 01:04 AM
Hi,
Is it possible to prohibit communication via TCP port 1761 for several servers on a switch? I've never configured a VLAN ACL, so I have to act very carefully in a productive server farm. Is it possible to configure a VLAN ACL at port level? It's undesired to configure an ACL on the backbone router.
TIA,
Stephan
08-29-2008 05:05 AM
VACLs are configured as a VLAN access map, in much the same format as a route map. A VLAN access map consists of one or more statements, each having a common map name.
A VACL can either drop a matching packet, forward it, or redirect it to another interface. The TCAM performs the entire VACL match and action, as packets are switched or bridged within a VLAN, or routed into or out of a VLAN.
Finally, you must apply the VACL to a VLAN using the following global configuration command:
Switch(config)# vlan filter map-name vlan-list vlan-list
For example, suppose that you need to filter traffic within VLAN 99 so that host 192.168.99.17 is not allowed to contact any other host on its local subnet. Access list local-17 is created to identify traffic between this host and anything else on its local subnet. Then a VLAN access map is defined: if the local-17 access list permits the IP address, the packet is dropped; otherwise, the packet is forwarded.
Switch(config)# ip access-list extended local-17
Switch(config-acl)# permit ip host 192.168.99.17 192.168.99.0 0.0.0.255
Switch(config-acl)# exit
Switch(config)# vlan access-map block-17 10
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
Switch(config-access-map)# vlan access-map block-17 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter block-17 vlan-list 99
In your case, make it like:
Switch(config)# ip access-list extended local-17
Switch(config-acl)# permit tcp host 192.168.99.17 192.168.99.0 0.0.0.255 eq 1761
and so the same idea for any source, destination and port.
Good luck.
If helpful, rate.
08-29-2008 05:11 AM
That means that the entire VLAN is affected by the VACL. It's not possible to put it only on one single L2 port, I guess. That's not a good solution.. :-)
Thanks,
Stephan
08-29-2008 05:13 AM
But if you make the source a specific host, only that host in that VLAN will be affected, not other hosts,
so it works for your case.
08-29-2008 05:22 AM
Yes, you're right! Sometimes life is so easy, thanks!
08-29-2008 05:24 AM
By the way, don't forget this line at the end, I mean after the deny statements in the VACL:
Switch(config-access-map)# vlan access-map block-17 20
Switch(config-access-map)# action forward
This one will permit all other traffic.
If you don't put it, everything will be denied unless you permit it.
Please, if helpful, rate,
and good luck :)
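The following is an added example that is not part of any post in this thread; it extends the configuration from the answer above (and the later reminder about the final forward clause) to the case the question actually asks about: several servers, TCP port 1761, applied to one VLAN only. The VLAN number (99), the three server addresses (192.168.99.17, .18 and .19) and the names BLOCK-1761 and FILTER-1761 are assumptions for illustration. Two details go beyond the one-line ACL given in the answer: a matching ACE is added for each direction, because an ACE with the server as the TCP source only stops connections the server initiates (a peer connecting to the server on port 1761 has the server as destination, and the server's replies carry 1761 as source port, so neither is matched by the original line), and the explicit final forward clause is included, since an access map with no matching clause drops the packet.

```cisco
! Added example, not from the original posts or from Cisco documentation.
! Assumptions: VLAN 99, servers 192.168.99.17-19, ACL and map names.
!
! The extended ACL only SELECTS traffic for the access map. "permit" here
! means "match"; the action (drop/forward) is decided in the access map.
ip access-list extended BLOCK-1761
 remark server -> any host on the local subnet, destination port 1761
 permit tcp host 192.168.99.17 192.168.99.0 0.0.0.255 eq 1761
 permit tcp host 192.168.99.18 192.168.99.0 0.0.0.255 eq 1761
 permit tcp host 192.168.99.19 192.168.99.0 0.0.0.255 eq 1761
 remark any host on the local subnet -> server port 1761 (inbound connections)
 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.17 eq 1761
 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.18 eq 1761
 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.19 eq 1761
!
! Sequence 10: anything BLOCK-1761 matches is dropped.
vlan access-map FILTER-1761 10
 match ip address BLOCK-1761
 action drop
!
! Sequence 20: no match clause, so it matches everything else and forwards it.
! Without this clause the implicit deny at the end of the map drops ALL
! traffic in the VLAN, not just port 1761.
vlan access-map FILTER-1761 20
 action forward
!
! Apply to VLAN 99 only; other VLANs on the switch are not touched.
vlan filter FILTER-1761 vlan-list 99
!
! Verification (exec mode):
!   show vlan access-map FILTER-1761
!   show vlan filter
!   show ip access-lists BLOCK-1761
```

The `vlan filter` line takes effect immediately on every port in VLAN 99, so enter it last, in a maintenance window, after checking the access map with `show vlan access-map`; the whole filter can be backed out with `no vlan filter FILTER-1761 vlan-list 99`. Because the VACL matches on addresses rather than on a physical port, only the listed servers are affected; every other host in the VLAN is still free to use port 1761 among themselves, which is what the question asked for.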