04-15-2011 09:47 AM - edited 03-06-2019 04:38 PM
I wanted to stop communication between PC1 & PC2 where PC1 is in VLAN 10 and PC2 is in VLAN 20 and applied the following configuration
mac access list extended MAC_FILTER
permit host <mac of PC1> host <mac of PC2>
vlan access-map FILTER_MAP 10
match mac address MAC_FILTER
action drop
vlan access-map FILTER_MAP 20
action forward
and then applied this filter on vlan 10
vlan filter FILTER_MAP vlan-list 10
The communication between PC1 & PC2 does not stop with this configuration; what is wrong with this configuration?
This configuration was applied on a Catalyst 4500 with Sup 6L-E and both PCs are connected directly to the Cat 4500.
04-15-2011 10:16 AM
Hi,
have you tried Private VLANs?
With a Private VLAN the main VLAN (Primary) can be logically associated with special unidirectional, or secondary, VLANs. Hosts associated with a secondary VLAN can communicate with ports on the primary VLAN but not with another secondary VLAN. So you need to configure the two ports that you want to isolate in a private VLAN (secondary) and then configure the trunk port as primary...
You can find more info here: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml#private_vlans
Hope this can help,
Stefano
04-15-2011 10:17 AM
No need of private vlans, with the vlan-maps you can achieve what you're looking for, but it seems you're missing something....
04-15-2011 10:21 AM
try removing this
vlan access-map FILTER_MAP 20
action forward
By default, if the traffic is not matched, it will forward it.
Let's see what you get back.
04-15-2011 10:49 AM
I removed
vlan access-map FILTER_MAP 20
action forward
but communication could not be stopped.
04-15-2011 01:58 PM
You had it right; you just applied the filter to the wrong VLAN
vlan filter FILTER_MAP vlan-list 10 (change to) vlan filter FILTER_MAP vlan-list 20
Look at your statements, "I wanted to stop communication between PC1 & PC2 where PC1 is in VLAN 10 and PC2 is in VLAN 20 and applied the following configuration."
You applied the filter to the source of the traffic; the destination does not reside in that VLAN.
Hope that helps.
07-12-2013 01:13 AM
If a VACL is configured for a packet type, and a packet of that type does not match the VACL, the default action is to deny the packet.
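An added Python model of how the vlan access-map posted above is evaluated (my example, not code from the thread or from Cisco): entries are tried in sequence order, the first match wins, an entry with no match clause matches everything, and the map is only consulted on VLANs named in vlan filter. The MAC addresses and the unmatched-traffic default are assumptions; the model covers only the access-map logic, not inter-VLAN routing or the platform's per-packet-type behaviour.

```python
# Added model of Cisco vlan access-map (VACL) evaluation; not Cisco's code.
# Models only the access-map logic (sequence order, first match wins, an entry
# with no match clause matches everything, map consulted only on filtered
# VLANs); it does not model inter-VLAN routing or packet-type defaults.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class MacAce:  # one ACE of "mac access-list extended"
    src: str
    dst: str
    permit: bool = True

@dataclass
class Frame:
    vlan: int
    src_mac: str
    dst_mac: str

@dataclass
class MapEntry:  # one "vlan access-map NAME SEQ" block
    seq: int
    action: str  # "drop" or "forward"
    match: Optional[List[MacAce]] = None  # None = no match clause

def acl_matches(acl: List[MacAce], frame: Frame) -> bool:
    # First ACE matching src/dst decides; nothing matched -> ACL not matched
    for ace in acl:
        if ace.src == frame.src_mac and ace.dst == frame.dst_mac:
            return ace.permit
    return False

def vacl_action(entries, filtered_vlans, frame, unmatched_default="forward"):
    # Return "drop" or "forward" for one frame seen on a VLAN
    if frame.vlan not in filtered_vlans:
        return "forward"  # map is not applied to this VLAN at all
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.match is None or acl_matches(entry.match, frame):
            return entry.action  # first matching sequence wins
    return unmatched_default  # platform default, as discussed in the replies

# Constructed MAC addresses standing in for <mac of PC1> / <mac of PC2>
PC1, PC2 = "0000.0000.0001", "0000.0000.0002"
MAC_FILTER = [MacAce(PC1, PC2)]
FILTER_MAP = [MapEntry(10, "drop", MAC_FILTER), MapEntry(20, "forward")]
```

Running the scenarios from the thread through it shows that dropping sequence 20 changes nothing for a PC1-to-PC2 frame (sequence 10 already matched it), that the map has no effect on a VLAN not listed in vlan filter, and that the single ACE only covers the PC1-to-PC2 direction.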