Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6909
Views
0
Helpful
6
Replies

VLAN filtering

Go to solution
rehan_uet
Level 1
Level 1

‎04-15-2011 09:47 AM - edited ‎03-06-2019 04:38 PM

I wanted to stop communication between PC1 & PC2 where PC1 is in VLAN 10 and PC2 is in VLAN 20 and applied the following configuration

mac access list extended MAC_FILTER

permit host <mac of PC1> host <mac of PC2>

vlan access-map FILTER_MAP 10

match mac address MAC_FILTER

action drop

vlan access-map FILTER_MAP 20

action forward

and then applied this filter on vlan 10

vlan filter FILTER_MAP vlan-list 10

The communication between PC1 & PC2 does not stop with this configuration; what is wrong with this configuration.

This configuration was applied on Catalys 4500 with sup 6L-E and both PCs are connected directly to Cat 4500.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hugoramirez
Level 1
Level 1
In response to hugoramirez

‎04-15-2011 10:21 AM

try removing this

vlan access-map FILTER_MAP 20

action forward

by default if the traffic is not matched, it will fwd it,

let´s see what you get back

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Stefano Pilla
Level 1
Level 1

‎04-15-2011 10:16 AM

Hi,

have you tried Private VLANs?

With a Private VLAN the main VLAN (Primary) can be logically associated with special unidirectional, or secondary, VLAN. Host associated with a secondary VLAN can communicate with ports on the primary VLAN but none with another secondary VLAN. So need to confgure the two ports that you want to isolate in a private VLAN (secondary) and then configure the trunk port as primary...

You can find more info here: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml#private_vlans

Hope this can help,

Stefano

0 Helpful

Go to solution
hugoramirez
Level 1
Level 1
In response to Stefano Pilla

‎04-15-2011 10:17 AM

No need of private vlans, with the vlan-maps you can achieve what you´re looking for, but it seems you´re missing something....

0 Helpful

Go to solution
hugoramirez
Level 1
Level 1
In response to hugoramirez

‎04-15-2011 10:21 AM

try removing this

vlan access-map FILTER_MAP 20

action forward

by default if the traffic is not matched, it will fwd it,

let´s see what you get back

0 Helpful

Go to solution
rehan_uet
Level 1
Level 1
In response to hugoramirez

‎04-15-2011 10:49 AM

I removed

vlan access-map FILTER_MAP 20

action forward

but communication could not be stopped.

0 Helpful

Go to solution
Not applicable
In response to rehan_uet

‎04-15-2011 01:58 PM

You had it right; you just applied the filter to the wrong VLAN

vlan filter FILTER_MAP vlan-list 10 (change to) vlan filter FILTER_MAP vlan-list 20

Look at your statements, "I wanted to stop communication between PC1 & PC2 where PC1 is in VLAN 10 and PC2 is in VLAN 20 and applied the following configuration."

You applied the filter to the source of the traffic; the destination does not reside in that VLAN.

Hope that helps.

0 Helpful

Go to solution
zhuotian1981
Level 1
Level 1
In response to hugoramirez

‎07-12-2013 01:13 AM

If a VACL is configured for a packet type, and a packet of that type does not match the VACL, the default action is to deny the packet.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card