So....never knew about these little guys! Turns out that you cannot filter traffic from say a host on VLAN 1 to other hosts on VLAN 1 with a regular ACL. Because there is no "interface", you cannot apply an inbound or outbound ACL to permit or deny traffic. That is where VACL's come into play. They basically let you identify traffic, and create a filter that will permit or deny the traffic within the same VLAN. Here is the basic config:
**ALL IN GLOBAL CONFIGURATION MODE**
ip access-list extended 101 permit ip 192.168.20.0 0.0.0.3 192.168.20.0 0.0.0.255
vlan access-map [name] [sequence number]
match ip address 101
action [drop, forward]
vlan access-map [name] [sequence number]
action forward (this is like an explicit forward for VACL's)
**1 VACL per vlan
**reads from top to bottom just like a regular ACL
**They have an implicit deny...so add that final action forward if you want to forward additional traffic
No comments:
Post a Comment