VLAN access-lists (VACL) are very useful if you want to filter traffic within the VLAN. Let me give you an example:
Let’s say I want to make sure that the two computers are unable to communicate with the server. You could use port-security to filter MAC addresses, but this isn’t a very safe method.
I will show you how to configure a VACL so that the two computers won’t be able to reach the server. First we have to create an access-list:
SW1(config)#access-list 100 permit ip any host 192.168.1.100
First step is to create an extended access-list. Traffic from any source to destination IP address 192.168.1.100 should match my access-list. This might look confusing to you because your gut will tell you to use “deny” in this statement…don’t do it though, use the permit statement!
SW1(config)#vlan access-map NOT-TO-SERVER 10
SW1(config-access-map)#match ip address 100
SW1(config-access-map)#action drop
SW1(config-access-map)#vlan access-map NOT-TO-SERVER 20
SW1(config-access-map)#action forward
Next step is to create the VACL. Mine is called “NOT-TO-SERVER”.
• Sequence number 10 will look for traffic that matches access-list 100. All traffic that is permitted in access-list 100 will match here. The action is to drop this traffic.
• Sequence number 20 doesn’t have a match statement, so everything will match; the action is to forward traffic.
As a result all traffic from any host to destination IP address 192.168.1.100 will be dropped, everything else will be forwarded.
SW1(config)#vlan filter NOT-TO-SERVER vlan-list 10
Last step is to apply the VACL to the VLANs you want. I apply mine to VLAN 10. Let’s see if this works or not…
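To make the permit/drop logic above concrete, here is a small Python model of how the switch evaluates this VACL. It is an added example, not part of the lesson or of Cisco IOS; the ACL and access-map are encoded as plain Python data (an assumption about representation), and the `ACL_100_WRONG` entry models the “deny” mistake warned about above.

```python
import ipaddress

# access-list 100 permit ip any host 192.168.1.100 (constructed model of the lesson's ACL)
ACL_100 = [("permit", "any", "192.168.1.100/32")]
# The mistake the lesson warns about: a "deny" entry selects nothing, because an ACL
# used for matching only "matches" packets it permits (constructed for comparison).
ACL_100_WRONG = [("deny", "any", "192.168.1.100/32")]


def acl_matches(acl, src, dst):
    """True if the packet is PERMITTED by the ACL, i.e. selected by a 'match ip address'."""
    for action, s, d in acl:
        s_ok = s == "any" or ipaddress.ip_address(src) in ipaddress.ip_network(s)
        d_ok = d == "any" or ipaddress.ip_address(dst) in ipaddress.ip_network(d)
        if s_ok and d_ok:
            return action == "permit"
    return False  # implicit deny at the end of every ACL: packet not selected


# vlan access-map NOT-TO-SERVER as (sequence, acl or None, action);
# None means "no match statement", which matches everything.
NOT_TO_SERVER = [
    (10, ACL_100, "drop"),
    (20, None, "forward"),
]


def vacl_action(access_map, src, dst):
    """Walk the sequences in order; the first matching sequence decides the action."""
    for _seq, acl, action in access_map:
        if acl is None or acl_matches(acl, src, dst):
            return action
    return "drop"  # no sequence matched: a VACL drops the packet


def main():
    # Computer to server: selected by ACL 100, sequence 10 drops it.
    print(vacl_action(NOT_TO_SERVER, "192.168.1.1", "192.168.1.100"))  # drop
    # Computer to computer: not selected, sequence 20 forwards it.
    print(vacl_action(NOT_TO_SERVER, "192.168.1.1", "192.168.1.2"))    # forward
    # Without sequence 20, nothing else matches, so even host-to-host traffic is dropped.
    print(vacl_action(NOT_TO_SERVER[:1], "192.168.1.1", "192.168.1.2"))  # drop
    # With a "deny" ACL, sequence 10 never matches and the server stays reachable.
    wrong = [(10, ACL_100_WRONG, "drop"), (20, None, "forward")]
    print(vacl_action(wrong, "192.168.1.1", "192.168.1.100"))  # forward


if __name__ == "__main__":
    main()
```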
Wow, similar to route-map. Awesome!
I have a question: in the first sentence you said that we can prevent both computers from communicating with the server by using “port security”. Could you elaborate on how port-security will filter the traffic of computers going to the server?
Seems like VACL is more flexible when it comes to specific traffic requirements. Thanks Rene
ACLs and Route Maps are my biggest struggle in my network studies. I understand your first sentence about statement 10. Your second sentence about statement 20 is confusing.
“If you don’t add statement 20 then ALL traffic will be dropped. For example, when 192.168.1.1 tries to reach 192.168.1.2, it would be dropped. That’s why we added statement 20”
Why would that be the case? The Access-list and statement 10 are very specific in saying if any host tries to reach 192.168.1.100 (the server) – DROP IT. That being the case…. Why would 192.168.1.1 to be able t
As always your answer is very helpful on this and the other post you have made to help explain. You have been really active on the forums of late helping out and its very appreciated!
Hello Arindom
There are currently no VXLAN lessons in the Networklessons site, however, as you can see from the new lessons that are coming out below, Rene continually updates content and adds materials.
https://networklessons.com/new-lessons/
I suggest you go to the Member Ideas section and post a recommendation to add VXLAN as course content.
https://networklessons.com/member-ideas/
In the meantime, if @ReneMolenaar may have something more specific for you to take a look at.
I hope this has been helpful!
Laz