How do you prevent intra-VLAN communication?
If you wanted to prevent inter-VLAN communication, you would create a RACL and
apply it to the L3 interface. But when you want to prevent intra-VLAN
communication, you need a VACL. I will demonstrate how to create a
VACL and apply it, and additionally how you can filter on the MAC
address of a host rather than its IP address.
We will use figure 1 to visualize
the configuration, and once done we will have completed the following actions.
1. Prevent PC1 from talking to PC2
2. Prevent PC1 from talking to PC3
3. Allow all other communication between hosts
4. Apply the VACL to VLAN 100
Figure 1
Configuration:
access-list 100 permit ip host 192.168.100.1 host 192.168.100.2
!
mac access-list extended macfilter
permit host 4055.39a8.101f host 4055.39a8.103f
!
vlan access-map Vlan_100_Filter 10
action drop
match ip address 100
!
vlan access-map Vlan_100_Filter 20
action drop
match mac address macfilter
!
vlan access-map Vlan_100_Filter 30
action forward
!
vlan filter Vlan_100_Filter vlan-list 100
Verification:
Cisco_4948E_01#show vlan filter
VLAN Map Vlan_100_Filter is filtering VLANs:
100
Cisco_4948E_01#show vlan access-map Vlan_100_Filter
Vlan access-map "Vlan_100_Filter" 10
Match clauses:
ip address: 100
Action:
drop
Vlan access-map "Vlan_100_Filter" 20
Match clauses:
mac address: macfilter
Action:
drop
Vlan access-map "Vlan_100_Filter" 30
Match clauses:
Action:
forward
Cisco_4948E_01#show ip access-lists 100
Extended IP access list 100
10 permit ip host 192.168.100.1 host 192.168.100.2
Cisco_4948E_01#show access-list macfilter
Extended MAC access list macfilter
permit host 4055.39a8.101f host 4055.39a8.103f
I could have just filtered based on the IP addresses of the hosts rather than creating a MAC ACL, but I wanted to demonstrate the feature. I have not seen it widely deployed.
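As an added illustration (not part of the original post, and not Cisco code), the following Python script simulates how a VLAN access map evaluates a frame: sequences are checked in order, the first sequence whose match clause matches decides the action, a sequence with no match clause matches everything, and a frame that matches no sequence is dropped. It uses the Vlan_100_Filter map and the two ACLs from the post; PC2's MAC address and PC3's IP address are not given in the post and are assumed. It also shows two things worth checking in a real deployment: the IP clause is unidirectional (PC2 to PC1 still forwards, so only the PC1-sourced half of the conversation is dropped), and a map without the final forward sequence drops everything that earlier sequences did not match. On some Catalyst platforms a MAC match clause in a VLAN map is applied only to non-IP frames; the simulator exposes that as a switch so the difference is visible.

```python
"""Simulator of Cisco VLAN access-map (VACL) evaluation.

Added example, not code from the original post or from Cisco.  The ACL
contents and the Vlan_100_Filter map are copied from the post; PC2's MAC
address and PC3's IP address are assumed because the post does not list them.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None   # None models a non-IP frame such as ARP
    dst_ip: Optional[str] = None


# ACL entries as (action, source, destination); "any" is a wildcard.
IP_ACLS: Dict[str, List[Tuple[str, str, str]]] = {
    "100": [("permit", "192.168.100.1", "192.168.100.2")],
}
MAC_ACLS: Dict[str, List[Tuple[str, str, str]]] = {
    "macfilter": [("permit", "4055.39a8.101f", "4055.39a8.103f")],
}

# VLAN access map: (sequence, action, match clause or None for "match everything").
VLAN_100_FILTER = [
    (10, "drop", ("ip", "100")),
    (20, "drop", ("mac", "macfilter")),
    (30, "forward", None),
]


def acl_matches(entries, src: Optional[str], dst: Optional[str]) -> bool:
    """In a VACL match clause an ACL 'permit' means 'this clause matches'.
    A 'deny' ACE, or the implicit deny at the end of the ACL, means 'no match',
    so evaluation moves on to the next sequence instead of dropping."""
    if src is None or dst is None:
        return False
    for action, s, d in entries:
        if s in ("any", src) and d in ("any", dst):
            return action == "permit"
    return False


def evaluate(access_map, frame: Frame, mac_clauses_see_ip: bool = True):
    """Return (action, sequence) for the first matching sequence.
    mac_clauses_see_ip=False models platforms on which a MAC match clause in a
    VLAN map is applied only to non-IP frames."""
    for seq, action, match in access_map:
        if match is None:                      # no match clause: matches everything
            return action, seq
        kind, name = match
        if kind == "ip" and acl_matches(IP_ACLS[name], frame.src_ip, frame.dst_ip):
            return action, seq
        if kind == "mac":
            if frame.src_ip is not None and not mac_clauses_see_ip:
                continue                       # IP frame skips the MAC clause
            if acl_matches(MAC_ACLS[name], frame.src_mac, frame.dst_mac):
                return action, seq
    return "drop", None                        # implicit deny: nothing matched


# Hosts from the post; PC2_MAC and PC3_IP are constructed placeholders.
PC1_MAC, PC1_IP = "4055.39a8.101f", "192.168.100.1"
PC2_MAC, PC2_IP = "4055.39a8.102f", "192.168.100.2"   # MAC assumed
PC3_MAC, PC3_IP = "4055.39a8.103f", "192.168.100.3"   # IP assumed

PC1_TO_PC2 = Frame(PC1_MAC, PC2_MAC, PC1_IP, PC2_IP)
PC2_TO_PC1 = Frame(PC2_MAC, PC1_MAC, PC2_IP, PC1_IP)
PC1_TO_PC3 = Frame(PC1_MAC, PC3_MAC, PC1_IP, PC3_IP)
PC1_TO_PC3_ARP = Frame(PC1_MAC, PC3_MAC)                # non-IP frame
PC2_TO_PC3 = Frame(PC2_MAC, PC3_MAC, PC2_IP, PC3_IP)

if __name__ == "__main__":
    for label, frame in [("PC1->PC2", PC1_TO_PC2), ("PC2->PC1", PC2_TO_PC1),
                         ("PC1->PC3", PC1_TO_PC3), ("PC1->PC3 ARP", PC1_TO_PC3_ARP),
                         ("PC2->PC3", PC2_TO_PC3)]:
        print(f"{label:14} {evaluate(VLAN_100_FILTER, frame)}")
    # Removing sequence 30 shows the implicit deny at the end of the map.
    print("PC2->PC3 without seq 30:", evaluate(VLAN_100_FILTER[:2], PC2_TO_PC3))
```

Because the map is stateless, the reverse direction is decided on its own: an ICMP echo request from PC2 reaches PC1, but PC1's reply is dropped by sequence 10, so the ping still fails even though only one ACE exists. If the intent is to block both directions explicitly, add the mirror ACE to ACL 100 (and to macfilter); if the intent is to block only PC1-originated traffic, the configuration as posted already does that.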