[c-nsp] Block traffic between users in the same vlan

Sandon Bryant Sandon.Bryant at TELUS.COM
Thu Apr 14 17:47:22 EDT 2005


You should be able to do this with a VACL. I haven't really played with VACLs before, but I think a config like this should work for you.

1) Create ACL to permit communication with gateway, both ways.

ip access-list extended acl-gateway
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
 permit ip host 192.168.1.1 192.168.1.0 0.0.0.255


2) Create ACL to block sub-to-sub communication. A permit is used here, and a drop action is applied in the VACL.

ip access-list extended acl-subnet
 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255


3) Create the VACL. Order is very important as the VACL will stop processing after the first match. Seeing as acl-subnet will block traffic to and from the gateway, we want to make sure that we match and forward acl-gateway before we match/drop acl-subnet.

vlan access-map block-intrasubnet 10
 match ip address acl-gateway
 action forward
! match and forward communication to the gateway

vlan access-map block-intrasubnet 20
 match ip address acl-subnet
 action drop
! match and drop sub-to-sub chatter

vlan access-map block-intrasubnet 30
 action forward
! forward all other traffic


4) Apply the VACL to the VLAN(s) of your choice. In this example, VLAN 21.

vlan filter block-intrasubnet vlan-list 21


I hope this works for you. It is untested, and if there are any errors in my logic or config here, please let me know... I'm still learning here....

Sandon
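Added example (not from the post above, and not Cisco's code): a small Python model of the first-match VACL evaluation the post describes, with wildcard-mask matching for the two ACLs. It shows that host-to-gateway traffic is forwarded, host-to-host traffic in 192.168.1.0/24 is dropped, and that swapping sequences 10 and 20 would also drop traffic to the gateway, which is the ordering point the post makes. Treating "no sequence matched" as a drop is an assumption of this model.

```python
from ipaddress import IPv4Address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


# Each ACL is a list of permit entries: (src_base, src_wild, dst_base, dst_wild).
# 'host x' is expressed as base x with wildcard 0.0.0.0.
ACL_GATEWAY = [
    ("192.168.1.0", "0.0.0.255", "192.168.1.1", "0.0.0.0"),
    ("192.168.1.1", "0.0.0.0", "192.168.1.0", "0.0.0.255"),
]
ACL_SUBNET = [("192.168.1.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]


def acl_permits(acl, src: str, dst: str) -> bool:
    """True if any permit entry in the ACL matches the src/dst pair."""
    return any(wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)
               for sb, sw, db, dw in acl)


# The access-map from the post: (sequence, acl or None for no match clause, action).
VACL = [
    (10, ACL_GATEWAY, "forward"),
    (20, ACL_SUBNET, "drop"),
    (30, None, "forward"),
]

# The same sequences with acl-subnet evaluated first (the ordering mistake).
MISORDERED = [
    (10, ACL_SUBNET, "drop"),
    (20, ACL_GATEWAY, "forward"),
    (30, None, "forward"),
]


def vacl_action(vacl, src: str, dst: str) -> str:
    """First-match evaluation: the action of the first sequence whose ACL
    permits the packet (or that has no match clause) is returned."""
    for _seq, acl, action in vacl:
        if acl is None or acl_permits(acl, src, dst):
            return action
    return "drop"  # assumption: no sequence matched -> implicit drop
```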
