Isolating Hosts at layer 2 using VACLs

I received a help ticket from some of the server guys I work with requesting that their new production servers not be able to talk with the old production servers. The problem is that both groups are within the same VLAN. So my original thought was easy: PVLANs. Then I go to look at the list of servers and there's a dozen servers that are not allowed to talk with each other. Then I notice it's a really big subnet, a /18, and there are a few hundred servers on this VLAN. So if I isolate them, or even break them down into two different communities, these dozen or so servers will be isolated from each other... and from everyone else. So I had to find a way to make them isolate only from each other. Here is a simplistic view of our topology.

So server is NOT allowed to talk to or 192.168.3.., but both servers .2 and .3 need to talk with . PVLANs would not work, because if I put .2 and .3 in their own community, .6 would not be allowed to talk with them. Regular access lists will not work since they are on the same subnet: the traffic is bridged, never routed, so it never crosses a layer 3 interface where a router ACL could see it. So VACLs are my only option.

Start by creating an extended access list for each server. In a VACL the access list only selects traffic: permit means "this traffic matches the map entry", deny means "skip it", and the access list's implicit deny drops nothing on its own. Each entry is also one-directional, so to fully isolate a pair of hosts you need a line for each direction.

ip access-list extended blockserver7
permit ip host host
permit ip host host

Next create the VLAN access-map. It works like a route-map: entries are evaluated in sequence-number order and the first entry whose match clause selects the packet decides the action. Give each entry an explicit sequence number so the drop entry is evaluated before the catch-all forward.

vlan access-map vacl 10
 match ip address blockserver7
 action drop
vlan access-map vacl 20
 action forward

I am only applying this on the one switch where the two servers are located. It is not needed on both switches, since every frame to or from those servers is bridged through that switch, so the VACL there sees both directions no matter where .7 sits.

Now, where the magic happens, apply the access-map to the VLAN with a vlan filter:
vlan filter vacl vlan-list 19

Verify it with show vlan access-map vacl and show vlan filter.

Now .2 and .3, on the switch where they are located, are no longer allowed to talk with .7 (for every direction listed in blockserver7). If either wants to talk with .6 that is permitted, because the final access-map entry forwards all other traffic on that VLAN. Two caveats: the filter is stateless and an IP access list only matches IP, so non-IP frames such as ARP still pass unless you add a MAC access list to the map; and because the VACL is applied per switch, it stops protecting those servers if they are ever moved to the other switch.
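To make the evaluation rules above concrete, here is a small model of how a Cisco VACL decides the fate of a bridged IP packet, and a generator for the equivalent IOS configuration. This is an added example, not code from the original post. The addresses are hypothetical: 192.168.3.2 and .3 stand for the new production servers, .7 for the old one and .6 for a bystander, matching the post's host numbering; the subnet and the names NEW_PROD, OLD_PROD, BYSTANDER, Ace, MapEntry and the helper functions are all invented for the example. The one-direction variant shows the mistake the post's caveat warns about: with only new-to-old entries in the access list, old-to-new traffic still forwards.

```python
"""Model of Cisco VACL evaluation for same-VLAN host isolation (added example).

Rules modelled:
* the access-map is walked in sequence order; the first matching entry decides;
* in a match ACL, `permit` means "selected for this entry's action" and `deny`
  means "not selected, keep walking"; the ACL itself never drops anything;
* an entry without a match clause matches every packet;
* a packet matching no entry is dropped;
* an ACE is one-directional, so a host pair needs two ACEs.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from itertools import product
from typing import Optional

# Hypothetical addressing following the post's numbering: .2/.3 new, .7 old, .6 bystander.
NEW_PROD = [ip_address("192.168.3.2"), ip_address("192.168.3.3")]
OLD_PROD = [ip_address("192.168.3.7")]
BYSTANDER = ip_address("192.168.3.6")


def host(addr: IPv4Address) -> IPv4Network:
    """`host a.b.c.d` in IOS is a /32."""
    return ip_network(f"{addr}/32")


@dataclass
class Ace:
    """One access-list entry; `permit` means 'selected' when used as a VACL match."""
    permit: bool
    src: IPv4Network
    dst: IPv4Network

    def covers(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


def acl_selects(aces: list[Ace], src: IPv4Address, dst: IPv4Address) -> bool:
    """First ACE covering the packet decides; falling off the end (implicit deny)
    means 'not selected', not 'dropped'."""
    for ace in aces:
        if ace.covers(src, dst):
            return ace.permit
    return False


@dataclass
class MapEntry:
    seq: int
    action: str                      # "drop" or "forward"
    acl: Optional[list[Ace]] = None  # None: no match clause, matches everything


def vacl_action(entries: list[MapEntry], src: IPv4Address, dst: IPv4Address) -> str:
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.acl is None or acl_selects(entry.acl, src, dst):
            return entry.action
    return "drop"  # nothing matched: a VACL drops by default


def isolation_aces(group_a, group_b, both_directions: bool = True) -> list[Ace]:
    """Select all traffic between group_a and group_b.
    both_directions=False reproduces the mistake of listing only a -> b."""
    aces: list[Ace] = []
    for a, b in product(group_a, group_b):
        aces.append(Ace(True, host(a), host(b)))
        if both_directions:
            aces.append(Ace(True, host(b), host(a)))
    return aces


def build_vacl(aces: list[Ace]) -> list[MapEntry]:
    """Sequence 10 drops the selected traffic, sequence 20 forwards the rest."""
    return [MapEntry(10, "drop", aces), MapEntry(20, "forward")]


def render_ios(acl_name: str, aces: list[Ace], map_name: str, vlan: int) -> str:
    """Equivalent IOS configuration text, for review before pasting it in."""
    lines = [f"ip access-list extended {acl_name}"]
    for ace in aces:
        kw = "permit" if ace.permit else "deny"
        lines.append(f" {kw} ip host {ace.src.network_address} host {ace.dst.network_address}")
    lines += [
        f"vlan access-map {map_name} 10",
        f" match ip address {acl_name}",
        " action drop",
        f"vlan access-map {map_name} 20",
        " action forward",
        f"vlan filter {map_name} vlan-list {vlan}",
    ]
    return "\n".join(lines)


def leaks(entries: list[MapEntry], group_a, group_b) -> list[tuple[str, str]]:
    """Flows between the two groups that the VACL still forwards."""
    pairs = list(product(group_a, group_b)) + list(product(group_b, group_a))
    return [(str(s), str(d)) for s, d in pairs if vacl_action(entries, s, d) == "forward"]


if __name__ == "__main__":
    aces = isolation_aces(NEW_PROD, OLD_PROD)
    print(render_ios("blockserver7", aces, "vacl", 19))
    print("leaks with both directions:", leaks(build_vacl(aces), NEW_PROD, OLD_PROD))
    half = isolation_aces(NEW_PROD, OLD_PROD, both_directions=False)
    print("leaks with one direction:  ", leaks(build_vacl(half), NEW_PROD, OLD_PROD))
```

Run it as a script to print the generated configuration and the two leak lists; the bystander .6 reaches both groups in either case, because only the second map entry ever sees its traffic.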
