Isolating Hosts at layer 2 using VACLs

I received a help ticket from some of the server guys I work with requesting that their new production servers not be able to talk with the old production servers. The problem is that both sets are within the same VLAN. So my original thought was easy: PVLANs. Then I go to look at the list of servers and there are a dozen servers that are not allowed to talk with each other. Then I notice it's a really big subnet, a /18, and there are a few hundred servers on this VLAN. So if I isolate them, or even break the VLAN down into two different communities, these dozen or so servers will be isolated from each other... and from everyone else. So I had to find a way to isolate them only from each other. Here is a simplistic view of our topology.

So server 192.168.1.7 is NOT allowed to talk to 192.168.1.2 or 192.168.1.3, but both servers .2 and .3 need to talk with 192.168.1.6. PVLANs would not work: if I put .2 and .3 in their own community, .6 would not be allowed to talk with them. Regular access lists will not work since the servers are on the same subnet, so the traffic is bridged within the VLAN and never crosses a routed interface. So VACLs are my only option.

Start by creating a filter for each server. Note that the entries are permit statements: in a VACL the ACL only selects the traffic, and the access-map decides what happens to it.

ip access-list extended blockserver7
permit ip host 192.168.1.2 host 192.168.1.7
permit ip host 192.168.1.3 host 192.168.1.7

Next create the VLAN access-map; this is similar to a route-map. Sequences are evaluated in order, the first sequence whose match clause hits decides the action, and a sequence with no match clause matches everything. The final forward-all sequence is required because a packet that matches no sequence is dropped.

vlan access-map vacl 10
 match ip address blockserver7
 action drop
vlan access-map vacl 20
 action forward
exit

I am only applying this on the switch where .2 and .3 are located. It is not needed on both switches, since the VACL is checked for every packet bridged on that VLAN on that switch, including packets arriving over the trunk.

Now for where the magic happens: apply the VACL to the VLAN with a vlan filter.
vlan filter vacl vlan-list 19

Now traffic from .2 and .3 on VLAN 19 toward .7 is dropped on the switch where .2 and .3 are located. Traffic from either of them to .6 is still permitted, because the forward action in sequence 20 allows all other traffic on that VLAN.
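To check the effect of the access-map before pushing it to a switch, here is an added example (not the post's own code) that models how the VACL above evaluates packets: first-match over the sequences, permit ACEs selecting traffic, and drop for anything no sequence matches. The ACL entries and the topology addresses are taken from the post; the sequence numbers 10 and 20, the sample flows, and the mirrored ACL blockserver7_both are assumptions added for the example. It also shows one caveat worth knowing: the ACL as written matches only the .2-to-.7 and .3-to-.7 direction, so packets from .7 toward .2 are still forwarded on this switch (replies from .2 are not, which is enough to break TCP, but one-way UDP from .7 still arrives). Adding the reverse entries, as in blockserver7_both, drops both directions.

```python
"""Model of a Catalyst VLAN access-map (VACL) applied to sample flows.

Added example for the post above, not the post's own configuration or
any vendor code. Addresses and ACL entries are transcribed from the
post; sequence numbers, sample flows and the mirrored ACL are assumed.
"""
from ipaddress import ip_address, ip_network

# Extended ACL "blockserver7" exactly as in the post: each permit ACE is
# (source, destination); "host x" is x/32. Only permit ACEs select
# traffic for the access-map, so only those are modelled.
BLOCKSERVER7 = [
    (ip_network("192.168.1.2/32"), ip_network("192.168.1.7/32")),
    (ip_network("192.168.1.3/32"), ip_network("192.168.1.7/32")),
]

# Assumed hardened variant: the same entries plus their mirror images,
# so packets from .7 toward .2/.3 are dropped as well.
BLOCKSERVER7_BOTH = BLOCKSERVER7 + [(d, s) for s, d in BLOCKSERVER7]


def access_map(block_acl):
    """Build the access-map 'vacl' from the post: sequence 10 drops what
    the ACL selects, sequence 20 (no match clause) forwards everything
    else. Sequence numbers are an assumption; the post omits them."""
    return [
        (10, block_acl, "drop"),
        (20, None, "forward"),
    ]


def acl_selects(acl, src, dst):
    """True if any permit ACE in the ACL matches this src/dst pair."""
    return any(src in s and dst in d for s, d in acl)


def vacl_action(amap, src, dst):
    """Action the access-map applies to one packet (first match wins)."""
    src, dst = ip_address(src), ip_address(dst)
    for _seq, acl, action in amap:
        if acl is None or acl_selects(acl, src, dst):
            return action
    # A packet that matches no sequence is dropped; this is why the
    # forward-all sequence 20 exists.
    return "drop"


def evaluate_flows(amap, flows):
    """Map each (src, dst) flow to the action the VACL takes on it."""
    return {(s, d): vacl_action(amap, s, d) for s, d in flows}


# Constructed sample flows over the post's topology.
SAMPLE_FLOWS = [
    ("192.168.1.2", "192.168.1.7"),  # forbidden pair
    ("192.168.1.3", "192.168.1.7"),  # forbidden pair
    ("192.168.1.2", "192.168.1.6"),  # must keep working
    ("192.168.1.7", "192.168.1.6"),  # unaffected
    ("192.168.1.7", "192.168.1.2"),  # reverse direction, not in the ACL
]

if __name__ == "__main__":
    for name, acl in (("blockserver7", BLOCKSERVER7),
                      ("blockserver7_both", BLOCKSERVER7_BOTH)):
        print(f"--- access-map using {name}")
        for (s, d), action in evaluate_flows(access_map(acl), SAMPLE_FLOWS).items():
            print(f"{s} -> {d}: {action}")
```

Running it prints the action for each flow under both ACLs; the only line that changes between the two is the .7-to-.2 flow, which is forwarded with the post's ACL and dropped with the mirrored one.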
