VLAN Access-List (VACL)

VLAN access-lists (VACL) are very useful if you want to filter traffic within the VLAN. Let me give you an example:

[Diagram: two computers and a server, all in VLAN 10]

Let’s say I want to make sure that the two computers are unable to communicate with the server. You could use port-security to filter MAC addresses but this isn’t a very safe method.

I will show you how to configure a VACL so that the two computers won’t be able to reach the server. First we have to create an access-list:

SW1(config)#access-list 100 permit ip any host

The first step is to create an extended access-list. Traffic from any source to the destination IP address should match my access-list. This might look confusing because your gut will tell you to use “deny” in this statement. Don’t do it though, use the permit statement! The access-list only selects the traffic; whether that traffic is dropped or forwarded is decided by the action in the access-map.

SW1(config)#vlan access-map NOT-TO-SERVER 10
SW1(config-access-map)#match ip address 100
SW1(config-access-map)#action drop
SW1(config-access-map)#vlan access-map NOT-TO-SERVER 20
SW1(config-access-map)#action forward

The next step is to create the VACL. Mine is called “NOT-TO-SERVER”.

• Sequence number 10 looks for traffic that matches access-list 100. All traffic that is permitted in access-list 100 matches here, and the action is to drop it.
• Sequence number 20 has no match statement, so everything matches it; the action is to forward the traffic.

As a result all traffic from any host to destination IP address will be dropped, everything else will be forwarded.

SW1(config)#vlan filter NOT-TO-SERVER vlan-list 10

The last step is to apply the VACL to the VLANs you want. I apply mine to VLAN 10. Let’s see if this works or not…
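To make the matching rules above concrete, here is an added Python model of how the switch evaluates this VACL (example code, not from the lesson or from Cisco). The server and computer addresses are constructed, since the lesson’s own addresses are not shown on this page; the model also shows what happens if you leave out sequence 20, or if you write “deny” in the access-list instead of “permit”.

```python
import ipaddress

# Constructed sample addresses (hypothetical; the lesson's real addresses are not on this page).
SERVER = ipaddress.ip_address("192.168.10.100")
PC1 = ipaddress.ip_address("192.168.10.1")
PC2 = ipaddress.ip_address("192.168.10.2")

# access-list 100 permit ip any host <SERVER>
# Each entry: (action, source-matches, destination-matches). In a VACL the ACL is
# only a classifier: "permit" means "this traffic matches the access-map clause".
ACL_100 = [("permit", lambda s: True, lambda d: d == SERVER)]
# The tempting but wrong version: "deny" means the traffic does NOT match the clause.
ACL_100_DENY = [("deny", lambda s: True, lambda d: d == SERVER)]

def acl_permits(acl, src, dst):
    """Evaluate an extended ACL top-down; implicit deny at the end."""
    for action, src_ok, dst_ok in acl:
        if src_ok(src) and dst_ok(dst):
            return action == "permit"
    return False

def vacl_action(access_map, src, dst):
    """Return the action of the first sequence whose match clause is satisfied.
    A sequence without a match clause matches everything. If no sequence
    matches, the VACL drops the frame (implicit drop at the end)."""
    for _seq, acl, action in access_map:
        if acl is None or acl_permits(acl, src, dst):
            return action
    return "drop"

# vlan access-map NOT-TO-SERVER: (sequence, matched ACL or None, action)
NOT_TO_SERVER = [(10, ACL_100, "drop"), (20, None, "forward")]
WITHOUT_SEQ_20 = [(10, ACL_100, "drop")]
WITH_DENY_ACL = [(10, ACL_100_DENY, "drop"), (20, None, "forward")]

def demo():
    """Outcomes for a few flows inside VLAN 10 under each variant of the VACL."""
    return {
        "pc1_to_server": vacl_action(NOT_TO_SERVER, PC1, SERVER),        # drop
        "pc1_to_pc2": vacl_action(NOT_TO_SERVER, PC1, PC2),              # forward
        "pc1_to_pc2_without_20": vacl_action(WITHOUT_SEQ_20, PC1, PC2),  # drop
        "pc1_to_server_deny_acl": vacl_action(WITH_DENY_ACL, PC1, SERVER),  # forward
    }

if __name__ == "__main__":
    for flow, result in demo().items():
        print(f"{flow}: {result}")
```

The last two results are the two classic mistakes: without sequence 20 the implicit drop at the end of the access-map silently drops all other traffic in the VLAN, and with “deny” in the access-list nothing ever matches sequence 10, so the server stays reachable.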


Forum Replies

  1. Seems like a VACL is more flexible when it comes to specific traffic requirements. Thanks Rene

  2. Hi Jason,

    Let’s look at the VACL:

    SwitchA(config)#access-list 100 permit ip any host

    SwitchA(config)#vlan access-map NOT-TO-SERVER 10
    SwitchA(config-access-map)#match ip address 100
    SwitchA(config-access-map)#action drop
    SwitchA(config-access-map)#vlan access-map NOT-TO-SERVER 20
    SwitchA(config-access-map)#action forward

    Thanks to statement 10, all traffic with destination will be dropped. This includes any device in the subnet. So far so good.

    If you don’t add statement 20 then ALL traffic will be dropped. For exampl

    ... Continue reading in our forum

  3. ACLs and Routes Maps are my biggest struggle in my network studies. I understand your first sentence about statement 10. Your second sentence about statement 20 is confusing.
    “If you don’t add statement 20 then ALL traffic will be dropped. For example, when tries to reach, it would be dropped. That’s why we added statement 20”
    Why would that be the case? The Access-list and statement 10 are very specific in saying if any host tries to reach (the server) – DROP IT. That being the case…. Why would to be able t

    ... Continue reading in our forum

  4. As always your answer is very helpful on this and the other post you have made to help explain. You have been really active on the forums of late helping out and it's very appreciated!

  5. Hello Arindom

    There are currently no VXLAN lessons on the Networklessons site; however, as you can see from the new lessons that are coming out below, Rene continually updates content and adds materials.

    I suggest you go to the Member Ideas section and post a recommendation to add VXLAN as course content.

    In the meantime, if @ReneMolenaar may have something more specific for you to take a look at.

    I hope this has been helpful!