You are here: Home » Cisco » CCIE Routing & Switching

VLAN Access-List (VACL)

VLAN access-lists (VACL) are very useful if you want to filter traffic within the VLAN. Let me give you an example:

Let’s say I want to make sure that the two computers are unable to communicate with the server. You could use port-security to filter MAC addresses but this isn’t a very safe method.

I will show you how to configure a VACL so that the two computers won’t be able to reach the server. First we have to create an access-list:

SW1(config)#access-list 100 permit ip any host 192.168.1.100

First step is to create an extended access-list. Traffic from any source to destination IP address 192.168.1.100 should match my access-list. This might look confusing to you because your gut will tell you to use “deny” in this statement…don’t do it though, use the permit statement!

SW1(config)#vlan access-map NOT-TO-SERVER 10
SW1(config-access-map)#match ip address 100
SW1(config-access-map)#action drop
SW1(config-access-map)#vlan access-map NOT-TO-SERVER 20
SW1(config-access-map)#action forward

Next step is to create the VACL. Mine is called “NOT-TO-SERVER”.

• Sequence number 10 will look for traffic that matches access-list 100. All traffic that is permitted in access-list 100 will match here. The action is to drop this traffic.
• Sequence number 20 doesn’t have a match statement so everything will match, the action is to forward traffic.

As a result all traffic from any host to destination IP address 192.168.1.100 will be dropped, everything else will be forwarded.

SW1(config)#vlan filter NOT-TO-SERVER vlan-list 10

Last step is to apply the VACL to the VLANs you want. I apply mine to VLAN 10. Let’s see if this works or not…

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
Full Access to our 644 Lessons. More Lessons Added Every Week!
Content created by Rene Molenaar (CCIE #41726)

Give Membership a try - it's just $1 ►

463 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Previous Lesson
AAA Authentication on Cisco Switch

Next Lesson
DHCP Snooping

Tags: ACL, Security

Forum Replies

johnfrades says:

wow, similar to route-map. awesome!

i have a question, on the 1st sentence you said that we can prevent both computers from communicating with server by using “port security”. could you elaborate on how port-security will filter the traffic of computers going to server?
riconorway says:

seems like vacl is more flexible when comes with specific traffic requirements. Thanks Rene
jmwalker24 says:

ACLs and Routes Maps are my biggest struggle in my network studies. I understand your first sentence about statement 10. Your second sentence about statement 20 is confusing.
“If you don’t add statement 20 then ALL traffic will be dropped. For example, when 192.168.1.1 tries to reach 192.168.1.2, it would be dropped. That’s why we added statement 20”
Why would that be the case? The Access-list and statement 10 are very specific in saying if any host tries to reach 192.168.1.100 (the server) – DROP IT. That being the case…. Why would 192.168.1.1 to be able t
... Continue reading in our forum
ReneMolenaar says:

Hi Jason,

This is because the default action is always to drop the traffic. Without that second statement, the default action will be drop. That’s why I added it. Without any access-list in statement 20, all remaining traffic is permitted.

The same thing applies to normal access-lists. Everything you don’t permit is denied by the invisible “deny any” at the bottom of the access-list.

Rene
wilder7bc says:

As always your answer is very helpful on this and the other post you have made to help explain. You have been really active on the forums of late helping out and its very appreciated!

23 more replies! Ask a question or join the discussion by visiting our Community Forum