VLAN access-lists (VACL) are very useful if you want to filter traffic within the VLAN. Let me give you an example:
Let’s say I want to make sure that the two computers are unable to communicate with the server. You could use port-security to filter MAC addresses but this isn’t a very safe method.
I will show you how to configure a VACL so that the two computers won’t be able to reach the server. First we have to create an access-list:
SW1(config)#access-list 100 permit ip any host 192.168.1.100
First step is to create an extended access-list. Traffic from any source to destination IP address 192.168.1.100 should match my access-list. This might look confusing to you because your gut will tell you to use “deny” in this statement…don’t do it though, use the permit statement! The access-list is only used to select the traffic; whether the selected traffic is dropped or forwarded is decided by the action in the access-map, not by the access-list.
SW1(config)#vlan access-map NOT-TO-SERVER 10
SW1(config-access-map)#match ip address 100
SW1(config-access-map)#action drop
SW1(config-access-map)#vlan access-map NOT-TO-SERVER 20
SW1(config-access-map)#action forward
Next step is to create the VACL. Mine is called “NOT-TO-SERVER”.
• Sequence number 10 will look for traffic that matches access-list 100. All traffic that is permitted in access-list 100 will match here. The action is to drop this traffic.
• Sequence number 20 doesn’t have a match statement so everything will match; the action is to forward traffic. This catch-all sequence is required, because traffic that matches none of the sequences in a VACL is dropped.
As a result all traffic from any host to destination IP address 192.168.1.100 will be dropped, everything else will be forwarded.
SW1(config)#vlan filter NOT-TO-SERVER vlan-list 10
Last step is to apply the VACL to the VLANs you want. I apply mine to VLAN 10. Let’s see if this works or not…