VLAN access lists (VACL) are very useful to filter traffic within the VLAN. Let me give you an example:
Let’s say I want to make sure that the two computers cannot communicate with the server. You could use port-security to filter MAC addresses, but this isn’t a very safe method.
I will show you how to configure a VACL so that the two computers won’t be able to reach the server. First, we have to create an access-list:
SW1(config)#access-list 100 permit ip any host 192.168.1.100
The first step is to create an extended access-list. Traffic from any source to destination IP address 192.168.1.100 should match my access-list. This might look confusing to you because your gut will tell you to use “deny” in this statement…don’t do it, though, use the permit statement! In a VACL, the access-list only identifies the traffic; the action (drop or forward) is set in the access map. Now we can create a VLAN access map:
SW1(config)#vlan access-map NOT-TO-SERVER 10
SW1(config-access-map)#match ip address 100
SW1(config-access-map)#action drop
SW1(config-access-map)#vlan access-map NOT-TO-SERVER 20
SW1(config-access-map)#action forward
My VLAN access map is called “NOT-TO-SERVER”. This is what it does:
• Sequence number 10 will look for traffic that matches access-list 100. All traffic that is permitted in access-list 100 will match here. The action is to drop this traffic.
• Sequence number 20 doesn’t have a match statement, so everything will match. The action is to forward traffic.
As a result, all traffic from any host to the destination IP address 192.168.1.100 will be dropped, and everything else will be forwarded. Let’s enable it:
SW1(config)#vlan filter NOT-TO-SERVER vlan-list 10
The last step is to apply the VACL to the VLANs you want. I use mine for VLAN 10. Let’s see if this works or not…
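To make the matching logic above concrete, here is an added example (not from the original page or from Cisco) that models how a VACL evaluates the access map: a “permit” hit in the referenced access-list means “match”, a sequence without a match clause matches everything, and a packet that matches no sequence is dropped. The addresses and the “deny” variant are constructed to show why the page insists on “permit”.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"; in a VACL "permit" means "match"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _operand(tokens, i):
    """Parse one IOS address operand: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    bits = int(ipaddress.ip_address(tokens[i + 1])).bit_length()   # contiguous wildcards only
    return ipaddress.ip_network(f"{tokens[i]}/{32 - bits}", strict=False), i + 2

def parse_acl_line(line):
    """Parse e.g. 'permit ip any host 192.168.1.100' (the 'ip' keyword is skipped)."""
    t = line.split()
    src, i = _operand(t, 2)
    dst, _ = _operand(t, i)
    return AclEntry(t[0], src, dst)

def acl_matches(acl, src, dst):
    """First matching entry decides; a 'permit' hit means the VACL clause matches,
    a 'deny' hit or no hit at all means it does not."""
    for e in acl:
        if src in e.src and dst in e.dst:
            return e.action == "permit"
    return False

def vacl_action(access_map, acls, src, dst):
    """Walk the access map in sequence order. A sequence without a match clause
    matches everything; a packet that matches no sequence is dropped."""
    for _seq, acl_name, action in sorted(access_map, key=lambda s: s[0]):
        if acl_name is None or acl_matches(acls[acl_name], src, dst):
            return action
    return "drop"   # implicit drop at the end of a VACL

# Constructed from the page's configuration
ACLS = {"100": [parse_acl_line("permit ip any host 192.168.1.100")]}
NOT_TO_SERVER = [(10, "100", "drop"), (20, None, "forward")]
# Constructed: the 'deny' variant the page warns against
WRONG_ACLS = {"100": [parse_acl_line("deny ip any host 192.168.1.100")]}

def check(src, dst, access_map=NOT_TO_SERVER, acls=ACLS):
    return vacl_action(access_map, acls, ipaddress.ip_address(src), ipaddress.ip_address(dst))
```

With the “deny” access-list, sequence 10 never matches and sequence 20 forwards everything, so the server stays reachable; without sequence 20, the computers’ traffic to each other would hit the implicit drop.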