VLAN Access-List (VACL)

VLAN access lists (VACL) are very useful to filter traffic within the VLAN. Let me give you an example:

[Topology diagram: two computers and a server, all in VLAN 10]

Let’s say I want to make sure that the two computers cannot communicate with the server. You could use port-security to filter MAC addresses, but since a MAC address is trivial to change, this isn’t a very safe method.

I will show you how to configure a VACL so that the two computers won’t be able to reach the server. First, we have to create an access-list:

SW1(config)#access-list 100 permit ip any host 192.168.1.100

The first step is to create an extended access-list. Traffic from any source to destination IP address 192.168.1.100 should match my access-list. This might look confusing to you because your gut will tell you to use “deny” in this statement. Don’t! In a VACL the access-list is only a classifier: “permit” marks the traffic the access map should act on, and whether that traffic is dropped or forwarded is decided by the action in the access map itself. Now we can create a VLAN access map:

SW1(config)#vlan access-map NOT-TO-SERVER 10
SW1(config-access-map)#match ip address 100
SW1(config-access-map)#action drop
SW1(config-access-map)#vlan access-map NOT-TO-SERVER 20
SW1(config-access-map)#action forward

My VLAN access map is called “NOT-TO-SERVER”. This is what it does:

• Sequence number 10 will look for traffic that matches access-list 100. All traffic that is permitted in access-list 100 will match here. The action is to drop this traffic.
• Sequence number 20 doesn’t have a match statement, so everything will match. The action is to forward traffic.

As a result, all traffic from any host to the destination IP address 192.168.1.100 will be dropped, and everything else will be forwarded. Let’s enable it:

SW1(config)#vlan filter NOT-TO-SERVER vlan-list 10

The last step is to apply the VACL to the VLANs you want. I use mine for VLAN 10. Let’s see if this works or not…
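To make the matching rules above concrete, here is an added Python model of how a VLAN access map evaluates a packet (example code written for this page, not Cisco’s implementation). It parses the article’s own access-list line, walks the access-map sequences in order, and shows three things: the “permit” entry causes a match (so sequence 10 drops traffic to the server), a “deny” entry or the access-list’s implicit deny means “no match” (so the traffic falls through to sequence 20 and is forwarded), and a map with an IP match clause but no catch-all sequence drops non-matching IP packets, which is the documented default. The packet addresses used below are constructed for the example.

```python
"""Model of VLAN access-map evaluation for IP traffic (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# One access-list entry: (permit|deny, source network, destination network)
Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]
# One access-map sequence: (sequence number, ACL number or None for "no match clause", action)
MapSeq = Tuple[int, Optional[str], str]


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' or 'host A.B.C.D' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address form: {tokens[i]!r}")


def parse_acl(lines: List[str]) -> Dict[str, List[Ace]]:
    """Parse 'access-list <n> permit|deny ip <src> <dst>' lines into ACE lists keyed by number."""
    acls: Dict[str, List[Ace]] = {}
    for line in lines:
        t = line.split()
        if t[:1] != ["access-list"] or t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        number, action = t[1], t[2]
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def acl_matches(aces: List[Ace], src: str, dst: str) -> bool:
    """Inside a VACL the ACL only classifies: the packet matches the sequence
    if the first entry it hits is a permit. A deny hit, or running off the end
    of the list (the ACL's implicit deny), both mean 'no match'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def vacl_action(access_map: List[MapSeq], acls: Dict[str, List[Ace]], src: str, dst: str) -> str:
    """Evaluate the access map in sequence-number order for one IP packet.
    A sequence without a match clause matches everything. If no sequence
    matches an IP packet and the map has an IP match clause, the packet is
    dropped (the access map's implicit deny)."""
    for _seq, acl_number, action in sorted(access_map, key=lambda s: s[0]):
        if acl_number is None or acl_matches(acls[acl_number], src, dst):
            return action
    return "drop"


# The article's configuration, transcribed into the model.
ACLS = parse_acl(["access-list 100 permit ip any host 192.168.1.100"])
NOT_TO_SERVER: List[MapSeq] = [(10, "100", "drop"), (20, None, "forward")]

# The mistake the article warns about: writing "deny" in the access-list.
ACLS_WITH_DENY = parse_acl(["access-list 100 deny ip any host 192.168.1.100"])


if __name__ == "__main__":
    # Constructed sample packets: a computer in VLAN 10 talking to the server and to a peer.
    print(vacl_action(NOT_TO_SERVER, ACLS, "192.168.1.1", "192.168.1.100"))   # drop
    print(vacl_action(NOT_TO_SERVER, ACLS, "192.168.1.1", "192.168.1.2"))     # forward
    print(vacl_action(NOT_TO_SERVER, ACLS_WITH_DENY, "192.168.1.1", "192.168.1.100"))  # forward
```

Running the script with the “deny” variant shows why the article insists on “permit”: with a deny entry nothing ever matches sequence 10, so the server is still reachable. Dropping sequence 20 from the map instead drops every IP packet that does not go to the server, which is usually the opposite of what you want.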



Forum Replies

  1. Hi, just getting ready for CCNP Switch .

    I was wondering how do you edit / update VACLs ?
    Do you need to use text editor like standard ?
    Reload switch ?

    Examples of changing requirements say add new server 192.168.1.101

  2. Hi Geoff,

    You can edit the access-list, no problem at all. I’m not 100% sure if it will be active right away or if you need to remove + add the VACL again before it is applied. If you want to know, I can try it and let you know the results.

    Rene

  3. Hi Rene,

    I was trying to use the VACL with a mac access-list to prevent traffic from Computer A to Computer B. Both computers are connected directly to Switch A as follows,

    Switch A

    Computer A Computer B

    IP- 192.168.1.1 IP-192.168.1.2

    MAC - 0023.2343.5678 MAC- 0023.2343.5679

    *******************************************************************

    Configuration on Switch A,

    mac access-list extended test

    permit any host 0023.2343.5679

    vlan access-map test1 10

    match mac address test

    action drop

    vlan access-map test1 20

    act

    ... Continue reading in our forum

  4. Wow, similar to route-map. Awesome!

    I have a question: in the 1st sentence you said that we can prevent both computers from communicating with the server by using “port security”. Could you elaborate on how port-security will filter the traffic of computers going to the server?

  5. @Ronie I just did some testing and I’m also seeing strange results when using a mac access-list to filter MAC addresses. I used two routers and one 3560 switch. When I apply the vlan filter, the routers are still able to ping each other until I clear their ARP tables. Once I do that, they are unable to reach each other anymore since some of the ARP packets get filtered.

    I would expect all traffic that matches one of the MAC addresses to be filtered but for whatever reason, it’s acting weird.
    @Frades you can use port security to set a limit to the number of MAC

    ... Continue reading in our forum
