VLAN Access-List (VACL) | NetworkLessons.com

VLAN access-lists (VACL) are very useful if you want to filter traffic within the VLAN. Let me give you an example:

Let’s say I want to make sure that the two computers are unable to communicate with the server. You could use port-security to filter MAC addresses but this isn’t a very safe method.

I will show you how to configure a VACL so that the two computers won’t be able to reach the server. First we have to create an access-list:

SW1(config)#access-list 100 permit ip any host 192.168.1.100

First step is to create an extended access-list. Traffic from any source to destination IP address 192.168.1.100 should match my access-list. This might look confusing to you because your gut will tell you to use “deny” in this statement…don’t do it though, use the permit statement!

SW1(config)#vlan access-map NOT-TO-SERVER 10
SW1(config-access-map)#match ip address 100
SW1(config-access-map)#action drop
SW1(config-access-map)#vlan access-map NOT-TO-SERVER 20
SW1(config-access-map)#action forward

Next step is to create the VACL. Mine is called “NOT-TO-SERVER”.

• Sequence number 10 will look for traffic that matches access-list 100. All traffic that is permitted in access-list 100 will match here. The action is to drop this traffic.
• Sequence number 20 doesn’t have a match statement so everything will match, the action is to forward traffic.

As a result all traffic from any host to destination IP address 192.168.1.100 will be dropped, everything else will be forwarded.

SW1(config)#vlan filter NOT-TO-SERVER vlan-list 10

Last step is to apply the VACL to the VLANs you want. I apply mine to VLAN 10. Let’s see if this works or not…

Forum Replies

wow, similar to route-map. awesome!

i have a question, on the 1st sentence you said that we can prevent both computers from communicating with server by using “port security”. could you elaborate on how port-security will filter the traffic of computers going to server?

seems like vacl is more flexible when comes with specific traffic requirements. Thanks Rene

ACLs and Routes Maps are my biggest struggle in my network studies. I understand your first sentence about statement 10. Your second sentence about statement 20 is confusing.
“If you don’t add statement 20 then ALL traffic will be dropped. For example, when 192.168.1.1 tries to reach 192.168.1.2, it would be dropped. That’s why we added statement 20”
Why would that be the case? The Access-list and statement 10 are very specific in saying if any host tries to reach 192.168.1.100 (the server) – DROP IT. That being the case…. Why would 192.168.1.1 to be able t

... Continue reading in our forum

Hi Jason,

This is because the default action is always to drop the traffic. Without that second statement, the default action will be drop. That’s why I added it. Without any access-list in statement 20, all remaining traffic is permitted.

The same thing applies to normal access-lists. Everything you don’t permit is denied by the invisible “deny any” at the bottom of the access-list.

Rene

As always your answer is very helpful on this and the other post you have made to help explain. You have been really active on the forums of late helping out and its very appreciated!

25 more replies! Ask a question or join the discussion by visiting our Community Forum