VLAN Access-List (VACL)

VLAN access-lists (VACL) are very useful if you want to filter traffic within the VLAN. Let me give you an example:

[Figure: two computers and a server in VLAN 10]

Let’s say I want to make sure that the two computers are unable to communicate with the server. You could use port-security to filter MAC addresses, but this isn’t a very safe method.

I will show you how to configure a VACL so that the two computers won’t be able to reach the server. First we have to create an access-list:

SW1(config)#access-list 100 permit ip any host 192.168.1.100

The first step is to create an extended access-list. Traffic from any source to destination IP address 192.168.1.100 should match my access-list. This might look confusing because your gut will tell you to use “deny” in this statement. Don’t do it though, use the permit statement! In a VACL the access-list only selects which traffic matches; the access-map action decides what is done with that traffic.

SW1(config)#vlan access-map NOT-TO-SERVER 10
SW1(config-access-map)#match ip address 100
SW1(config-access-map)#action drop
SW1(config-access-map)#vlan access-map NOT-TO-SERVER 20
SW1(config-access-map)#action forward

The next step is to create the VACL. Mine is called “NOT-TO-SERVER”.

• Sequence number 10 looks for traffic that matches access-list 100. All traffic that is permitted in access-list 100 matches here, and the action is to drop this traffic.
• Sequence number 20 doesn’t have a match statement, so everything matches, and the action is to forward the traffic.

As a result all traffic from any host to destination IP address 192.168.1.100 will be dropped, everything else will be forwarded.

SW1(config)#vlan filter NOT-TO-SERVER vlan-list 10

The last step is to apply the VACL to the VLANs you want. I apply mine to VLAN 10. Let’s see if this works or not…
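To make the match-versus-action logic concrete, here is an added Python model (not part of the lesson or of any Cisco tool) of how the switch walks the NOT-TO-SERVER access-map: a permit in access-list 100 only marks a flow as matching, the sequence’s action decides its fate, and a flow that no sequence matches hits the implicit drop at the end of the VACL, which is why sequence 20 is needed. It simplifies the ACL to IP source and destination only (no protocol or ports); the flows it is checked against are constructed.

```python
# Added model of Cisco VACL evaluation (not from the lesson): an ACL "permit"
# only selects traffic; the access-map action decides what happens to it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class AclEntry:
    permit: bool   # True for "permit", False for "deny"
    src: str       # "any" or a host/network such as "192.168.1.100/32"
    dst: str


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def acl_selects(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins. A permit selects the flow for this sequence;
    a deny, or the implicit deny at the end, leaves it unselected."""
    for e in acl:
        if _addr_matches(e.src, src) and _addr_matches(e.dst, dst):
            return e.permit
    return False


@dataclass
class MapSeq:
    seq: int
    action: str                                  # "drop" or "forward"
    match_acl: Optional[List[AclEntry]] = None   # None: no match statement


def vacl_decide(access_map: List[MapSeq], src: str, dst: str) -> str:
    """Walk sequences in order; the first whose match selects the flow supplies
    the action. A flow that no sequence matches is dropped by the VACL."""
    for s in sorted(access_map, key=lambda m: m.seq):
        if s.match_acl is None or acl_selects(s.match_acl, src, dst):
            return s.action
    return "drop"


# access-list 100 permit ip any host 192.168.1.100
ACL_100 = [AclEntry(permit=True, src="any", dst="192.168.1.100/32")]
# vlan access-map NOT-TO-SERVER 10 (match 100, drop) and 20 (no match, forward)
NOT_TO_SERVER = [MapSeq(10, "drop", ACL_100), MapSeq(20, "forward")]
# The same map without sequence 20: the implicit drop then hits every other flow
NO_SEQ_20 = [MapSeq(10, "drop", ACL_100)]
```

Calling `vacl_decide(NOT_TO_SERVER, "192.168.1.1", "192.168.1.2")` returns "forward", while the same flow against `NO_SEQ_20` returns "drop".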

Forum Replies

  1. Wow, similar to route-map. Awesome!

    I have a question: in the first sentence you said that we can prevent both computers from communicating with the server by using “port security”. Could you elaborate on how port-security will filter the traffic of computers going to the server?

  2. Seems like VACL is more flexible when it comes to specific traffic requirements. Thanks Rene

  3. ACLs and Route Maps are my biggest struggle in my network studies. I understand your first sentence about statement 10. Your second sentence about statement 20 is confusing.
    “If you don’t add statement 20 then ALL traffic will be dropped. For example, when 192.168.1.1 tries to reach 192.168.1.2, it would be dropped. That’s why we added statement 20”
    Why would that be the case? The access-list and statement 10 are very specific in saying that if any host tries to reach 192.168.1.100 (the server) – DROP IT. That being the case… Why would 192.168.1.1 to be able t


  4. As always your answer is very helpful on this and the other post you have made to help explain. You have been really active on the forums of late helping out and it’s very appreciated!

  5. Hello Arindom

    There are currently no VXLAN lessons in the Networklessons site, however, as you can see from the new lessons that are coming out below, Rene continually updates content and adds materials.

    I suggest you go to the

