CCNP SWITCH: VLAN Access Control Lists (VACL)

VLAN ACLs (VACLs) provide traffic filtering for all packets within the same VLAN or that are routed into or out of the VLAN, where as a normal ACL can only be applied to routed packets only. VACLs are also known as VLAN access-maps, they are similar to route maps and use route-map conventions in which sequences are checked in order. When traffic is matched the switch will process and take the required action (Forward, Redirect or Drop).

In the scenario below all computers in VLAN 10 will be blocked communicating on TCP 3389 (Remote Desktop) and TCP 80 (HTTP) and permit all other traffic to other computers within the same VLAN.

VACL Configuration

Define IP access list to identify ‘permit’ the source, destination and port(s)

3560-1(config)# ip access-list extended ACL-VLAN-10
3560-1(config-ext-nacl)# permit tcp eq 3389
3560-1(config-ext-nacl)# permit tcp eq 80
3560-1(config-ext-nacl)# exit

Create a VLAN access-map, drop all traffic that matches the previously created IP access list (ACL-VLAN-10). If traffic is not matched the next sequence ‘forward’ will allow all other traffic.

3560-1(config-access-map)# vlan access-map VACL-VLAN-10 10
3560-1(config-access-map)# action drop
3560-1(config-access-map)# match ip address ACL-VLAN-10
3560-1(config-access-map)# vlan access-map VACL-VLAN-10 20
3560-1(config-access-map)# action forward
3560-1(config-access-map)# exit

VACL is applied to vlan 10

3560-1(config)# vlan filter VACL-VLAN-10 vlan-list 10


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s