VLAN ACLs

This post shows how to configure VACLs (VLAN access lists).

The following configuration denies UDP traffic whose source IP address is 10.0.0.101 and whose destination IP address is 10.0.0.102; all other traffic is allowed. Every packet that enters or leaves a port (access or trunk) on VLAN 1 is filtered according to the configured rule.

win-xserw001#conf t
win-xserw001(config)# ip access-list extended 100
win-xserw001(config-ext-nacl)# 10 permit udp host 10.0.0.101 host 10.0.0.102
win-xserw001(config-ext-nacl)# end

win-xserw001#conf t
win-xserw001(config)# vlan access-map NO-101 10
win-xserw001(config-access-map)# match ip address 100
win-xserw001(config-access-map)# action drop
win-xserw001(config-access-map)# vlan access-map NO-101 20
win-xserw001(config-access-map)# action forward
win-xserw001(config-access-map)# end

win-xserw001#conf t
win-xserw001(config)# vlan filter NO-101 vlan-list 1
win-xserw001(config)# end

Notice that with this configuration host 10.0.0.101 can still initiate traffic to 10.0.0.102 (10.0.0.102 receives the packet), but the reply is denied.

[Figure: vacl-1]

In this example both hosts belong to the same subnet (and to the same VLAN). You could instead use IP addresses from different subnets/VLANs to filter traffic between those VLANs (in both directions).
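As an added illustration (not part of the original post), the following Python model mimics how the switch evaluates the access map above: ACL "permit" only marks a packet as matching, clauses are tried in sequence order, and a map with no matching clause drops the packet. Run on a few constructed packets, it shows that ACL 100 matches only the one direction written in it and that the match-less sequence 20 is what keeps all other traffic flowing.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str  # "udp", "tcp", ...
    src: str
    dst: str

# Extended ACL 100 from the post. Inside a VACL, an ACE "permit" only means
# "this clause matches"; the access-map action decides what happens to the packet.
ACL_100 = [("permit", "udp", "10.0.0.101", "10.0.0.102")]

def acl_matches(acl, pkt):
    """True when the first ACE matching the packet is a permit (ACLs end with an implicit deny)."""
    for action, proto, src, dst in acl:
        if proto in ("ip", pkt.proto) and src in ("any", pkt.src) and dst in ("any", pkt.dst):
            return action == "permit"
    return False

# vlan access-map NO-101: clauses are tried in sequence order, first match wins.
# A clause with no match statement (sequence 20) matches every packet.
ACCESS_MAP_NO_101 = [
    (10, ACL_100, "drop"),
    (20, None, "forward"),
]

def vacl_action(access_map, pkt):
    """Return 'drop' or 'forward' for a packet on a VLAN that carries this filter."""
    for _seq, acl, action in sorted(access_map, key=lambda clause: clause[0]):
        if acl is None or acl_matches(acl, pkt):
            return action
    return "drop"  # no clause matched: the access map has an implicit drop at the end

# Constructed sample traffic on VLAN 1.
SAMPLES = [
    Packet("udp", "10.0.0.101", "10.0.0.102"),  # the flow the post denies
    Packet("udp", "10.0.0.102", "10.0.0.101"),  # reverse direction, not covered by ACL 100
    Packet("tcp", "10.0.0.101", "10.0.0.102"),  # other protocol, forwarded by sequence 20
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}: {vacl_action(ACCESS_MAP_NO_101, pkt)}")
    # Without sequence 20 the implicit drop discards everything, even non-matching traffic.
    print("tcp without forward clause:", vacl_action(ACCESS_MAP_NO_101[:1], SAMPLES[2]))
```

The last line is the check worth remembering: an access map made only of drop clauses drops all traffic on the VLAN, so the forward clause is not optional.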
