This post shows how to configure VACLs (Vlan access lists).

The following configuration denies UDP traffic whose source IP address equals and whose destination IP address equals . All other traffic is allowed. Every packet entering or leaving a port on Vlan 1 (access or trunk) is filtered according to the configured rule.

win-xserw001#conf t
win-xserw001(config)# ip access-list extended 100
win-xserw001(config-ext-nacl)# 10 permit udp host host
win-xserw001(config-ext-nacl)# end

win-xserw001#conf t
win-xserw001(config)# vlan access-map NO-101 10
win-xserw001(config-access-map)# match ip address 100
win-xserw001(config-access-map)# action drop
win-xserw001(config-access-map)# vlan access-map NO-101 20
win-xserw001(config-access-map)# action forward
win-xserw001(config-access-map)# end

win-xserw001# conf t
win-xserw001(config)# vlan filter NO-101 vlan-list 1

Notice that in this configuration the host can initiate traffic to (the will receive the packet), but the reply will be denied.


In this example both hosts belong to the same subnet (and therefore to the same Vlan). However, you could configure IP addresses from different subnets/Vlans to filter traffic between those Vlans (in both directions).
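To make the two points above concrete (a "permit" in the referenced ACL means "match" for the access-map clause, and the reply direction is dropped while the initiating direction is forwarded), here is an added Python model of how a VLAN access-map evaluates a packet. It is not part of the original post and not a Cisco tool; the ACL number, map name and sequence numbers mirror the configuration above, while the two host addresses are constructed placeholders from the documentation range.

```python
from dataclasses import dataclass

@dataclass
class AclEntry:
    permit: bool   # in an ACL used by a VACL, "permit" means "this clause matches"
    proto: str     # "ip" matches any protocol
    src: str       # host address or "any"
    dst: str

@dataclass
class Packet:
    proto: str
    src: str
    dst: str

def acl_matches(entries, pkt):
    """True only if the first ACL entry covering the packet is a permit.
    A deny entry, or no entry at all (implicit deny), means the access-map
    clause does NOT match and evaluation falls through to the next sequence."""
    for e in entries:
        if (e.proto in ("ip", pkt.proto)
                and e.src in ("any", pkt.src)
                and e.dst in ("any", pkt.dst)):
            return e.permit
    return False

def vacl_action(access_map, acls, pkt):
    """access_map: list of (seq, acl_number_or_None, action).
    Clauses are tried in sequence order; the first whose match condition
    holds decides. A clause without a 'match' statement (acl None) matches
    every packet. If no clause matches, the packet is dropped: a VLAN
    access-map ends with an implicit deny, which is why sequence 20
    'action forward' is needed in the post's configuration."""
    for _seq, acl, action in sorted(access_map, key=lambda c: c[0]):
        if acl is None or acl_matches(acls[acl], pkt):
            return action
    return "drop"

# Constructed sample: ACL 100 = '10 permit udp host A host B' with
# placeholder addresses A=192.0.2.10 and B=192.0.2.20 (not from the post).
ACLS = {100: [AclEntry(True, "udp", "192.0.2.10", "192.0.2.20")]}
NO_101 = [(10, 100, "drop"), (20, None, "forward")]
```

Running the model shows B can send UDP to A (forwarded) while A's UDP reply to B is dropped, and that removing sequence 20 would drop all other traffic on the Vlan as well.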
