How to deny the same network L2 layer?

We want to isolate PC1 and PC2.
PC1 and PC2 are not subject to the ACL because they are in the same network.
Is a Private vlan appropriate?
Any ideas?

23 Replies

Use a VLAN access-list.

MHM

I have configured ACLs to VLANs, but same-band L2 frames are not subject to ACLs.

share the config please

MHM

@MHM Cisco World 

The VACL you mentioned was worth a try.

I want to deny all networks on 144.0/24 and permit the 144.1 IP, which is the gateway.

I don’t know if my config is correct, but pinging to the gateway fails.
The match count for all ACLs on 144.1/32 and 144.0/24 is incremented.

access-list 101 permit ip any host 144.144.144.1
access-list 100 permit ip any 144.144.144.0 0.0.0.255
!
vlan access-map vacl 10
match ip address 101
action forward
!
vlan access-map vacl 20
match ip address 100
action drop
!
vlan access-map vacl 30
action forward
!
vlan filter vacl vlan-list 144

VPCS> ping 144.144.144.1

144.144.144.1 icmp_seq=1 timeout
144.144.144.1 icmp_seq=2 timeout
144.144.144.1 icmp_seq=3 timeout

BB#sh access-list

Extended IP access list 100
10 permit ip any 144.144.144.0 0.0.0.255 (23 matches)
Extended IP access list 101
10 permit ip any host 144.144.144.1 (23 matches)

Try below:

vlan access-map vacl 10
 match ip address 200   <<- where ACL 200 permits traffic between the two hosts
 action drop log
!
vlan access-map vacl 20
 action forward
!
vlan filter vacl vlan-list 144

BB(config)#vlan access-map vacl 10
BB(config-access-map)# match ip address 200
% Invalid access list name.

"where ACL 200 permits traffic between the two hosts"??

access-list 101 permit ip any host 144.144.144.1
access-list 100 permit ip any 144.144.144.0 0.0.0.255

I only want to permit the gateway.

access-list 200 permit ip host 144.144.144.10 host 144.144.144.20

Use this ACL. For the GW: since it is not permitted by 200 and the action is deny, it will be permitted.

MHM

access-list 199 permit ip host 144.144.144.10 host 144.144.144.20
!
vlan access-map vacl 10
 match ip address 199
 action drop log
!
vlan access-map vacl 20
 action forward
!
vlan filter vacl vlan-list 144

Since ACL number 200 is not available, I used 199.

The ping to the gateway was successful and the hosts were blocked from pinging each other.
But I want to block the entire 144.0/24 network.
I need some good ideas.

Sorry for the ACL number.
Now the first issue is solved: traffic between the two hosts is denied.
You need to block traffic between each host and the entire 144.144.144.0/24, then:

ip access-list extended allow
 permit ip host 144.144.144.10 host 144.144.144.1
 permit ip host 144.144.144.20 host 144.144.144.1

action forward

ip access-list extended P2P
 permit ip host 144.144.144.10 144.144.144.0 0.0.0.255
 permit ip host 144.144.144.20 144.144.144.0 0.0.0.255

action drop log

Lastly you need line 30 for other traffic.

Good luck, friend.

MHM

ip access-list extended P2P
 permit ip host 144.144.144.10 144.144.144.0 0.0.0.255
 permit ip host 144.144.144.20 144.144.144.0 0.0.0.255
ip access-list extended allow
 permit ip host 144.144.144.10 host 144.144.144.1
 permit ip host 144.144.144.20 host 144.144.144.1
!
vlan access-map vacl 10
 match ip address allow
 action forward
!
vlan access-map vacl 20
 match ip address P2P
 action drop log
!
vlan filter vacl vlan-list 144

VPCS> show

NAME   IP/MASK              GATEWAY                             GATEWAY
VPCS1  144.144.144.10/24    144.144.144.1
       fe80::250:79ff:fe66:6807/64

VPCS> ping 144.144.144.1

144.144.144.1 icmp_seq=1 timeout
144.144.144.1 icmp_seq=2 timeout

VPCS> ping 144.144.144.20

144.144.144.20 icmp_seq=1 timeout
144.144.144.20 icmp_seq=2 timeout

It cannot ping 144.1, because 144.0/24 contains 144.1.
What do you think, is there a better way?

ip access-list extended allow
 permit ip host 144.144.144.10 host 144.144.144.1
 permit ip host 144.144.144.20 host 144.144.144.1
 permit ip host 144.144.144.1 host 144.144.144.10
 permit ip host 144.144.144.1 host 144.144.144.20

Add two additional lines for the return traffic.

MHM
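As an added illustration that is not part of the thread, this Python model of first-match VACL evaluation reproduces why the earlier configuration timed out (the echo reply from the gateway back to the host matched the drop sequence, since VACLs are stateless) and why the bidirectional "allow" entries fix it. The network constants, the map layouts and the implicit-drop behaviour for unmatched IP packets are modelling assumptions, not output from the devices in the thread.

```python
import ipaddress

# Constructed model (example added here, not from the thread): an access map is a
# list of (acl_entries, action) sequences; an ACL entry is (src_network, dst_network).
# The first sequence whose ACL permits the packet decides the action. An IP packet
# matching no sequence is dropped (the VACL implicit deny, assumed here).
def net(spec):
    return ipaddress.ip_network(spec, strict=False)

def acl_permits(acl, src, dst):
    return any(src in s and dst in d for s, d in acl)

def vacl(access_map, src, dst):
    """Return the action the VACL applies to one IP packet src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl, action in access_map:
        if acl_permits(acl, src, dst):
            return action
    return "drop"  # assumed implicit deny for unmatched IP traffic

ANY = net("0.0.0.0/0")
GW, PC1, PC2 = net("144.144.144.1/32"), net("144.144.144.10/32"), net("144.144.144.20/32")
SUBNET = net("144.144.144.0/24")

# First attempt in the thread: seq 10 forward any->gateway, seq 20 drop any->subnet,
# seq 30 forward the rest.
FIRST_TRY = [
    ([(ANY, GW)], "forward"),
    ([(ANY, SUBNET)], "drop"),
    ([(ANY, ANY)], "forward"),
]

# Accepted solution: "allow" permits host<->gateway in both directions,
# "P2P" drops host->subnet.
ACCEPTED = [
    ([(PC1, GW), (PC2, GW), (GW, PC1), (GW, PC2)], "forward"),
    ([(PC1, SUBNET), (PC2, SUBNET)], "drop"),
]

def ping_outcome(access_map, host, target):
    """A ping succeeds only if both the echo request and the echo reply are forwarded."""
    request = vacl(access_map, host, target)
    reply = vacl(access_map, target, host)
    return request, reply

if __name__ == "__main__":
    for name, amap in (("first try", FIRST_TRY), ("accepted", ACCEPTED)):
        print(name, "PC1->GW ", ping_outcome(amap, "144.144.144.10", "144.144.144.1"))
        print(name, "PC1->PC2", ping_outcome(amap, "144.144.144.10", "144.144.144.20"))
```

The first map forwards the request but drops the reply, which is exactly the timeout seen in the thread; the accepted map forwards both directions to the gateway while dropping host-to-host traffic.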

ip access-list extended P2P
 permit ip host 144.144.144.10 144.144.144.0 0.0.0.255
 permit ip host 144.144.144.20 144.144.144.0 0.0.0.255
ip access-list extended allow
 permit ip host 144.144.144.10 host 144.144.144.1
 permit ip host 144.144.144.20 host 144.144.144.1
 permit ip host 144.144.144.1 host 144.144.144.10
 permit ip host 144.144.144.1 host 144.144.144.20
!
vlan access-map vacl 10
 match ip address allow
 action forward
!
vlan access-map vacl 20
 match ip address P2P
 action drop log
!
vlan filter vacl vlan-list 144
!
*Dec 17 07:42:31.536: %VLMAPLOG-6-ICMP: vlan 144 (port Gi0/0) denied icmp 144.144.144.10 -> 144.144.144.20 (8/0), 1 packet
VPCS> show

NAME   IP/MASK              GATEWAY                             GATEWAY
VPCS1  144.144.144.10/24    144.144.144.1
       fe80::250:79ff:fe66:6807/64

VPCS> ping 144.144.144.1

84 bytes from 144.144.144.1 icmp_seq=1 ttl=255 time=7.801 ms
84 bytes from 144.144.144.1 icmp_seq=2 ttl=255 time=4.608 ms

VPCS> ping 144.144.144.20

144.144.144.20 icmp_seq=1 timeout
144.144.144.20 icmp_seq=2 timeout

NICE

Hello @MHM Cisco World @JustTakeTheFirstStep 

FYI - you do not need to permit the gateway; each host internal to the filtered VLAN should still be able to reach externally. I have posted an example above that should accommodate the OP's initial request.

Kind Regards
Paul