VLAN ACL

hi,

please let me know how to configure a VLAN ACL (syntax)?

Regards 

Khaleelur Rahman


jbowman1985
Level 1

Hi Khaleelur,

There are two ways to configure VACLs: one using MAC access lists and the other using IP access lists. One thing to remember: MAC ACLs only work if the Ethertype field does not indicate IP or IPX.

To configure an IP access list for a VACL you need to do the following:

1.  Configure an access list:

sw(config)# ip access-list standard 10

sw(config-std-nacl)# permit 192.168.1.0 0.0.0.255

2. Create VLAN access map

sw(config)# vlan access-map access-map-name

sw(config-access-map)# match ip address 10 (the ACL number or name from step 1)

sw(config-access-map)# action forward (this will forward traffic)

3.  Apply VLAN access map to VLAN

sw(config)# vlan filter access-map-name vlan-list 10,20,30 (Applies VACL to vlans 10,20 and 30)

Hope this helps!

Dear Jbowman,

please let me know how to apply this ACL on a specific VLAN interface.

Hello,

A VLAN access list is for controlling access within a VLAN. An ACL is different: an ACL is applied to layer three interfaces.

As an example,

access-list 101 [permit/deny] [ip/tcp/udp/icmp,...] [source] [source port] [destination] [destination port]

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

interface vlan x

ip access-group 101 [in/out]

Let me know if you need a specific example.

Masoud

hello Masoud ,

please let me know the example.

Regards,

Khaleel

Hello,

I am sorry, I was not clear. I meant I will give you a specific example if you give me a scenario. For example, give me the IP subnets or addresses you want to permit or deny.

Masoud

To reiterate what Masoud wrote: a VACL is applied to the VLAN and not to a specific interface. A VACL also applies to ingress and egress (in and out) traffic on any interface that is a member of the VLAN you applied the VACL to.

Example:

You applied a VACL to VLAN 10.  Let's say interface Fa0/1 is an access port in VLAN 10 and Gi0/1 is a trunk interface with VLAN 10.  

The VACL would apply to both interfaces.

It can get a little confusing because you do create an IP access list for the VACL, however, the VACL is not applied directly to an interface like an IP access list.  Hope this helps.

Hello

VACLs - restrict traffic ONLY WITHIN a specific VLAN (jbowman's example)

RACLs - restrict traffic between VLANs (Masoud Pourshabanian's example)
IN - (from within the VLAN)
OUT - (going into the VLAN)


res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
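To put the two approaches from this thread side by side, here is a complete worked configuration (an added example, not taken from any post above; the VLAN numbers, subnets and ACL names are made up for illustration). It also shows a point the thread only implies: an access map drops anything that matches no entry, so a VACL needs a final catch-all forward entry unless the intent really is to drop everything else.

```cisco
! Added example (not from any post in this thread); VLAN numbers,
! subnets and ACL names are made up for illustration.
!
! --- VACL: filters traffic that stays inside VLAN 10 ---
! Step 1: an ACL used only to classify traffic for the access map.
! "permit" here means "this entry matches", not "allow".
ip access-list extended VACL_BLOCK_TO_PRINTER
 permit ip 192.168.10.0 0.0.0.255 host 192.168.10.250
!
! Step 2: the access map. Entries are checked in sequence order and a
! packet that matches no entry is DROPPED (implicit deny at the end),
! so the final "forward" entry with no match clause is essential.
vlan access-map VLAN10_VACL 10
 match ip address VACL_BLOCK_TO_PRINTER
 action drop
vlan access-map VLAN10_VACL 20
 action forward
!
! Step 3: bind the map to the VLAN. As noted above, it then applies
! to every access port and trunk carrying VLAN 10, in both directions.
vlan filter VLAN10_VACL vlan-list 10
!
! --- RACL: filters traffic routed between VLANs on the SVI ---
! Allow only HTTPS from VLAN 10 to VLAN 20, leave everything else
! routed from VLAN 10 untouched.
ip access-list extended VLAN10_IN
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 443
 deny   ip  192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip  192.168.10.0 0.0.0.255 any
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ! "in" = packets arriving at the SVI from hosts inside VLAN 10
 ip access-group VLAN10_IN in
```

Traffic between two hosts in VLAN 10 never touches the SVI, so only the VACL can see it; traffic from VLAN 10 to VLAN 20 is routed, so the RACL on interface Vlan10 is what restricts it.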