
VLAN Access Control List (VACL)

A VACL can filter traffic bridged within a VLAN or routed in and out of a VLAN.

! Match ICMP (the drop action is taken by the access map, so the ACL must permit)
ip access-list extended ICMP
 permit icmp any any

! Forward everything else
ip access-list extended OTHER
 permit ip any any

! Construct the access map
vlan access-map VACL_10 10
 match ip address ICMP
 action drop
vlan access-map VACL_10 20
 match ip address OTHER
 action forward

! Apply VLAN filter
vlan filter VACL_10 vlan-list 10

To create and apply a VLAN map:

Define a VLAN access map using the command vlan access-map <name> <sequence>

Configure the match statement using the command match ip address <acl-number/name>

Configure the action to take with the command action followed by forward, drop, or log

Activate the VACL with the command vlan filter <access-map> vlan-list <vlans>

When crafting an access control list to be used with a vlan access-map, use only permit statements. The access control list serves only as the matching criteria for the match statement and does not itself take any action on the packet being evaluated: a packet that the ACL denies (explicitly or by its implicit deny) simply does not match that access-map entry and is evaluated against the next sequence number.
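To make the permit-only rule concrete, here is an added example (not Cisco code and not from the original post) that models how a VLAN access map evaluates a packet: an entry matches only if its ACL permits the packet, entries are tried in sequence order, and a packet matching no entry is dropped. It compares the post's VACL_10 with an ICMP ACL written as deny versus permit; the ACL model is simplified to protocol-only ACEs.

```python
# Simplified model of VLAN access-map evaluation (added example, not Cisco code).
# An ACE is (permit|deny, protocol); "ip" matches every protocol.

def acl_matches(acl, packet):
    """An access-map entry matches only if its ACL permits the packet.
    A deny ACE, or falling off the end of the ACL (implicit deny), means
    'no match' for that entry rather than 'drop the packet'."""
    for action, proto in acl:
        if proto in ("ip", packet["proto"]):
            return action == "permit"
    return False

def evaluate_vacl(access_map, acls, packet):
    """Walk entries in sequence order; first matching entry's action wins.
    A packet matching no entry is dropped (VACL implicit deny)."""
    for _seq, acl_name, action in sorted(access_map):
        if acl_matches(acls[acl_name], packet):
            return action
    return "drop"

# Constructed ACL sets: the flawed deny-based ICMP ACL and the corrected one.
ACLS_DENY = {"ICMP": [("deny", "icmp")], "OTHER": [("permit", "ip")]}
ACLS_PERMIT = {"ICMP": [("permit", "icmp")], "OTHER": [("permit", "ip")]}

# The post's access map: sequence, referenced ACL, action.
VACL_10 = [(10, "ICMP", "drop"), (20, "OTHER", "forward")]

def decide(acls, proto):
    """Action VACL_10 takes on a constructed packet of the given protocol."""
    return evaluate_vacl(VACL_10, acls, {"proto": proto})

if __name__ == "__main__":
    for label, acls in (("deny icmp any any", ACLS_DENY),
                        ("permit icmp any any", ACLS_PERMIT)):
        print(f"{label:22} icmp -> {decide(acls, 'icmp'):8} "
              f"tcp -> {decide(acls, 'tcp')}")
```

With the deny-based ACL, ICMP never matches sequence 10 and is forwarded by sequence 20, the opposite of the intent; with the permit-based ACL it is dropped.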
