A VACL can filter traffic bridged within a VLAN or routed in and out of a VLAN.
! Block ICMP ip access-list extended ICMP deny icmp any any ! Forward everything else ip access-list extended OTHER permit ip any any ! Construct the access map vlan access-map VACL_10 10 match ip address ICMP action drop vlan access-map VACL_10 20 match ip address OTHER action forward ! Apply VLAN filter vlan filter VACL_10 vlan-list 10
To create and apply a VLAN map:
Define a VLAN access map using the command
vlan access-map <name> <sequence>
Configure the match statement using the command
match ip address <acl-number/name>
Configure the action to take with the command
action followed by
Activate the VACL with the command
vlan filter <access-map> vlan-list <vlans>
When crafting an access control list be used with a vlan access-map, only use permit statements. This is because the access control lists are only used as a matching criteria for the match statements and do not actually take any action on the packet being evaluated.