VLAN ACL (VACL)

Prerequisite – Virtual LAN (VLAN), Access-lists (ACL)
VLAN (Virtual LAN) is a concept in which we divide the broadcast domain into smaller broadcast domain logically at layer 2. If we create different VLANs then by default, a host from one VLAN can communicate with all the hosts residing in the same VLAN. If we want some hosts not able to reach other hosts within the same VLAN, then concept of VLAN Access-list or Private VLAN can be used. (Access-list, is a set of various permit or deny conditions, used for packet filtering)

VLAN ACL (VACL) –
VLAN ACL is used to filter traffic of a VLAN (traffic within a VLAN i.e traffic for destination host residing in same VLAN). All packets entering the VLAN are checked against the VACL.Unlike Router ACL, VACL is not defined in a direction but it is possible to filter traffic based on the direction of the traffic by combining VACLs and Private VLAN features.

Procedure –



  1. Define the standard or extended access list to be used in VACL –
    An access-list should be defined to identify the type of traffic and the hosts on which it is applied.

  2. Define a VLAN access map –
    A VLAN access-map is defined in which hosts IP address will be matched (using the access-list defined)

  3. Configure an action clause in a VLAN access map sequence –
    This will tell what action (forward or drop) should be taken on the traffic (defined in the VLAN access-map)

  4. Apply the VLAN access map to the specified VLANs –
    The last step in the configuration of VACL is to create filter list specifying, on which VLAN the access map has been applied.

  5. Display VLAN access map information –
    We can verify the information by using the command.

Configuration –

There is a switch named as switch1 which is connected to 3 routers named as Router1 (IP address-192.168.1.1/24), Router2 (IP address-192.168.1.2/24) and Router3 (IP address-192.168.1.3/24) as shown in the figure.
Configuring IP address on Router1.

Router1(config)#int fa0/0
Router1(config-if)#ip address 192.168.1.1 255.255.255.0
Router1(config-if)#no shut

Configuring IP address on Router2.

Router2(config)#int fa0/0
Router2(config-if)#ip address 192.168.1.2 255.255.255.0
Router2(config-if)#no shut

Configuring IP address on Router3.

Router3(config)#int fa0/0
Router3(config-if)#ip address 192.168.1.3 255.255.255.0
Router3(config-if)#no shut

In this task, we will deny traffic from Router1 to Router3 using VACL.
Configuring access-list on switch1 stating that all IP traffic should be allowed from host 192.168.1.1 to 192.168.1.3


switch1(config)#ip access-list extended My_access_list
switch1(config-ext-nacl)#permit ip host 192.168.1.1 host 192.168.1.3 

Now, configuring VLAN access-map which states that match the IP address defined in access-list and take action of drop (which means traffic should not be allowed from 192.168.1.1 to 192.168.1.3).

switch1(config)#vlan access-map Mapping 10
switch1(config-access-map)#match ip address My_access_list
switch1(config-access-map)#action drop 
switch1(config-access-map)#exit

In the first command, 10 is the sequence number of access-map. If we not define any sequence number then it will automatically take 10 as sequence number.
Now, for the traffic from Router1 (192.168.1.1) to Router3 (192.168.1.3), the traffic will be dropped but what about the traffic from Router2 to Router3?
The traffic from Router2 to Router3 will also get drop because no action is defined for this traffic (implicit deny). Therefore, we have to define anotger rule stating that the other traffic should be allowed.

switch1(config)#vlan access-map Mapping 20
switch1(config-access-map)#action forward 
switch1(config-access-map)#exit

In the first command, 20 is the sequence number which means this rule will be checked after the first rule having sequence number 10.
At last, we will assign this access-map, named as My_access_list, to a VLAN (here VLAN 1)

switch1(config)#vlan filter Mapping vlan-list 1

To verify the configuration, use the command.

switch1#show vlan access-map

This command will display the access-map. This will display the name of the access-map, sequence number of the rule and the access-list name (that have been used).

switch1#show vlan filter

This will display the VLANs which are filtered by vlan access-map.



My Personal Notes arrow_drop_up

Check out this Author's contributed articles.

If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.




Article Tags :
Practice Tags :


Be the First to upvote.


Please write to us at contribute@geeksforgeeks.org to report any issue with the above content.