Product guide

10-18
Access Control Lists (ACLs)
Overview
VACL Applications
VACLs filter any IP traffic entering the switch on a VLAN configured with the "VLAN" ACL option:

vlan <vid> ip access-group <identifier> vlan
For example, in figure 10-2, you would assign a VACL to VLAN 2 to filter all inbound switched or routed IP traffic received from clients on the 10.28.20.0 network. In this instance, IP traffic routed into VLAN 2 from VLANs 1 or 3 would not be filtered by the VACL on VLAN 2.
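As an added example that is not part of the original guide, the following configuration applies a VACL to VLAN 2 in the figure 10-2 topology. The extended-ACL syntax is assumed to be that of the same switch family, and the ACL name and rule set are constructed for illustration.

```text
; Added example (not from the guide): VACL for VLAN 2 in figure 10-2.
; Assumed extended-ACL syntax; the ACL name and rules are constructed.
ip access-list extended "vacl-vlan2"
   ; Allow clients B and C (10.28.20.0/24) to reach VLAN 1 hosts over HTTPS only
   10 permit tcp 10.28.20.0 0.0.0.255 10.28.10.0 0.0.0.255 eq 443
   ; Deny and log any other IP traffic from VLAN 2 clients toward VLAN 1
   20 deny ip 10.28.20.0 0.0.0.255 10.28.10.0 0.0.0.255 log
   ; Everything else entering on VLAN 2 (e.g. toward VLAN 3) is permitted
   30 permit ip any any
   exit
; Apply the ACL as the one VACL allowed on VLAN 2
vlan 2 ip access-group "vacl-vlan2" vlan
```

Traffic from client A on VLAN 1 that is routed to clients B and C is never evaluated by this VACL, because it enters the switch on VLAN 1; filtering that direction requires a VACL on VLAN 1 or another ACL application.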
Figure 10-2. Example of VACL Filter Applications on IP Traffic Entering the Switch
Note: The switch allows one VACL assignment configured per VLAN. This is in addition to any other ACL applications assigned to the VLAN or to ports in the VLAN.
[Figure 10-2: a switch with IP routing enabled and three VLANs. VLAN 1 (one subnet, 10.28.10.1) serves client A at 10.28.10.5; VLAN 2, with the VACL (one subnet, 10.28.20.1), serves clients B and C at 10.28.20.88 and 10.28.20.99; VLAN 3 (multiple subnets, 10.28.30.1 and 10.28.40.1) serves clients D and E at 10.28.30.33 and 10.28.40.22.]

The subnet mask for this example is 255.255.255.0. Configuring a VACL on VLAN 2 filters the inbound IP traffic from clients B and C for all switched and routed destinations on all VLANs on the switch. IP traffic routed from VLANs 1 and 3 to VLAN 2 is not filtered by the VACL on VLAN 2, because the configured VACL applies only to IP traffic entering the switch on VLAN 2 (and not to IP traffic routed from other VLANs configured on the switch).