Access Lists on Switches
- Router ACL
- Port ACL
- VLAN ACL
- MAC ACL
Router ACL
Port ACL
VLAN ACL (VACL)
VACL on a Bridged Port
VACL on a Routed Port
- VACL for input VLAN
- Input IOS ACL
- Output IOS ACL
- VACL for output VLAN
Configuring VACL
- Define the standard or extended access list to be used in VACL.
- Define a VLAN access map.
- Configure a match clause in a VLAN access map sequence.
- Configure an action clause in a VLAN access map sequence.
- Apply the VLAN access map to the specified VLANs.
- Display VLAN access map information.
Example 4-6. VACL Configuration Example
Switch(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Switch(config)# access-list 2 permit any
Switch(config)# vlan access-map mymap 10
Switch(config-access-map)# match ip address 1
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map mymap 20
Switch(config-access-map)# match ip address 2
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter mymap vlan-list 5-10
Switch(config)# end
Switch# show vlan access-map
Vlan access-map "mymap" 10
  Match clauses:
    ip address: 1
  Action: drop
Vlan access-map "mymap" 20
  Match clauses:
    ip address: 2
  Action: forward
Switch# show vlan filter
VLAN Map mymap is filtering VLANs: 5-10
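The following Python model is an added example and is not part of the book or of Cisco IOS. It encodes the evaluation rules behind Example 4-6 that the configuration steps above do not spell out: a standard ACL matches by wildcard mask and ends in an implicit deny; an access-map sequence "matches" only when the packet hits a permit ACE of the referenced ACL (a deny ACE, or no ACE, sends the packet on to the next sequence); sequences are tested in ascending order and the first match decides; a packet that matches no sequence is dropped by the VLAN map's implicit drop; and VLANs with no vlan filter applied forward everything. The addresses and VLAN numbers used as input are constructed test data.

```python
"""Model of how a Catalyst switch evaluates a VLAN access map (VACL).

Added example, not from the book or from Cisco. Addresses, VLAN numbers and
the second map variant are constructed for illustration.
"""
from __future__ import annotations

from ipaddress import IPv4Address
from typing import Optional


def ip_to_int(addr: str) -> int:
    return int(IPv4Address(addr))


class StandardAcl:
    """Numbered standard ACL: ordered (permit, network, wildcard) ACEs."""

    def __init__(self, number: int):
        self.number = number
        self.aces: list[tuple[bool, int, int]] = []

    def add(self, permit: bool, network: str, wildcard: str = "0.0.0.0"):
        self.aces.append((permit, ip_to_int(network), ip_to_int(wildcard)))
        return self

    def permits(self, src: str) -> bool:
        """True only when src hits a permit ACE (wildcard 1-bits are don't-care)."""
        s = ip_to_int(src)
        for permit, net, wc in self.aces:
            if (s | wc) == (net | wc):  # compare only the bits the wildcard keeps
                return permit
        return False  # implicit deny at the end of every ACL


class VlanAccessMap:
    """'vlan access-map NAME SEQ' with 'match ip address ACL' and 'action'."""

    def __init__(self, name: str):
        self.name = name
        self.sequences: dict[int, tuple[Optional[StandardAcl], str]] = {}

    def sequence(self, seq: int, action: str, match: Optional[StandardAcl] = None):
        assert action in ("forward", "drop")
        self.sequences[seq] = (match, action)
        return self

    def evaluate(self, src: str) -> str:
        for seq in sorted(self.sequences):  # lowest sequence number first
            acl, action = self.sequences[seq]
            if acl is None or acl.permits(src):  # no match clause matches all
                return action
        return "drop"  # nothing matched: the VLAN map's implicit drop


def parse_vlan_list(spec: str) -> set[int]:
    """'5-10,20' as accepted by 'vlan filter ... vlan-list' -> {5..10, 20}."""
    vlans: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


class Switch:
    def __init__(self):
        self.filters: dict[int, VlanAccessMap] = {}  # vlan -> applied map

    def vlan_filter(self, vmap: VlanAccessMap, vlan_list: str):
        for vlan in parse_vlan_list(vlan_list):
            self.filters[vlan] = vmap
        return self

    def bridge(self, vlan: int, src: str) -> str:
        """Decision for a frame with IP source src bridged within VLAN vlan."""
        vmap = self.filters.get(vlan)
        return "forward" if vmap is None else vmap.evaluate(src)


def build_example_4_6() -> Switch:
    """The configuration of Example 4-6 expressed in this model."""
    acl1 = StandardAcl(1).add(True, "192.168.1.0", "0.0.0.255")
    acl2 = StandardAcl(2).add(True, "0.0.0.0", "255.255.255.255")  # permit any
    mymap = (VlanAccessMap("mymap")
             .sequence(10, "drop", acl1)
             .sequence(20, "forward", acl2))
    return Switch().vlan_filter(mymap, "5-10")


def build_without_sequence_20() -> Switch:
    """Constructed variant: sequence 20 omitted, so the implicit drop catches everything."""
    acl1 = StandardAcl(1).add(True, "192.168.1.0", "0.0.0.255")
    mymap = VlanAccessMap("mymap").sequence(10, "drop", acl1)
    return Switch().vlan_filter(mymap, "5-10")


if __name__ == "__main__":
    sw = build_example_4_6()
    for vlan, src in [(5, "192.168.1.25"), (7, "10.0.0.5"), (11, "192.168.1.25")]:
        print(f"VLAN {vlan} src {src}: {sw.bridge(vlan, src)}")
    print("without seq 20, src 10.0.0.5:", build_without_sequence_20().bridge(5, "10.0.0.5"))
```

The second builder shows why Example 4-6 needs sequence 20 with `permit any` and `action forward`: without it, traffic that does not match access-list 1 falls off the end of the map and is dropped, not forwarded.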
MAC ACL
Example 4-7. MAC ACL Configuration Example
Switch(config)# mac access-list extended my-mac-acl
Switch(config-ext-macl)# deny any any aarp
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# exit
Switch(config)# interface FastEthernet0/10
Switch(config-if)# mac access-group my-mac-acl in
Switch(config-if)# end