VACL

Overview

A VACL (VLAN access control list), which works much like a route map, can drop or forward frames based on predefined rules.

Configuration

Switch(config)# vlan access-map map-name [sequence-number]
Switch(config-access-map)# match ip address {acl-number | acl-name}
Switch(config-access-map)# match mac address acl-name
Switch(config-access-map)# action {drop | forward [capture] | redirect type mod/num}
Switch(config-access-map)# exit
Switch(config)# vlan filter map-name vlan-list vlan-list

Example

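Block host 192.168.99.17 from accessing 192.168.99.0/24 in VLAN 99. The ACL's permit entry only selects the traffic to match; the access map's action then drops it, and sequence 20, which has no match clause, forwards everything else.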

Switch(config)# ip access-list extended local-17
Switch(config-acl)# permit ip host 192.168.99.17 192.168.99.0 0.0.0.255
Switch(config-acl)# exit
Switch(config)# vlan access-map block-17 10
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
Switch(config-access-map)# vlan access-map block-17 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter block-17 vlan-list 99
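
The following Python model is an added example, not part of the original page and not Cisco code. It replays the block-17 access map against constructed packets to show first-match evaluation, the one-way nature of the block, and what happens without sequence 20. The function names and the rule that an IP packet matching no clause is dropped are assumptions of this simplified model.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# ACL local-17 from the example: (action, src, src_wildcard, dst, dst_wildcard)
ACLS = {
    "local-17": [("permit", "192.168.99.17", "0.0.0.0",
                  "192.168.99.0", "0.0.0.255")],
}

# Access map block-17: (sequence, ACL name or None for "no match clause", action)
BLOCK_17 = [(10, "local-17", "drop"), (20, None, "forward")]

def acl_permits(acl, src, dst):
    """First matching ACE wins; falling off the end is the implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action == "permit"
    return False

def vacl_action(access_map, src, dst):
    """Return (sequence, action) for an IP packet seen in the filtered VLAN."""
    for seq, acl_name, action in sorted(access_map, key=lambda c: c[0]):
        # A clause applies when its ACL permits the packet, or when it has
        # no match clause at all (it then applies to everything).
        if acl_name is None or acl_permits(ACLS[acl_name], src, dst):
            return seq, action
    return None, "drop"  # model assumption: no clause matched, packet dropped

if __name__ == "__main__":
    # Constructed sample packets (source, destination).
    packets = [
        ("192.168.99.17", "192.168.99.50"),  # blocked host to local subnet
        ("192.168.99.17", "10.1.1.1"),       # blocked host to another network
        ("192.168.99.50", "192.168.99.17"),  # local host toward the blocked host
    ]
    for src, dst in packets:
        print(src, "->", dst, vacl_action(BLOCK_17, src, dst))
    # Same map without sequence 20: unrelated traffic is dropped too.
    print(vacl_action(BLOCK_17[:1], "192.168.99.50", "192.168.99.1"))
```

The third packet shows that traffic sent toward 192.168.99.17 is still forwarded, because local-17 matches only on that host as the source.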
