VLAN Access Lists

VACL = Vlan Access Control List, Catalyst sw. dokáží pomocí VACL filtrovat provoz v rámci VLANy
Na rozdíl od klasického ACL se neaplikuje na interface, ale na VLANu jako celek

• Switch(config)# vlan access-map map-name [sequence-number]
• Switch(config-access-map)# match ip address {acl-number | acl-name}
• Switch(config-access-map)# match ipx address {acl-number | acl-name}
• Switch(config-access-map)# match mac address acl-name
• Switch(config-access-map)# action {drop | forward [capture] | redirect type mod/num}
• Switch(config)# vlan filter map-name vlan-list vlan-list

Příklad, host 192.168.99.17 nesmí kontaktovat nikoho v jeho subnetu a ve VLAN99:

Switch(config)# ip access-list extended local-17
Switch(config-acl)# permit ip host 192.168.99.17 192.168.99.0 0.0.0.255
Switch(config-acl)# exit
Switch(config)# vlan access-map block-17 10
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
Switch(config-access-map)# vlan access-map block-17 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter block-17 vlan-list 99