VLAN Access-List (VACL)

Hi Jie,

Private VLANs allow you to restrict traffic between VLANs or when you use the isolated VLAN, it prevents hosts within the VLAN from communicating with each other (similar to the protected port).

The VLAN access-list allows you to filter specific traffic within a VLAN.


Rene, Do you have a lesson on Port ACLs (PACL)?

Hi Jason,

Not yet, but let me show you something here. A Port ACL is a standard, extended or MAC access-list that is applied to a L2 switchport. For example:

Switch(config)#ip access-list extended PERMIT_EVERYTHING
Switch(config-ext-nacl)#permit ip any any

Switch(config)#interface GigabitEthernet 0/1
Switch(config-if)#ip access-group PERMIT_EVERYTHING in

Or if you want to filter MAC addresses:

Switch(config)#mac access-list extended SOURCE_MAC
Switch(config-ext-macl)#permit host fa16.3e0d.b11f any

Switch(config)#interface GigabitEthernet 0/2
Switch(config-if)#mac access-group SOURCE_MAC in


If we want to drop Computer A and B from accessing the server…. I get that we create a permit ACL (100) and anything that matches it is dropped with the VACL 10…. But what is the point of VACL 20? With the way VACL 10 is written… not only will computer A and B be dropped… but computer C, computer D, computer E, etc. etc. will be dropped as well. Why do we have to have a "forward all other traffic" list? There's nothing to forward because all source IPs wanting to reach the server will be dropped……why do you have to follow it up with VACL 20?

Let's say there was also a computer C and a computer D etc. etc.…… And we want computer C and computer D etc. to reach the server. We only want computer A and B to be denied (dropped) as you have shown…

I think I understand the access-list 100 is what matches us to the server… and the "action drop" will drop computer A and B from accessing the server…. But what about the access-list 100 or the match statement defines just computer A and B? How do you differentiate between Computer A & B… and the rest?

Hi Jason,

Let’s look at the VACL:

SwitchA(config)#access-list 100 permit ip any host

SwitchA(config)#vlan access-map NOT-TO-SERVER 10
SwitchA(config-access-map)#match ip address 100
SwitchA(config-access-map)#action drop
SwitchA(config-access-map)#vlan access-map NOT-TO-SERVER 20
SwitchA(config-access-map)#action forward

Thanks to statement 10, all traffic with destination will be dropped. This includes any device in the subnet. So far so good.

If you don’t add statement 20 then ALL traffic will be dropped. For example, when tries to reach, it would be dropped. That’s why we added statement 20.

If you only want to prevent ComputerA + B from reaching the server then you could specify these IP addresses in the access-list. However, since IP addresses are easy to change it would probably be better to create more separation by adding another VLAN. Use one VLAN where hosts are allowed to reach the server, another one where it’s not allowed and use access-lists on the SVI interfaces instead.


ACLs and Route Maps are my biggest struggle in my network studies. I understand your first sentence about statement 10. Your second sentence about statement 20 is confusing.
“If you don’t add statement 20 then ALL traffic will be dropped. For example, when tries to reach, it would be dropped. That’s why we added statement 20”
Why would that be the case? The Access-list and statement 10 are very specific in saying if any host tries to reach (the server) – DROP IT. That being the case…. Why would to be able to reach I don’t see how all traffic is dropped when we are so specific with the creation of the ACL

Hi Jason,

This is because the default action is always to drop the traffic. Without that second statement, the default action will be drop. That’s why I added it. Without any access-list in statement 20, all remaining traffic is permitted.

The same thing applies to normal access-lists. Everything you don’t permit is denied by the invisible “deny any” at the bottom of the access-list.
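To make the "default action is drop" point concrete, here is an added Python model of how a VLAN access-map evaluates a packet (example code, not from the lesson or the forum; the evaluation semantics and the IP addresses are assumed):

```python
from ipaddress import ip_address, ip_network

def ace(action, src, dst):
    """One access-list entry: action, source network, destination network."""
    return (action, ip_network(src), ip_network(dst))

def acl_permits(acl, src, dst):
    """Classic ACL evaluation: first matching entry wins, implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

def vacl_action(access_map, acls, src, dst):
    """Walk the access-map in sequence order (assumed IOS semantics).
    An entry with a match clause matches only if its ACL permits the packet;
    an entry without a match clause matches everything; no match at all -> drop."""
    for _seq, match_acl, action in sorted(access_map, key=lambda e: e[0]):
        if match_acl is None or acl_permits(acls[match_acl], src, dst):
            return action
    return "drop"

# Constructed addresses (assumed; the thread's own IPs are not shown on the page).
SERVER, COMPUTER_A, COMPUTER_B, COMPUTER_C = ("192.168.1.100", "192.168.1.1",
                                               "192.168.1.2", "192.168.1.3")
ANY = "0.0.0.0/0"
ACLS = {
    # access-list 100 permit ip any host <server>, as in the thread
    "100": [ace("permit", ANY, SERVER + "/32")],
    # Rene's alternative: name only computers A and B in the access-list
    "100-AB": [ace("permit", COMPUTER_A + "/32", SERVER + "/32"),
               ace("permit", COMPUTER_B + "/32", SERVER + "/32")],
}
# Entries are (sequence, match ACL or None, action), mirroring the CLI lines.
WITH_20 = [(10, "100", "drop"), (20, None, "forward")]
WITHOUT_20 = [(10, "100", "drop")]
ONLY_AB = [(10, "100-AB", "drop"), (20, None, "forward")]

def demo():
    """Verdicts for a few flows under each of the three access-maps."""
    return {
        "A->server, with 20": vacl_action(WITH_20, ACLS, COMPUTER_A, SERVER),
        "A->C, with 20": vacl_action(WITH_20, ACLS, COMPUTER_A, COMPUTER_C),
        "A->server, without 20": vacl_action(WITHOUT_20, ACLS, COMPUTER_A, SERVER),
        "A->C, without 20": vacl_action(WITHOUT_20, ACLS, COMPUTER_A, COMPUTER_C),
        "C->server, only A+B denied": vacl_action(ONLY_AB, ACLS, COMPUTER_C, SERVER),
    }
```

Without sequence 20, the A->C flow is dropped purely by the implicit default, which is the behaviour the question above was puzzled by.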


Can you explain to me what a VLAN access map is?

Hello Akhil

A VLAN Access Map is a data structure used in the application of VACLs. Specifically, it matches specific criteria and defines an action to take. An example is the following

Router(config)# vlan access-map thor 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward
Router(config-access-map)# exit

Once the VLAN access map is created it does nothing. It is not in effect until it has been applied to specific VLANs. This can be done with the following command for example:

Router(config)# vlan filter thor vlan-list 12-16

This command takes the VLAN access map and applies it to VLANs 12 to 16.

I hope this has been helpful!


Hi, my topology is two routers with L2 switch in the middle.

I applied your method for blocking IPv6 on the switch with the hope that the IPv6 client won't get the IPv6 address from the IPv6 server, because IPv6 should be blocked, but R3 got it anyway.


Hmm you used the same config as mine? What switch and IOS version did you use?

I removed my first question as I glossed over something that was stated that explained my questions.

It has to do with why there is no match statement on sequence 20. However, I then saw this:

• Sequence number 20 doesn’t have a match statement so everything will match, the action is to forward traffic.
As a result all traffic from any host to destination IP address will be dropped, everything else will be forwarded.

which is actually pretty interesting

Also, a second question.

Access-lists make devices work harder, correct? Meaning more CPU work? So having a lot of them can be a bad thing from a design principle if you are not careful, meaning we want to stay away from them unless we have to have them. Would that be the same for VACLs?

I read about that in a QoS post you had talking about classification and markings and how markings are better because classification which was ACL can make the devices work harder.

The reason that we use marking is that sometimes classification requires some complex access-lists / rules and can degrade performance on the router or switch that is doing classification. In the example above, the router receives marked packets so it doesn’t have to do complex classification using access-lists like the switch. It will still do classification but only has to look for marked packets.

Half way down page: https://networklessons.com/quality-of-service/introduction-qos-quality-service/

Hello Brian

It is true that both an access list as well as a VACL will use up more resources (CPU, memory, etc.) of a device. And yes, this is why marking can be used instead of classification to avoid using ACLs in order to improve resource usage. However, this is an alternative for a very specific situation, specifically QoS. VACLs filter traffic within a VLAN, something that cannot be done in another way. However, keep in mind that you would require hundreds of VACLs and lots of traffic in order to reach the point of saturating the resources of a device.

I hope this has been helpful!



As always, your answer is very helpful on this and the other posts you have made to help explain. You have been really active on the forums of late helping out and it's very appreciated!


Hi Rene,
I am trying to find out about VXLAN at all levels like CCNA, CCNP or CCIE but am not able to find it in any of your lessons, so do you have any document of your own written for VXLAN? I see some topics on Google but they're not good. Actually, one of my team mates wants to know about this but I can't help him, and I am also interested to know about this…

So do you have any documents on this?

Thanks & Regards,

Hello Arindom

There are currently no VXLAN lessons in the Networklessons site, however, as you can see from the new lessons that are coming out below, Rene continually updates content and adds materials.

I suggest you go to the Member Ideas section and post a recommendation to add VXLAN as course content.

In the meantime, @ReneMolenaar may have something more specific for you to take a look at.

I hope this has been helpful!


Let's say I have two switches (switch A, switch B, and a trunk between them) and VLAN X exists on both switches and the trunk, and I create a VACL on switch A and filter against VLAN X (maybe blocking traffic between hosts in VLAN X). Will devices on switch B be affected? For instance, if host 1 and 2 are both in VLAN X but both are connected directly to switch B, will the VACL still somehow be applied, or does the VACL have to be applied to both switches separately? Thanks!

Hello Edgar

A VACL is applied to a particular VLAN on a particular switch. Any and all traffic that traverses that VLAN on that particular switch will be acted upon. So in the scenario that you describe, if a VACL is created on switch A, it will only affect traffic traversing switch A on VLAN X. If there is traffic from a host on switch B to another host on switch B over VLAN X, this traffic will not be affected.

I hope this has been helpful!


Hi Rene,

My switch doesn't support VLAN ACLs. It doesn't support the commands:

show vlan filter
show vlan access-map 

IOS: L3 15.4.1T.

Please suggest kindly and thanks in advance.

Hi Binod,

What switch model / platform do you use?