On Cisco IOS, ACLs can be applied to many different types of interfaces. The most commonly used is a Layer 3 interface: any physical, logical, or VLAN SVI interface that can be assigned an IP address. On these, ACLs can be applied in both the in and out directions. However, one may not know that you can also apply ACLs on Layer 2 switch port interfaces – VLAN ACLs. The only restriction is that you can only apply them in the inbound direction. So what if the traffic you want to restrict is located only within a VLAN, i.e. you want to govern traffic between hosts within the same VLAN? The solution is to use VLAN access maps.
Here is an example. Say you want to permit only SSH traffic within a given VLAN, VLAN 10.
First, define the access-list that selects SSH traffic only:
ip access-list extended SSH_ONLY
 permit tcp any any eq 22
Then define an access-list that selects all other traffic, to be used by the drop entry (the permit in this ACL only means "select this traffic"; the drop comes from the access-map action):
ip access-list extended DROP_ACL
 permit ip any any
Create a VLAN access map that allows only SSH traffic and drops all else:
vlan access-map VLAN10MAP 10
 action forward
 match ip address SSH_ONLY
vlan access-map VLAN10MAP 20
 action drop
 match ip address DROP_ACL
Note that the number following the map name (10 and 20 here) can be any value; it is just the sequence number that sets the order in which the entries of that access map are evaluated. Also, a matching ACL for the drop action MUST be present; otherwise it will drop all traffic.
Then apply the access map to the VLAN:
vlan filter VLAN10MAP vlan-list 10
Like regular ACLs, you can apply only one VLAN access map per VLAN. Also, since you cannot specify a direction the way you can on a physical or logical port, if you want to restrict traffic by direction you will need to incorporate that within the ACL itself.
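Because a VLAN access map is directionless and stateless, the SSH_ONLY ACL above matches only packets whose destination port is 22; the server's reply packets (source port 22, ephemeral destination port) fall through to sequence 20 and are dropped. The following is an added example, not configuration from the original post, that carries the same VLAN 10 policy through so that both halves of an SSH session are forwarded, and finishes with the standard IOS show commands for checking the result. The names VLAN10MAP, SSH_ONLY and DROP_ACL come from the post; the second ACL entry, the remarks and the verification commands are additions.

```text
! Added example (not from the original post): VLAN 10 permits only SSH,
! with both directions of the session matched because VACLs are stateless.
ip access-list extended SSH_ONLY
 remark client -> server: destination port 22
 permit tcp any any eq 22
 remark server -> client: source port 22 (return traffic)
 permit tcp any eq 22 any
!
ip access-list extended DROP_ACL
 remark "permit" here only selects traffic for the drop entry below
 permit ip any any
!
vlan access-map VLAN10MAP 10
 match ip address SSH_ONLY
 action forward
vlan access-map VLAN10MAP 20
 match ip address DROP_ACL
 action drop
!
vlan filter VLAN10MAP vlan-list 10
!
! Verification: confirm the map entries, their order and actions, and
! that the filter is bound to VLAN 10
show vlan access-map VLAN10MAP
show vlan filter
show ip access-lists SSH_ONLY
```

Two points to keep in mind when reading the show output: the map is evaluated in sequence order and the first matching entry wins, so the forward entry must carry the lower sequence number; and because the map contains only IP match clauses, non-IP frames such as ARP are not subject to it and continue to be forwarded, which is why hosts in VLAN 10 can still resolve each other before opening an SSH session.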
