Cisco VLAN ACL using VLAN access maps


On Cisco IOS, ACLs can be applied to many different types of interfaces. The most commonly used is a Layer 3 interface: a physical, logical, or VLAN SVI interface that you can assign an IP address to. There, ACLs can be applied in both the in and out directions. What is less well known is that you can also apply ACLs on Layer 2 switch port interfaces – VLAN ACLs – with the restriction that they can only be applied in the inbound direction. So what if the traffic you want to restrict stays within a VLAN, i.e. you want to govern traffic between hosts in the same VLAN? The solution is to use VLAN access maps.

Here is an example. Say you want to permit only SSH traffic in a given VLAN, VLAN 10.

First, define the access-list that selects SSH traffic only:

ip access-list extended SSH_ONLY
 permit tcp any any eq 22

Then define an access-list to use for dropping all other traffic:

ip access-list extended DROP_ACL
 permit ip any any

Create a VLAN access map that allows only SSH traffic and drops all else:

vlan access-map VLAN10MAP 10
 action forward
 match ip address SSH_ONLY
vlan access-map VLAN10MAP 20
 action drop
 match ip address DROP_ACL

Note that the number following the map name (in this case 10) could be any number; it is just a sequence number that sets the order in which that access-map's entries are evaluated. Also, a matching ACL for the drop action MUST be specified; otherwise it will drop all traffic.

Then apply the access map to the VLAN:

vlan filter VLAN10MAP vlan-list 10

Like regular ACLs, you can apply only one VLAN access map per VLAN. Also, you cannot specify a direction as you can on a physical or logical port, so if you want to restrict traffic in a particular direction, you will need to incorporate that within the ACL.
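To make the match semantics concrete, here is an added example (not from the original post) that models the map above in Python: it evaluates constructed sample packets against VLAN10MAP and shows why the direction caveat matters, since a reply sent from TCP port 22 back to the client's ephemeral port is not selected by SSH_ONLY and falls through to the drop entry. The Pkt class, parse_ace and the ACLS_BOTH_WAYS variant (which also selects traffic sourced from port 22) are my own constructions, not IOS code.

```python
# Added example, not from the original post: a simplified, stateless model of how a Cisco
# VLAN access map evaluates one packet. An ACL named in 'match ip address' selects traffic hit
# by a 'permit' ACE, entries are tried in sequence order, and unmatched traffic is dropped.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str   # 'tcp', 'udp', ...
    sport: int
    dport: int

def parse_ace(line):
    """Parse 'permit|deny <proto> any [eq P] any [eq P]' into (action, proto, sport, dport)."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    ports = []
    while rest:
        rest.pop(0)                        # the 'any' address keyword (only 'any' is modelled)
        if rest[:1] == ["eq"]:             # optional port qualifier for that side
            ports.append(int(rest[1])); rest = rest[2:]
        else:
            ports.append(None)
    return action, proto, ports[0], ports[1]

def acl_selects(acl, pkt):
    """True when the first ACE covering pkt is a permit, i.e. the map entry matches."""
    for line in acl:
        action, proto, sport, dport = parse_ace(line)
        if (proto in ("ip", pkt.proto) and sport in (None, pkt.sport)
                and dport in (None, pkt.dport)):
            return action == "permit"
    return False

def vacl_action(access_map, acls, pkt):
    """access_map: list of (sequence, action, acl_name); returns 'forward' or 'drop'."""
    for _, action, acl_name in sorted(access_map):
        if acl_selects(acls[acl_name], pkt):
            return action
    return "drop"   # implicit deny at the end of every VLAN access map

# The page's configuration, plus constructed sample packets from one SSH session.
ACLS = {"SSH_ONLY": ["permit tcp any any eq 22"], "DROP_ACL": ["permit ip any any"]}
VLAN10MAP = [(10, "forward", "SSH_ONLY"), (20, "drop", "DROP_ACL")]
SSH_REQUEST, SSH_REPLY, HTTP = Pkt("tcp", 51000, 22), Pkt("tcp", 22, 51000), Pkt("tcp", 51001, 80)

def evaluate(acls):
    return {n: vacl_action(VLAN10MAP, acls, p)
            for n, p in (("request", SSH_REQUEST), ("reply", SSH_REPLY), ("http", HTTP))}
# Constructed variant: also select traffic sourced from port 22 so the reply is forwarded.
ACLS_BOTH_WAYS = {**ACLS, "SSH_ONLY": ACLS["SSH_ONLY"] + ["permit tcp any eq 22 any"]}
```

With the page's ACLs, evaluate(ACLS) forwards the request but drops the reply; evaluate(ACLS_BOTH_WAYS) forwards both while still dropping other traffic such as HTTP.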
