VACL - VLAN Access-List

Cisco Sep 6, 2025

Access list to block traffic within the same VLAN.

Block by Layer 3 IP addresses

vlan access-map DENY_TRAFFIC 20
  action drop
  match ip address 101
	
access-list 101 permit ip host 192.168.2.2 host 192.168.2.3

vlan filter DENY_TRAFFIC vlan-list 200

Block by Layer 2 MAC addresses

vlan access-map DENY_MAC 20
  action drop
  match mac address INVAILD_MAC
	
mac access-list extended INVAILD_MAC
  permit host 00e0.1e58.598a host 00e1.6543.1234
	
vlan filter DENY_MAC vlan-list 200

Protected ports

Protected ports can not access any other protected port, but can access all other ports in the same VLAN.

Can also block unknown unicast to prevent the switch from forwarding a frame with a MAC address not in the address table to the protected port.

int fa 0/5
  switchport protected
  switchport block unicast
int fa 0/6
  switchport protected
	
show interfaces fa0/5 switchport

Recommended for you

Cisco

MGCP - Media Gateway Control Protocol

6 days ago • 1 min read

Cisco

SIP - Session Initiation Protocol

6 days ago • 1 min read

Cisco

RTP - Real-Time Transport Protocol

6 days ago • 1 min read

VACL - VLAN Access-List

MGCP - Media Gateway Control Protocol

SIP - Session Initiation Protocol

RTP - Real-Time Transport Protocol

VACL - VLAN Access-List

Block by Layer 3 IP addresses

Block by Layer 2 MAC addresses

Protected ports

Tags

Craig Garnham

Recommended for you

MGCP - Media Gateway Control Protocol

SIP - Session Initiation Protocol

RTP - Real-Time Transport Protocol