vlan map ACL

Jun 21st, 2008

Hello friends,

I have a question about VLAN map ACLs.

We have around 54 VLANs:

VLAN 1 for management

VLAN 10 for servers

We want to allow all users to see VLAN 1 & 10, and deny them from seeing each other.

I did a sample test configuration:


ip access-list extended Allow-VLAN10&1
 permit ip any
 permit ip any
 permit ip any
 permit ip any
 deny ip any any
!
vlan access-map AllowTrafficMap 10
 match ip address Allow-VLAN10&1
 action forward
!
vlan filter AllowTrafficMap vlan-list 49


If I apply it, VLAN 49 cannot browse the internet. We have a Catalyst 4000 L3 switch.

Please suggest the best solution for me.


Best regards,

Edison Ortiz Sat, 06/21/2008 - 08:47

Simpler approach

access-list 10 deny [Vlan1]
access-list 10 permit any
access-list 1 deny [Vlan10]
access-list 1 permit any
!
interface Vlan 10
 ip access-group 10 in
!
interface Vlan 1
 ip access-group 1 in




Please rate helpful posts

motaibi-9 Sat, 06/21/2008 - 11:43

What you typed, man, is a standard ACL, and what I'm talking about is a VLAN map ACL, so it's different. I want VLAN 1 & 10 to be seen by all the users. Do you get my idea?

nathancielieska Sat, 06/21/2008 - 17:46


If I am reading this right, within each VLAN you would like users from VLAN 1 and VLAN 10 to communicate with anyone in the remaining VLANs (for example 5, 7, 15... whatever number).

So in your above configuration, this is what you are allowing within each VLAN (in this example VLAN 49):

10.64.10.x can do and see anyone

10.64.1.x can do and see anyone

Everyone destined to everything else is dropped. Your deny ip any any at the end does nothing: VACLs are like route-maps, and a deny just means that there isn't a match on that particular access-map statement. When that happens there is no VACL permit 20 with action forward, so it denies the traffic. It basically could be removed.

So with that logic, any traffic within that VLAN (including internet) will be dropped.

Here is what I would do if you want to use VACLs. If you have VLAN SVIs, that might be a better option with L3 access-lists if you're looking for alternatives.

List out your current VLAN IP subnets and summarize if possible:

Vlan 1 = Subnet 1

Vlan 2 = Subnet 2

ip access-list extended DROP
 permit ip any
 permit ip any
 ! ** exclude vlan/subnet 10 and 1
!
vlan access-map VACL 10
 match ip address DROP
 action drop
vlan access-map VACL 20
 action forward
!
vlan filter VACL vlan-list 49

Do this for all VLANs except for 10 and 1.

For 10 and 1:

ip access-list extended VLAN10
 permit ip any
 permit ip any
!
ip access-list extended VLAN1
 permit ip any
 permit ip any any
!
vlan access-map VACL10 10
 match ip address VLAN1
 action drop
vlan access-map VACL10 20
 action forward
!
vlan access-map VACL1 10
 match ip address VLAN10
 action drop
vlan access-map VACL1 20
 action forward
!
vlan filter VACL10 vlan-list 10
vlan filter VACL1 vlan-list 1

You really might look at some Layer 3 ACLs as suggested before, though.
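The route-map-like VACL semantics described in this reply, and the reason the original poster's map cuts VLAN 49 off from the internet, modelled as an added Python example that is not from the thread or from Cisco. The 10.64.49.0/24 and 10.64.50.0/24 subnets and the internet host address are constructed; the thread itself only mentions 10.64.1.x and 10.64.10.x.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed subnets: the thread names 10.64.1.x and 10.64.10.x only, so the
# VLAN 50 subnet and the internet address are assumptions for this example.
VLAN1 = ipaddress.ip_network("10.64.1.0/24")
VLAN10 = ipaddress.ip_network("10.64.10.0/24")
VLAN50 = ipaddress.ip_network("10.64.50.0/24")   # another user VLAN
INTERNET_HOST = "198.51.100.10"                   # RFC 5737 documentation range


def acl_permits(acl, src, dst):
    """Extended ACL as a list of (keyword, src_net, dst_net).
    First matching ACE wins; no match is an implicit deny."""
    for keyword, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return keyword == "permit"
    return False


def vacl_action(access_map, src, dst):
    """VACL as an ordered list of (match_acl, action). A sequence claims the
    packet only if its ACL *permits* it; a deny ACE or no ACE hit just moves
    on to the next sequence. A sequence without a match clause claims all
    traffic, and a packet no sequence claims is dropped."""
    for match_acl, action in access_map:
        if match_acl is None or acl_permits(match_acl, src, dst):
            return action
    return "drop"


# Original poster's map on VLAN 49: forward only traffic headed to VLAN 1 or
# VLAN 10. Any other destination never reaches a forwarding sequence, so the
# implicit drop at the end of the map eats it, internet traffic included.
ALLOW_ACL = [("permit", ANY, VLAN1), ("permit", ANY, VLAN10), ("deny", ANY, ANY)]
ALLOW_MAP = [(ALLOW_ACL, "forward")]

# Nathan's approach: sequence 10 drops traffic aimed at the other user VLAN
# subnets (VLAN 49's own subnet is left out of the list so hosts inside it can
# still reach each other, an assumption), sequence 20 forwards everything else.
DROP_ACL = [("permit", ANY, VLAN50)]
FIXED_MAP = [(DROP_ACL, "drop"), (None, "forward")]


def check(access_map, src, dst):
    """Return 'forward' or 'drop' for a packet from src to dst (dotted strings)."""
    return vacl_action(access_map, ipaddress.ip_address(src), ipaddress.ip_address(dst))


if __name__ == "__main__":
    for dst in ("10.64.10.20", INTERNET_HOST, "10.64.50.7"):
        print(f"10.64.49.5 -> {dst}: original={check(ALLOW_MAP, '10.64.49.5', dst)}, "
              f"fixed={check(FIXED_MAP, '10.64.49.5', dst)}")
```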
