Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Help with some ACLs for VACL

I need some help with acls for a vacl. Goal - have the subnet only communicate with certain IP.

So, they cannot get out to anywhere else and no one except that IP can get in.

Here is what I have so far:

access-list acl1 permit tcp host

access-list acl1 permit tcp host

access-list acl1 ip any log

access-list acl1 ip deny any any log

vlan access-map vacl1 1

match ip address set acl1

action forward


vlan filter vacl1 vlan-list 11

Will this work as I expect it to?

Thanks for any help

  • Other Network Infrastructure Subjects

Re: Help with some ACLs for VACL

Looks okay, theoretically, vacl map would allow packets that the acl permits from host .4 from subnet 1.1.1.x and vise versa. I would be careful with log keyword, this would cause the packet be processed in software which would casue the cpu to spike.

Please rate helpful posts.

New Member

Re: Help with some ACLs for VACL


I implemented this on my 6509 and it didn't work. I even modified it to look like the following and it didn't work (I could RDP to one of the boxes on that the subnet).

ip access-list extended rapt_acl

deny ip any any

deny tcp any any

deny udp any any

vlan access-map rapt_vacl 10

match ip address set rapt_acl

action forward


vlan filter rapt_vacl vlan-list 90

Any thoughts what I may be missing?

Re: Help with some ACLs for VACL

yeah, the ACL does not permit anything at all. what are you trying to forward again?

New Member

Re: Help with some ACLs for VACL

I was testing the acl in the first post and it should have only allowed port 80 to the server and port 25 out. However, it did not work because I could still RDP to the box. So, I tested with deny any any and I still could rdp tothe box. I was expecting no access in or out with the deny.

Not sure what i am doing wrong or missing.