Recently, I have been asked how to implement access control between VLANs on a Cisco switch. Generally, I will tell the other party how to apply the ACL to the virtual port of the corresponding VLAN on a layer-3 switch, in fact, I have no chance to practice it myself. Now we have a project that involves this demand. So we carefully studied how to implement access control between VLANs, and discovered the VLAN access control list (VACL) the access control list between VLANs is actually very different in implementation mode, although the two are similar literally.
We often say that the access control between VLANs is implemented by applying the ACL directly to the virtual port of the VLAN, which is the same as the ACL applied to the physical port. The VLAN access control (VACL), also known as the VLAN access ing table, is implemented in a different way than the former. It is applied to all communication streams in a VLAN. It supports Filtering Based on ETHERTYPE and MAC address to prevent unauthorized data streams from entering the VLAN. Currently, three VACL operations are supported: forward, drop, and redirect ).
VACL is rarely used. Pay attention to the following points during Configuration:
1) The last hiding rule is deny ip any, which is the same as ACL.
2) VACL is different from inbound and outbound.
3) if the ACL list contains permit and the VACL is drop, the data stream is dropped.
4) The VACL rules are applied before NAT.
5) One VACL can be used in multiple VLANs, but one VLAN can only be associated with one VACL.
6) The VACL is enabled only after the VLAN port is activated. Otherwise, the status is inactive.