Filtering traffic with vlan access list



Lab setup

  1. Linux 2 belongs to vlan 10. Linux 3 and Linux 4 belong to vlan 20.
  2. The router is the DHCP server for vlan 10 and vlan 20.
  3. A default route from the router points to the internet, where the web application DVWA resides.
  4. VLAN 10 subnet and VLAN 20 subnet

Damn Vulnerable Web Application (DVWA)

The web app is accessed from Linux 2 which belongs to vlan 10.


Lab objective

Use a vlan access list (VACL) to prevent hosts in vlan 20 from accessing DVWA.

Linux 3 –, Linux 4 –, Linux 2 –

Lab Configuration

  1. Define an access list that matches the traffic to block (vlan 20 subnet to the DVWA host on tcp/80):

ip access-list extended block_vlan20_dvwa
 permit tcp host eq www

  2. Define an access list that matches everything else:

ip access-list extended allowed-others
 permit ip any any

  3. Define the vlan access-map:

vlan access-map vacl20 10
 match ip address block_vlan20_dvwa
 action drop
vlan access-map vacl20 20
 match ip address allowed-others
 action forward

Sequence 10 drops traffic from the vlan 20 subnet to DVWA. Sequence 20 forwards the rest; it is needed because a packet that matches no sequence of the access-map is dropped.

  4. Apply the vlan access-map to vlan 20:

vlan filter vacl20 vlan-list 20

Vlan 10 can now access DVWA; vlan 20 cannot.
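To make the evaluation order of the access-map concrete, here is an added Python model of how a VACL decides on a packet (first matching sequence wins, no match means drop); it is not part of the original lab and uses constructed addresses for the vlan 20 subnet and the DVWA host, which the page does not give.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed lab addresses: the original page does not give them.
VLAN20 = ipaddress.ip_network("192.0.2.0/24")      # assumed vlan 20 subnet
DVWA = ipaddress.ip_network("203.0.113.10/32")     # assumed DVWA host
ANY = ipaddress.ip_network("0.0.0.0/0")

# One access-control entry: (permit?, protocol, source net, destination net, dest port or None)
Ace = Tuple[bool, str, ipaddress.IPv4Network, ipaddress.IPv4Network, Optional[int]]
Packet = Tuple[str, str, str, int]   # (protocol, src ip, dst ip, dst port)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    _permit, proto, src_net, dst_net, dport = ace
    p_proto, p_src, p_dst, p_dport = pkt
    if proto != "ip" and proto != p_proto:           # "ip" covers every protocol
        return False
    if ipaddress.ip_address(p_src) not in src_net:
        return False
    if ipaddress.ip_address(p_dst) not in dst_net:
        return False
    return dport is None or dport == p_dport

def acl_matches(acl: List[Ace], pkt: Packet) -> bool:
    """Under 'match ip address', an ACL matches only when the first ACE that hits is a permit."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return False    # implicit deny at the end of the ACL: no match for this map sequence

def vacl_action(access_map: List[Tuple[int, List[Ace], str]], pkt: Packet) -> str:
    """Sequences are tried in ascending order; the first matching ACL sets the action."""
    for _seq, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl_matches(acl, pkt):
            return action
    return "drop"    # a packet matching no sequence of the access-map is dropped

# The page's two ACLs and the access-map, expressed as data
block_vlan20_dvwa = [(True, "tcp", VLAN20, DVWA, 80)]
allowed_others = [(True, "ip", ANY, ANY, None)]
vacl20 = [(10, block_vlan20_dvwa, "drop"), (20, allowed_others, "forward")]

if __name__ == "__main__":
    print(vacl_action(vacl20, ("tcp", "192.0.2.55", "203.0.113.10", 80)))     # drop
    print(vacl_action(vacl20, ("tcp", "192.0.2.55", "203.0.113.10", 443)))    # forward: only tcp/80 is blocked
    print(vacl_action(vacl20, ("tcp", "192.0.2.55", "198.51.100.7", 80)))     # forward
    print(vacl_action(vacl20[:1], ("tcp", "192.0.2.55", "198.51.100.7", 80))) # drop: no sequence 20
```

The second and fourth cases show the two things a practitioner should check: the ACL only covers port 80, so DVWA over HTTPS would still be reachable, and removing the catch-all forward sequence drops all other vlan 20 traffic.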




One thought on “Filtering traffic with vlan access list”

  1. Hi,

    It is a good effort, but basically the article would be more useful if it explained why we need this and gave a description or info about the commands.

    Brijesh Patel

