Topology
Lab setup
- Linux 2 belongs to VLAN 10. Linux 3 and Linux 4 belong to VLAN 20.
- The router is the DHCP server for VLANs 10 and 20.
- A default route points from the router to the internet, where the DVWA web application resides.
- VLAN 10 uses subnet 10.10.10.0/24 and VLAN 20 uses subnet 10.20.20.0/24.
Damn Vulnerable Web Application (DVWA)
The web app is accessed from Linux 2, which belongs to VLAN 10.
Lab objective
Use a VLAN access list (VACL) to prevent hosts in VLAN 20 from accessing DVWA.
Host addresses: Linux 3 – 10.20.20.3, Linux 4 – 10.20.20.4, Linux 2 – 10.10.10.2
Lab Configuration
- Define the access list that identifies the traffic to block (TCP port 80 from the VLAN 20 subnet to DVWA at 172.16.10.21).
ip access-list extended block_vlan20_dvwa
permit tcp 10.20.20.0 0.0.0.255 host 172.16.10.21 eq www
- Define the access list that matches all other traffic.
ip access-list extended allowed-others
permit ip any any
- Define the VLAN access-map.
vlan access-map vacl20 10
match ip address block_vlan20_dvwa
action drop
vlan access-map vacl20 20
match ip address allowed-others
action forward
Sequence 10 drops traffic from the VLAN 20 subnet to DVWA on TCP port 80. Note that the `permit` in block_vlan20_dvwa only selects the traffic; the access-map's `action drop` is what discards it. Sequence 20 forwards everything else; without it, the implicit drop at the end of the access-map would discard all other VLAN 20 traffic as well.
- Apply the VLAN access-map to VLAN 20.
vlan filter vacl20 vlan-list 20
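To make the evaluation order visible, here is an added Python model of this lab's VACL (example code, not Cisco's or the original post's). It assumes the documented semantics: an ACL `permit` inside an access-map only selects traffic, the sequence's `action` decides, an unmatched packet hits the implicit drop at the end of the map, and VLANs not named in `vlan filter` are not evaluated at all. The packets are constructed sample inputs.

```python
import ipaddress

# Added evaluator (not Cisco code): models the VACL from this lab to show its semantics.
# Constructed inputs; 'permit' in an ACL referenced by a VLAN access-map only SELECTS traffic,
# the map's 'action' decides, and a map ends with an implicit drop for unmatched traffic.
DVWA = "172.16.10.21"

# IOS wildcard masks written as prefixes: entries are (proto, src, dst, dst_port or None)
ACLS = {
    "block_vlan20_dvwa": [("tcp", "10.20.20.0/24", DVWA + "/32", 80)],
    "allowed-others": [("ip", "0.0.0.0/0", "0.0.0.0/0", None)],
}
ACCESS_MAP = [(10, "block_vlan20_dvwa", "drop"), (20, "allowed-others", "forward")]
VLAN_FILTER = {20: ACCESS_MAP}  # 'vlan filter vacl20 vlan-list 20'

def acl_matches(entries, proto, src, dst, dport):
    """True when any permit entry covers the packet (ACL implicit deny = no match)."""
    for eproto, esrc, edst, eport in entries:
        if eproto not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(esrc):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(edst):
            continue
        if eport is not None and eport != dport:
            continue
        return True
    return False

def vacl_action(vlan, proto, src, dst, dport, vlan_filter=VLAN_FILTER):
    """Result for one packet: unfiltered VLANs forward; otherwise the first matching sequence wins."""
    if vlan not in vlan_filter:
        return "forward"
    for _seq, acl, action in sorted(vlan_filter[vlan]):
        if acl_matches(ACLS[acl], proto, src, dst, dport):
            return action
    return "drop"  # end of access-map: implicit drop

if __name__ == "__main__":
    print(vacl_action(20, "tcp", "10.20.20.3", DVWA, 80))   # drop: the lab's goal
    print(vacl_action(10, "tcp", "10.10.10.2", DVWA, 80))   # forward: VLAN 10 is not filtered
    print(vacl_action(20, "tcp", "10.20.20.4", DVWA, 443))  # forward: the ACL only matches port 80
    # Without sequence 20, VLAN 20 loses all its other traffic to the implicit drop
    print(vacl_action(20, "tcp", "10.20.20.4", "10.10.10.2", 22, {20: ACCESS_MAP[:1]}))  # drop
```

The third case is the caveat to keep in mind: the ACL matches only `eq www`, so DVWA on any other port would still be reachable from VLAN 20 unless the ACL is widened.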
Result
VLAN 10 can access DVWA; VLAN 20 cannot.
Hi,
It is a good effort, but basically the article would be more useful if it explained why we need this and gave a description or info about the commands.
Thanks
Brijesh Patel