Filtering IPv4 traffic inbound on a VLAN

For a given VLAN interface on a switch configured for routing, you can assign an ACL as a VACL to filter inbound IPv4 traffic entering the switch on that VLAN. You can also assign the same ACL to multiple VLANs.

Syntax:

Within the vlan context.


ip access-group <ACL> { vlan-in | vlan-out }
no ip access-group <ACL> { vlan-in | vlan-out }

where: <ACL> = either an ACL name or an ACL ID number.

Assigns an ACL as a VACL to a VLAN to filter routed IPv4 traffic entering or leaving the switch on that VLAN. You can use either the global configuration level or the VLAN context level to assign or remove a VACL.

NOTE:

The switch allows you to assign a nonexistent ACL name or number to a VLAN. In this case, if you subsequently configure an ACL with that name or number, it automatically becomes active on the assigned interface. Also, if you delete an assigned ACL from the switch without subsequently using the no form of this command to remove the assignment to an interface, the ACL assignment remains and will automatically activate any new ACL you create with the same identifier (name or number).
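
The dangling assignments described in the note above can be found by auditing a saved configuration offline. The following Python code is an added example, not vendor code: it reports every ip access-group assignment whose ACL is not defined anywhere in the configuration. It assumes ACLs are defined by "ip access-list {standard|extended} <ACL>" lines and that VACL assignments appear inside vlan blocks; the sample configuration and the name find_dangling_vacls are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from a real switch).
# Assumed layout: ACL definitions start with "ip access-list ..." and
# VACL assignments sit inside a "vlan <vid>" block that ends with "exit".
SAMPLE_CONFIG = '''\
ip access-list extended "Mgmt-In"
   10 permit ip 10.10.0.0 0.0.0.255 any
   20 deny ip any any
   exit
vlan 10
   name "Mgmt"
   ip access-group "Mgmt-In" vlan-in
   exit
vlan 20
   name "Users"
   ip access-group "Users-In" vlan-in
   ip access-group 110 vlan-out
   exit
'''

ACL_ID = r'(?:"([^"]+)"|(\S+))'  # quoted name, or bare name/number
ACL_DEF = re.compile(r'^\s*ip access-list (?:standard|extended) ' + ACL_ID + r'\s*$')
VLAN_CTX = re.compile(r'^vlan (\d+)\s*$')
ASSIGN = re.compile(r'^\s*ip access-group ' + ACL_ID + r' (vlan-in|vlan-out)\s*$')

def find_dangling_vacls(config_text):
    """Return (vlan, acl_id, direction) for each VACL whose ACL is undefined."""
    defined, assignments, vlan = set(), [], None
    for line in config_text.splitlines():
        if m := ACL_DEF.match(line):
            defined.add(m.group(1) or m.group(2))
        elif m := VLAN_CTX.match(line):
            vlan = int(m.group(1))
        elif line.strip() == "exit":
            vlan = None  # left the current context
        elif (m := ASSIGN.match(line)) and vlan is not None:
            assignments.append((vlan, m.group(1) or m.group(2), m.group(3)))
    # Compare only after the whole file is read, so definition order is irrelevant.
    return [a for a in assignments if a[1] not in defined]

if __name__ == "__main__":
    for vlan, acl, direction in find_dangling_vacls(SAMPLE_CONFIG):
        print(f"VLAN {vlan}: {direction} references undefined ACL {acl!r}")
```

Each reported assignment is inactive today but will start filtering as soon as an ACL with that identifier is created, so either remove it with the no form of the command or define the intended ACL deliberately.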

Methods for enabling and disabling VACLs