IPv4 Access Control Lists (ACLs)
Overview
VACL Applications
VACLs filter any IPv4 traffic entering the switch on a VLAN configured with 
the “VLAN” ACL option.
vlan <vid> ip access-group <identifier> vlan
For example, in figure 10-2, you would assign a VACL to VLAN 2 to filter all 
inbound switched or routed IPv4 traffic received from clients on the 10.28.20.0 
network. In this instance, routed traffic received on VLAN 2 from VLANs 1 or 
3 would not be filtered by the VACL on VLAN 2. 
Figure 10-2. Example of VACL Filter Application to IPv4 Traffic Entering the Switch
Note: The switch allows one VACL assignment configured per VLAN. This is in 
addition to any other ACL applications assigned to the VLAN or to ports in the 
VLAN.
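The ingress-only behavior described above, as an added Python model (not code from this guide or from the switch software). The addresses come from figure 10-2; the VACL entries, the first-match and implicit-deny evaluation, and inferring the ingress VLAN from the source address are assumptions made for illustration.

```python
# Added example: models which VACL (if any) sees a packet in the figure 10-2 topology.
from ipaddress import ip_address, ip_network

# VLAN -> subnets, from figure 10-2 (subnet mask 255.255.255.0).
VLAN_SUBNETS = {
    1: [ip_network("10.28.10.0/24")],
    2: [ip_network("10.28.20.0/24")],
    3: [ip_network("10.28.30.0/24"), ip_network("10.28.40.0/24")],
}

# Constructed VACL for VLAN 2: ordered (action, source, destination) entries.
# Assumption: the first matching entry wins and unmatched traffic is denied.
VACLS = {
    2: [
        ("deny", ip_network("10.28.20.0/24"), ip_network("10.28.10.0/24")),
        ("permit", ip_network("10.28.20.0/24"), ip_network("0.0.0.0/0")),
    ],
}

def ingress_vlan(src):
    """VLAN on which a packet from src enters the switch (assumed from its subnet)."""
    addr = ip_address(src)
    for vid, nets in VLAN_SUBNETS.items():
        if any(addr in net for net in nets):
            return vid
    raise ValueError(f"{src} is not on a configured VLAN")

def vacl_verdict(src, dst):
    """Return (ingress VLAN, verdict); only the ingress VLAN's VACL is consulted."""
    vid = ingress_vlan(src)
    acl = VACLS.get(vid)
    if acl is None:
        return vid, "not filtered"  # no VACL on the VLAN the packet entered on
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return vid, action
    return vid, "deny"  # assumed implicit deny

if __name__ == "__main__":
    flows = [
        ("10.28.20.88", "10.28.10.5"),   # enters on VLAN 2, routed to VLAN 1
        ("10.28.20.88", "10.28.20.99"),  # enters on VLAN 2, switched within VLAN 2
        ("10.28.10.5", "10.28.20.88"),   # enters on VLAN 1, routed to VLAN 2
        ("10.28.40.22", "10.28.20.99"),  # enters on VLAN 3, routed to VLAN 2
    ]
    for src, dst in flows:
        print(f"{src} -> {dst}: {vacl_verdict(src, dst)}")
```

The last two flows reach VLAN 2 hosts without the VLAN 2 VACL being evaluated, so protecting those hosts from other VLANs requires ACLs applied where that traffic enters the switch.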
Static Port ACL and RADIUS-Assigned ACL Applications
An IPv4 static port ACL filters any IPv4 traffic inbound on the designated port, 
regardless of whether the traffic is switched or routed.
[Figure 10-2 diagram: a switch with IPv4 routing enabled connects three VLANs. VLAN 1 (one subnet): 10.28.10.1, with host 10.28.10.5. VLAN 2 with VACL (one subnet): 10.28.20.1, with hosts 10.28.20.88 and 10.28.20.99. VLAN 3 (multiple subnets): 10.28.30.1 and 10.28.40.1, with hosts 10.28.30.33 and 10.28.40.22. The clients are labeled A through E; clients B and C are on VLAN 2.]

Figure callout: The subnet mask for this example is 255.255.255.0. Configuring a VACL on VLAN 2 filters the inbound IPv4 traffic from clients B and C for all switched and routed destinations on all VLANs on the switch. Traffic routed from VLANs 1 and 3 to VLAN 2 is not filtered by the VACL on VLAN 2 because the configured VACL applies only to IPv4 traffic entering the switch on VLAN 2 (and not to traffic routed from other VLANs configured on the switch).