Saturday, November 29, 2008

How to set up an access list for a Cisco VLAN

We can use a VLAN ACL (VACL, also called a VLAN access map) to filter all types of traffic that are bridged within a VLAN or routed into or out of the VLAN. Unlike a router ACL, a VACL has no direction (input or output): once it is applied to a VLAN, every packet entering the VLAN from any port is checked against it, and a packet that matches none of the map's sequences is dropped by the implicit deny at the end of the map.

To configure a VACL, first define the standard or extended IP access lists that the access map will match on. One point is easy to get wrong here: in a VACL the access list only selects traffic. A permit entry means "this packet matches the sequence", and whether a matched packet is dropped or forwarded is decided by the map's action clause, not by the permit keyword. ACL 100 below therefore lists the source subnets whose traffic we intend to drop, and ACL 120 matches everything else:
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip 10.0.3.0 0.0.0.255 any
access-list 120 permit ip any any

If the client PCs get their addresses from DHCP, the broadcasts sent by not-yet-configured clients must be allowed explicitly, whatever their source address: an unconfigured client sends its DHCP requests from 0.0.0.0, from an auto-assigned 169.254.0.0/16 address, or from whatever address it last held. These requests must not be filtered. Because a permit entry in ACL 100 would select the DHCP traffic for the drop action, the DHCP match goes into its own access list (numbered 110 here) so that a map sequence ahead of the drop sequence can forward it:
access-list 110 permit udp any eq bootpc any eq bootps

Next, define the VLAN access map. An access map consists of one or more sequences, each with a match clause naming an IP access list and an action clause (forward or drop) that is applied to the packets the list selects. Sequences are evaluated in ascending order and the first match wins, so the DHCP forward gets the lowest sequence number, the drop of the three subnets comes after it, and a catch-all forward sequence closes the map, because without it everything that matches neither list would be dropped by the implicit deny:
vlan access-map mymap 5
match ip address 110
action forward

vlan access-map mymap 10
match ip address 100
action drop

vlan access-map mymap 20
match ip address 120
action forward
Finally, apply the access map to the VLAN or VLANs it should filter; vlan-list accepts a single VLAN ID, a comma-separated list or a range. In the following case we apply the map to the default VLAN, which is VLAN 1:
vlan filter mymap vlan-list 1
Check the result with show vlan access-map and show vlan filter. Keep in mind that the map applies to every port in the VLAN, including traffic to and from the switch's own SVI if that interface lives on VLAN 1, so review the sequence order before applying a map that contains a drop action.
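To see why the permit keyword in the ACL and the action in the map have to be read separately, here is a small evaluator written for this page; it is not part of the original post and not a Cisco tool. It parses only the subset of IOS syntax used above (numbered access lists with address/wildcard pairs, any, eq ports, and vlan access-map / match ip address / action), then runs constructed sample packets through the map: first-matching sequence wins, a permit entry selects the packet for the sequence's action, and anything no sequence selects is dropped. The access-list numbers, sequence numbers, addresses and packets are assumptions made for the illustration. It also goes a step beyond the page by showing two misconfigurations side by side with the working map: the DHCP permit appended to the access list that the map drops, and a map with no catch-all forward sequence.

```python
"""Model Cisco VLAN access-map semantics over sample packets (added example)."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"bootps": 67, "bootpc": 68}   # IOS keyword names for the DHCP ports
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"   # "ip" only appears in ACL entries, where it matches every protocol
    sport: int = 0
    dport: int = 0


def _parse_addr(tokens):
    """Consume 'any' or 'A.B.C.D WILDCARD', then an optional 'eq PORT'."""
    if tokens[0] == "any":
        net, tokens = ANY, tokens[1:]
    else:   # an IOS wildcard is the inverse of a netmask
        mask = ~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF
        net = ipaddress.IPv4Network((tokens[0], str(ipaddress.IPv4Address(mask))), strict=False)
        tokens = tokens[2:]
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return net, port, tokens


def parse_config(text):
    """Return ({acl: [(keyword, proto, src, sport, dst, dport)]}, {map: [[seq, acl, action]]})."""
    acls, maps, cur = {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            src, sport, rest = _parse_addr(t[4:])
            dst, dport, _ = _parse_addr(rest)
            acls.setdefault(int(t[1]), []).append((t[2], t[3], src, sport, dst, dport))
        elif t[:2] == ["vlan", "access-map"]:
            cur = maps.setdefault(t[2], [])
            cur.append([int(t[3]), None, None])
        elif t[:3] == ["match", "ip", "address"]:
            cur[-1][1] = int(t[3])
        elif t[0] == "action":
            cur[-1][2] = t[1]
    return acls, {name: sorted(seqs) for name, seqs in maps.items()}   # ascending sequence order


def acl_selects(entries, pkt):
    """First entry that fits the packet decides: 'permit' selects the packet for the
    sequence's action; 'deny', or no fitting entry (the implicit deny), leaves it unselected."""
    for keyword, proto, src, sport, dst, dport in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.IPv4Address(pkt.src) not in src or ipaddress.IPv4Address(pkt.dst) not in dst:
            continue
        if sport not in (None, pkt.sport) or dport not in (None, pkt.dport):
            continue
        return keyword == "permit"
    return False


def vacl_action(acls, seqs, pkt):
    """The first sequence whose access list selects the packet wins; otherwise implicit drop."""
    for _seq, acl, action in seqs:
        if acl_selects(acls.get(acl, []), pkt):
            return action
    return "drop"


def decide(config_text, map_name, pkt):
    acls, maps = parse_config(config_text)
    return vacl_action(acls, maps[map_name], pkt)


# Constructed config (assumed numbers): DHCP selected by its own ACL and forwarded
# by a sequence that runs before the drop sequence, with a catch-all at the end.
FIXED = """
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip 10.0.3.0 0.0.0.255 any
access-list 110 permit udp any eq bootpc any eq bootps
access-list 120 permit ip any any
vlan access-map mymap 5
 match ip address 110
 action forward
vlan access-map mymap 10
 match ip address 100
 action drop
vlan access-map mymap 20
 match ip address 120
 action forward
"""
# Mistake 1: the DHCP permit appended to ACL 100, the list the map drops (ACL 110 is then empty).
DHCP_IN_DROP_ACL = FIXED.replace("access-list 110", "access-list 100")
# Mistake 2: no catch-all 'permit ip any any' / forward sequence at the end of the map.
NO_CATCHALL = FIXED.split("vlan access-map mymap 20")[0]

# Constructed sample packets.
DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67)   # unconfigured client
RENEW = Packet("10.0.0.25", "10.0.0.1", "udp", 68, 67)            # unicast lease renewal
WEB_BLOCKED = Packet("10.0.0.25", "192.0.2.10", "tcp", 51000, 80)  # from a dropped subnet
WEB_OTHER = Packet("10.0.2.7", "192.0.2.10", "tcp", 51000, 80)     # from any other subnet

if __name__ == "__main__":
    for name, cfg in [("fixed", FIXED), ("dhcp in drop acl", DHCP_IN_DROP_ACL), ("no catch-all", NO_CATCHALL)]:
        print(name, [decide(cfg, "mymap", p) for p in (DISCOVER, RENEW, WEB_BLOCKED, WEB_OTHER)])
```

With the DHCP permit inside ACL 100, both the initial DISCOVER and the renewal are dropped even though the entry says permit; without the catch-all sequence, traffic from 10.0.2.0/24 is dropped although no line in the configuration mentions it. Both outcomes follow directly from "permit selects, the action decides" and from the implicit deny at the end of the map.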
