Wednesday, June 03, 2015

VACL Working Config


Goal: allow PC1 to talk to anything on the local LAN (10.12.14.0/24) but block it from reaching the Internet; allow PC2 (and only PC2) to reach the Internet; drop everything else bridged in the VLAN.

Note: 3750 layer-2 switch (ip routing disabled), running "c3750-ipservicesk9-mz.122-50.SE4.bin". Because nothing is routed, all three ports sit in one VLAN and a router ACL never sees the traffic; a VLAN access map (VACL) is what filters frames bridged within VLAN 44, and it is applied to every frame in the VLAN regardless of direction or ingress port.

Note: For some reason, I had to use wildcard masks instead of "host" (it wasn't working; I troubleshot it but gave up).


PC1: 10.12.14.134/24 (on port f1/0/5)

PC2: 10.12.14.133/24 (on port f1/0/7)

Internet Connection: (on port f1/0/9)


##############################################################
!
! ARP is not IP, so only a MAC ACL can match it: 0x806 is the ARP ethertype and
! 0x0 the "don't care" mask (an exact match). Without this entry the catch-all
! drop at the end of the map would discard ARP and no host could resolve a MAC.
mac access-list extended permitARP
 permit any any 0x806 0x0
!
! Any host in 10.12.14.0/24 to any other host in it. This covers PC1 <-> LAN
! (including the gateway's LAN address) but not PC1 -> an Internet destination.
ip access-list extended LocalOnlyACL
 permit ip 10.12.14.0 0.0.0.255 10.12.14.0 0.0.0.255
!
! PC2 (.133) to anywhere and back. Both directions are needed because the VACL
! is applied to every frame bridged in the VLAN, return traffic included.
ip access-list extended InternetOnlyACL
 permit ip 10.12.14.133 0.0.0.0 any
 permit ip any 10.12.14.133 0.0.0.0
!
! Entries are evaluated in sequence order and the first one whose ACL permits
! the frame decides. An entry with no match clause (sequence 20) matches everything.
vlan access-map myVACLMap 10
 action forward
 match ip address LocalOnlyACL
!
vlan access-map myVACLMap 11
 action forward
 match ip address InternetOnlyACL
!
vlan access-map myVACLMap 15
 action forward
 match mac address permitARP
!
vlan access-map myVACLMap 20
 action drop
!
! Apply the map to VLAN 44. The name here must be the access-map defined above.
vlan filter myVACLMap vlan-list 44
!
!
interface FastEthernet1/0/5
 switchport access vlan 44
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/7
 switchport access vlan 44
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/9
 switchport access vlan 44
 switchport mode access
 spanning-tree portfast
!
end

##############################################################
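To check the policy before pushing it to the switch, here is an added example (it is not part of the original post and not Cisco code): a small Python evaluator that walks the VLAN access map above with the same first-match rules the switch uses, run over a handful of constructed frames. The modelled semantics are assumptions drawn from the IOS VACL documentation as I read it: entries are tried in sequence order; a "match ip address" clause only considers IP packets and a "match mac address" clause only non-IP frames; a clause matches when the frame hits a permit line of the referenced ACL, while a deny line or the implicit deny means "no match, try the next entry"; an entry with no match clause matches everything; a frame that matches nothing is forwarded. The addresses 10.12.14.50 (another LAN host) and 93.184.216.34 (an Internet host) are placeholders that do not appear in the post.

```python
"""Added example (not from the post, not Cisco code): a model of how the VLAN
access map myVACLMap is evaluated, used to check the policy offline."""
import ipaddress

# IP ACLs from the post: (action, (src base, src wildcard), (dst base, dst wildcard)).
# "any" is written as 0.0.0.0 with an all-ones wildcard, as IOS stores it.
ANY = ("0.0.0.0", "255.255.255.255")
IP_ACLS = {
    "LocalOnlyACL": [
        ("permit", ("10.12.14.0", "0.0.0.255"), ("10.12.14.0", "0.0.0.255")),
    ],
    "InternetOnlyACL": [
        ("permit", ("10.12.14.133", "0.0.0.0"), ANY),
        ("permit", ANY, ("10.12.14.133", "0.0.0.0")),
    ],
}

# MAC ACLs from the post: (action, ethertype, don't-care mask).
MAC_ACLS = {"permitARP": [("permit", 0x0806, 0x0000)]}

# vlan access-map myVACLMap in sequence order: (seq, action, match kind, ACL name).
ACCESS_MAP = [
    (10, "forward", "ip", "LocalOnlyACL"),
    (11, "forward", "ip", "InternetOnlyACL"),
    (15, "forward", "mac", "permitARP"),
    (20, "drop", None, None),
]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def ip_acl_permits(name, src, dst):
    """True only if the first matching line is a permit (modelled assumption:
    a deny, or the implicit deny at the end, means the VACL clause does not match)."""
    for action, (sb, sw), (db, dw) in IP_ACLS[name]:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def mac_acl_permits(name, ethertype):
    for action, etype, mask in MAC_ACLS[name]:
        care = ~mask & 0xFFFF
        if (ethertype & care) == (etype & care):
            return action == "permit"
    return False


def evaluate(frame):
    """Return (sequence, action) of the deciding entry; (None, 'forward') if none matched."""
    is_ip = frame["ethertype"] == 0x0800  # modelled: anything else is 'non-IP' for the map
    for seq, action, kind, acl in ACCESS_MAP:
        if kind is None:
            return seq, action
        if kind == "ip" and is_ip and ip_acl_permits(acl, frame["src"], frame["dst"]):
            return seq, action
        if kind == "mac" and not is_ip and mac_acl_permits(acl, frame["ethertype"]):
            return seq, action
    return None, "forward"


def ip_frame(src, dst):
    return {"ethertype": 0x0800, "src": src, "dst": dst}


# Constructed traffic. Assumptions: 10.12.14.50 is some other LAN host and
# 93.184.216.34 stands in for an Internet host; neither appears in the post.
CASES = {
    "PC1 -> LAN host": ip_frame("10.12.14.134", "10.12.14.50"),
    "PC1 -> Internet": ip_frame("10.12.14.134", "93.184.216.34"),
    "PC2 -> Internet": ip_frame("10.12.14.133", "93.184.216.34"),
    "Internet -> PC2": ip_frame("93.184.216.34", "10.12.14.133"),
    "Internet -> PC1": ip_frame("93.184.216.34", "10.12.14.134"),
    "ARP request": {"ethertype": 0x0806},
    "DHCP DISCOVER": ip_frame("0.0.0.0", "255.255.255.255"),
    "other non-IP (0x86DD)": {"ethertype": 0x86DD},
}


def policy_report():
    """Map every constructed case to the (sequence, action) that handles it."""
    return {name: evaluate(frame) for name, frame in CASES.items()}


if __name__ == "__main__":
    for name, (seq, action) in policy_report().items():
        print(f"{name:24s} -> seq {seq}: {action}")
```

The row to notice is DHCP DISCOVER: it is sourced from 0.0.0.0 to 255.255.255.255, matches neither IP ACL and lands on the catch-all drop, so hosts in VLAN 44 must be statically addressed (as PC1 and PC2 are) or the map needs an extra forward entry for DHCP. The same catch-all drops every non-IP protocol other than ARP, since permitARP is the only MAC ACL in the map. Also note that the deny lines of an ACL used in a VACL never drop anything on their own; they only make that clause not match, which is why the explicit sequence-20 drop is what enforces the "block everything else" part of the goal.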
