Hi Buddy,

Greetings of the day.

Hope you are doing well.

Kindly find your answer below, Hope it will be informative for you.

VLAN ACL & ACL both are utterly different technologies.Let me explain.

=======================================================

ACL:- You apply an ACL to the SVI to control how traffic is routed b/w VLANs on an L3 switch. An ACL applied to an SVI does nothing to control the traffic on the VLAN itself. The VLAN will carry whatever traffic is passed to it, with not filtering happening until it's routed.

Example:

This would deny any TCP traffic from VLAN1 to VLAN2

interface vlan1

ip address 192.168.1.1 255.255.255.0

access-group 1 in

!

interface vlan2

ip address 192.168.2.1 255.255.255.0

access-list 1 deny tcp any 192.168.2.0 0.0.0.255

==============================================

VLAN ACL:- The VACL is applied to a VLAN to control traffic WITHIN a VLAN. Ordinarily, you can't stop Host1 from talking to Host2 if they're connected to the same switch in the same VLAN. If they were in seperate VLANs, you could apply an ACL to the SVI to do it, but on the same VLAN, there's no filtering. This is where the VACL comes into play. The VACL applies to traffic in the VLAN. You can use a regular access-list or a mac-address access-list for this.

Example:

This would deny traffic destined to port 80 on vlan 1

vlan access-map test1 10
action drop
match ip address 110

!

access-list 110 permit tcp any any eq 80

!

vlan filter test1 vlan 1

========================

Regards,

PS Pandey