Hi,
To create a VLAN-based ACL, an access list needs to be created just the way it is created for a port-based ACL (PACL). For example the following access list named TESTVACL, will block all IP packets from host 192.168.2.10 to host 192.168.2.50, while allowing all other traffic:
Aruba(config)# ip access-list extended TESTVACL
Aruba(config-ext-nacl)# deny ip host 192.168.2.10 host 192.168.2.50
Aruba(config-ext-nacl)# permit ip any any
Aruba(config-ext-nacl)# exit
Suppose that both source and destination IP addresses in the ACL above are in VLAN 2 (192.168.2.0/24). Then the ACL TESTRACL can be applied to the VLAN 2 interface this way:
Aruba(config)# vlan 2
Aruba(vlan-2)# ip access-group TESTVACL vlan
Aruba(vlan-2)# exit
Notice the keyword vlan at the end of the ip access-group command. This keyword has to be used when both source and destination IP addresses belong to the same VLAN. In this case, the ACL is called a VLAN ACL, or VACL. If, instead of the keyword vlan, the keyword in is used like below:
Aruba(config)# vlan 2
Aruba(vlan-2)# ip access-group TESTVACL in
Aruba(vlan-2)# exit
Then the ACL will not filter out anything and host 192.168.2.10 can still talk to host 192.168.2.50.
The keywords in and out only work when the source and destination IP addresses belong to different VLANs. In this case the ACL is called a Routed IP ACL (RACL). Consider the example below:
Aruba(config)# ip access-list extended TESTRACL
Aruba(config-ext-nacl)# deny ip host 192.168.2.10 host 192.168.3.150
Aruba(config-ext-nacl)# permit ip any any
Aruba(config-ext-nacl)# exit
In this case the source host is in VLAN 2 (192.168.2.0/24) while the destination host is in VLAN 3 (192.168.3.0/24). We can apply this ACL as follows:
Aruba(config)# vlan 2
Aruba(vlan-2)# ip access-group TESTRACL in
Aruba(vlan-2)# exit
I am an HPE employee
