Summary: This post gives a basic view on how to configure access lists on VLANs on Cisco switches.
Date: Around 2017
Refactor: 20 February 2025: Checked links and formatting.

This post gives a basic view on how to configure access lists on VLANs on Cisco switches and is created with nimnetwork in mind, the ports are defined as for this purpose.

Log into the vlan database switch (core switch) with level 15 access and issue these commands:

Vlan database
Vlan <vlan#> name <vlanname>
Exit

Log into the vlan database switch (core switch) with level 15 access and issue these commands:

Conf t  (Configuration Terminal)
Interface vlan <vlan#>
Ip address x.x.x.x  x.x.x.x
No shutdown (activates the vlan)
Exit

Log into the vlan database switch (core switch) with level 15 access and issue these commands:

show vlan

or

Show ip interface brief

Also, you can issue

show run

Or, when you're configuration levels lower:

do show run

Log into the vlan database switch (core switch) with level 15 access and issue these commands:

Conf t  (Configuration Terminal)
Interface vlan <vlan#>
Ip access-group <access-list#> in
Ip access-group <access-list#> out
ip helper-address <ipaddressbootp/dhcpserver>

NOTE

in

This defines access control on packets transmitted from the host. These packets are received into the router interface.

out

This defines access control on packets being sent to the host. These packets are transmitted out of the router interface. The default is out.

Log into the vlan database switch (core switch) with level 15 access and issue these commands:

Conf t (Configuration Terminal)
Enter the access-list (from your favorite text editor)

show access-lists
show access-lists | include Extended

• NIM Server: 10.10.3.7
• NIM Client: 10.11.1.2 (VLAN 29)
• DNS Server: 10.10.10.100

vlan database
vlan 29 name nimnetworkvlan
exit
conf t
interface vlan 29
ip address 10.11.1.1 255.255.0.0
no shutdown
ip access-group 128 in
ip access-group 129 out
ip helper-address 10.10.3.7
exit
access-list 128 permit icmp any any
access-list 128 permit tcp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.10.100 eq 53
access-list 128 permit tcp host 10.11.1.2 host 10.10.10.101 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.10.101 eq 53
access-list 128 permit udp host 10.11.1.2 host 10.10.3.7
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 1058
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 1059
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 2049
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 3901
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 3902
access-list 128 permit tcp host 10.11.1.2 host 10.10.3.7 eq 32774
access-list 128 permit tcp any any established
access-list 128 deny ip any any
access-list 129 permit icmp any any
access-list 129 permit udp host 10.10.10.100 host 10.11.1.2
access-list 129 permit udp host 10.10.10.101 host 10.11.1.2
access-list 129 permit ip host 10.1.3.7 host 10.11.1.2
access-list 129 permit tcp any any established
access-list 129 deny ip any any

We got these errors so that's why we opened udp:

list 128 denied udp 10.11.1.2(16799) -> 10.10.3.7(52186), 5 packets
list 128 denied udp 10.11.1.2(24412) -> 10.10.3.7(52187), 5 packets
list 128 denied udp 10.11.1.2(32024) -> 10.10.3.7(52188), 5 packets
list 128 denied tcp 10.11.1.2(32024) -> 10.10.3.7(32774), 5 packets

In order to find what packets are blocked change the deny line like this:

access-list 128 deny ip any any log
access-list 129 deny ip any any log

and issue this command on the switch console:

term mon

switch#vlan database
% Warning: It is recommended to configure VLAN from config mode,
  as VLAN database mode is being deprecated. Please consult user
  documentation for configuring VTP/VLAN in config mode.

switch(vlan)#
switch(vlan)#no vlan 216
Deleting VLAN 216...
switch(vlan)#exit
APPLY completed.
Exiting....