acl to separate VLANs 3550

Dear all,

I have a problem understanding the acls applied to my 3550 L3-Switch SMI.

I want to separate different VLANs on the 3550 enabled for routing. VLAN 10 = VLAN 20 =

The Default Gateways are the L3 SVI interface and

If I apply below acl inbound to the SVI of VLAN20

ip access-group 120 in

I can still ping from 10 to 20 and vice versa.

I have added a similar acl for subnet/VLAN 10. Same effect.

If I apply it to in and out. Access is effectively blocked. ip access-group 120 in ip access-group 120 out

Why does it not already work if I apply it inbound only??

I already checked the TCAM usage which is reported to show problems with the 3550. There are still enough free and the switch is processing in hardware.

Thanks for your hints, Alex

int vlan 20 ip address ip access-group 120 in

ip access-list extended 120 remark --------------------------- remark Access to VLAN 20 remark allow DHCP permit udp any any eq bootpc permit udp any any eq bootpS remark - remark Access from the switch' L3 SVI, the Gateway itself permit ip any remark Access from those VLANs permit ip any exit

Reply to
Loading thread data ...

Not really sure why the IN and OUT breaks the traffic, but just IN does not work because your ACL is only either VLAN 10 or 20 to any destination. This means that when the SVI receives the packet INBOUND to the VLAN, it inspects for a source of VLAN 10 or 20, and obviously allows. When you apply to out, this is the SVI filtering traffic leaving the VLAN, and in this case (providing you are using the same ACL) it should work as the source in your tests is ALWAYS in VLAN 10 or 20 (from what you have said).

Overall, if you want to limit, you need to remember that your inbound and outbound statements should be opposite.

OUT (presuming you don't want a different ACL for each SVI that only allows that single network) ANY ANY

This would allow any traffic from inside the VLAN to a network that is listed. Traffic to any other place would go in the bit bucket.


This means that only traffic from one of those two networks would be allowed into the VLAN.

Overall, not sure what you are trying to accomplish here, as your title says separating vlans, and this is really opening the two to each other. If you want to separate, you deny outbound to a destination of and vice versa on the other interface.

Reply to
Trendkill Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.