ACL restriction on switched network

Unanswered Question
Feb 20th, 2007

Hi gents,

Which type of ACL should I use to restrict some IP subnets in an L2 (switched) environment?

I can't use MAC ACLs, as I have a lot of hosts. Can't use VLAN ACLs either. There are some restrictions.



Leo_Stobbe Wed, 02/21/2007 - 01:19

I have SwitchA connected to SwitchB.

They are connected to each other through a switched port (access port) in vlan 20.

There are some servers in Vlan20 connected to SwitchB.

SwitchB has the route to the ISP.

SwitchA - Interface Vlan 20

ip address

default gateway -

SwitchB - Interface Vlan 20

IP address

default gateway - Internet Gateway

SwitchA has vlan16 -

Hosts from this subnet access the internet through SwitchB and then SwitchA (and can also see the servers in vlan 20).

SwitchB doesn't have vlan 16.

It only has a back route to that subnet.

How can I restrict access to the servers?

Outbound ACL on interface Vlan20 on SwitchB?


Leo_Stobbe Wed, 02/21/2007 - 01:21


Hosts from this subnet access the internet through SwitchA and then SwitchB (and can also see the servers in vlan 20).

Outbound ACL on interface Vlan20 on SwitchA?

Jon Marshall Wed, 02/21/2007 - 03:19

Hi Leo

Do you have an SVI on switch A for vlan 16 then? I guess you must have. You could apply the following ACL on vlan 16 on switch A (named extended ACL syntax; the source and destination addresses did not survive in the post):

ip access-list extended filter
 deny ip
 permit ip any

On the vlan 16 interface:

ip access-group filter in

The destination network from the 10.16.x.x hosts will always be allowed unless it is a 10.20.x.x address.

If there are some addresses in the 10.20.x.x range that you want the 10.16.x.x clients to reach, you could add those to the top of the access-list.
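A fuller version of the configuration Jon describes, written here as an added example rather than text from the thread. It assumes the vlan 16 hosts are 10.16.0.0/16 and the servers are 10.20.0.0/16 (the thread only gives them as 10.16.x.x and 10.20.x.x), and the single exempted web server 10.20.0.10 is invented to show where an exception goes. It is applied inbound on SwitchA's vlan 16 SVI, so the filtering happens where vlan 16 traffic enters the routed path, before it crosses the vlan 20 link to SwitchB.

```cisco
! Added example; the /16 masks and the exempt server 10.20.0.10 are assumptions.
ip access-list extended VLAN16-TO-SERVERS
 remark Exceptions first: the ACL is evaluated top-down and the first match wins
 permit tcp 10.16.0.0 0.0.255.255 host 10.20.0.10 eq 80
 remark Block everything else from the vlan 16 subnet to the server subnet
 deny   ip 10.16.0.0 0.0.255.255 10.20.0.0 0.0.255.255 log
 remark Everything else (Internet via SwitchB) is allowed, as in Jon's permit line
 permit ip any any
!
interface Vlan16
 ip access-group VLAN16-TO-SERVERS in
!
! Verification after applying:
!   show ip interface Vlan16                 -> "Inbound access list is VLAN16-TO-SERVERS"
!   show ip access-lists VLAN16-TO-SERVERS   -> per-entry match counts
```

The `log` keyword on the deny entry makes blocked attempts visible in syslog, which is useful to confirm the rule is doing what you expect; it is process-switched on most platforms, so keep an eye on CPU if the hit rate is high. Return traffic from the servers to vlan 16 leaves the SVI outbound and is not touched by this inbound list, so no mirror entries are needed. Tightening the final `permit ip any any` to the vlan's own subnet is a possible hardening step, but then anything the hosts send from other addresses (DHCP discovery from 0.0.0.0, for example) must be accounted for explicitly.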



jain.nitin Wed, 02/21/2007 - 02:24

Hi, apply an extended ACL on the vlan 20 interface as inbound and define the source and destination.

If it helps, do rate it.


