Feb 22nd, 2007

Hey Everyone,

I have 3 networks:

Protected Vlan 1

DMZ - ->Vlan 1 ->Vlan 100

I need ACLs on the VLAN 100 to disallow traffic from the to initiate to anywhere with exception of

However, My DMZ and Protected should be able to connect to this vlan 100.

How would I go about this? Please provide an example.



purohit_810 Thu, 02/22/2007 - 11:56


Good. Please tell me one thing... are you doing inter-VLAN configuration?

If yes, you can configure an access-list and apply it on the sub-interface.

Look at the router ACL configuration at the END of this chat.


If it is on a separate interface on the PIX FIREWALL... in that case, you have to put the following commands.

access-list From-v100-v1 deny tcp


access-group From-v100-v1 in interface {Interface No}

Interface No: the interface connected to VLAN 100


On Router:

access-list 101 deny tcp

access-list 101 permit ip any any

Apply the access-list created above on the interface where VLAN 100 is connected.

int {interface No}

ip access-group 101 out

If you are still not able to solve the problem, please revert with a proper diagram.


Dharmesh Purohit

purohit_810 Thu, 02/22/2007 - 13:10

access-list 101 deny tcp

access-list 101 permit ip any any

int vlan 100

ip access-group in


Dharmesh Purohit

acomiskey Thu, 02/22/2007 - 13:12

^^ The problem with that is he wants 172.18 to be able to initiate connection to 192.168. With that acl 172.18 traffic would hit 192.168 but the reply from 192.168 would be denied, right?

acomiskey Thu, 02/22/2007 - 12:46

I thought so... allowing to only initiate to is easy.

access-list 100 permit ip host

access-list 100 deny ip any

int vlan 100

ip access-group 100 in

The issue you will run into is that the switch is not stateful like a firewall. So with the above access-list you would also block the replies from to to anywhere else. You could add

access-list 100 permit tcp any established

which would allow return tcp traffic to flow back to etc., but note this only works for tcp traffic, not udp. All in all, a switch is really not the greatest solution here, but it is possible, it just gets a little ugly.

rostoski123 Thu, 02/22/2007 - 17:59

Yeah, I was under the impression that the established only allows traffic back in that originates from inside.

access-list 100 permit tcp any established

would only allow return traffic? That's where I am confused. Thanks

acomiskey Thu, 02/22/2007 - 19:19

OK, if 172.18.x.x initiated a TCP connection to 192.168.1.x the traffic would be allowed as you do not have an ACL applied to vlan 100 with "ip access-group 100 out".

When 192.168.0.x replied to that connection, the traffic would be filtered by access-list 100 because it is applied into vlan 100. Without the keyword, the switch will drop the packet as you are not permitting to in your acl. But, by adding the established keyword to the acl the switch can be smart enough and act like a stateful firewall to allow the return traffic to flow. But like I said, this only works for tcp, so anything udp you would pretty much have to open up. Hopefully that makes sense.
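To make the "switch is not stateful" point concrete, here is an added simulation (not code from the thread) of how IOS evaluates access-list 100 inbound on vlan 100, once as posted and once with the `established` entry added. The addressing is assumed because the thread elides it: VLAN 100 is 192.168.0.0/24, the protected and DMZ side is 172.18.0.0/16, and 172.18.1.10 is the one host VLAN 100 may initiate to.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                # "tcp" or "udp"
    ack_or_rst: bool = False  # TCP ACK or RST bit set: the only thing IOS 'established' tests

@dataclass
class Entry:                  # one access-control entry (ACE) of a numbered extended ACL
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches any protocol
    src: str                  # CIDR; "0.0.0.0/0" stands for the keyword 'any'
    dst: str
    established: bool = False

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ip_address(p.src) not in ip_network(e.src) or ip_address(p.dst) not in ip_network(e.dst):
        return False
    # 'established' is a flag check, not a state lookup, so a UDP reply can never match it
    return not e.established or (p.proto == "tcp" and p.ack_or_rst)

def evaluate(acl: list, p: Packet) -> str:
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"

# Assumed addressing (not given in the thread): VLAN 100 is 192.168.0.0/24, the protected
# and DMZ side is 172.18.0.0/16, and 172.18.1.10 is the one host VLAN 100 may initiate to.
ANY = "0.0.0.0/0"
ACL_100 = [Entry("permit", "ip", "192.168.0.0/24", "172.18.1.10/32"),
           Entry("deny", "ip", "192.168.0.0/24", ANY)]
# The same ACL with 'permit tcp any any established' inserted ahead of the deny.
ACL_100_EST = [ACL_100[0], Entry("permit", "tcp", ANY, ANY, established=True), ACL_100[1]]
# Constructed packets entering the switch from VLAN 100, i.e. what 'ip access-group 100 in' filters.
NEW_TO_ALLOWED = Packet("192.168.0.5", "172.18.1.10", "tcp")
NEW_TO_OTHER = Packet("192.168.0.5", "172.18.5.5", "tcp")
TCP_REPLY = Packet("192.168.0.5", "172.18.5.5", "tcp", ack_or_rst=True)  # reply to a 172.18-initiated session
UDP_REPLY = Packet("192.168.0.5", "172.18.5.5", "udp")                   # reply to a 172.18-initiated UDP flow

if __name__ == "__main__":
    for pkt in (NEW_TO_ALLOWED, NEW_TO_OTHER, TCP_REPLY, UDP_REPLY):
        print(pkt, "plain:", evaluate(ACL_100, pkt), "established:", evaluate(ACL_100_EST, pkt))
```

The TCP reply flips from deny to permit once the established entry is present, while the UDP reply stays denied in both versions, which is the gap the thread warns about.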


