Who can help me with this ACL problem

Unanswered Question
Sep 23rd, 2007

Hi experts,

I have a Layer 3 switch and I am trying to accomplish this task: there are two VLANs, say VLAN 10 and VLAN 20. I want PCs in VLAN 10 to be able to ping VLAN 20, but PCs in VLAN 20 must not be able to ping PCs in VLAN 10. Can anyone give me some advice?

Thank you!

spremkumar Sun, 09/23/2007 - 22:20

Check for firewalls on the client PCs and also for ACLs under the VLANs.

If possible, post the config here.


diablo_mtc Sun, 09/23/2007 - 23:56

Thank you for replying.

I am afraid you do not understand what I mean, or maybe I did not express it clearly. What I want to do is that PCs in VLAN 10 can ping PCs in VLAN 20, but PCs in VLAN 20 cannot ping PCs in VLAN 10, just some kind of one-direction communication.

aboelhouwers Mon, 09/24/2007 - 01:55

Create an extended incoming access-list on interface vlan 20 with the following entries:

permit icmp any any echo-reply
deny ip any any

aboelhouwers Mon, 09/24/2007 - 04:53

Sorry, I meant an outgoing access-list, for example:

interface vlan 20
 ip address <address> <mask>
 ip access-group <acl-name> out

diablo_mtc Mon, 09/24/2007 - 16:17

How about TCP connections?

Can PCs in VLAN 20 open TCP/UDP connections to PCs in VLAN 10?

Edison Ortiz Mon, 09/24/2007 - 20:12

ip access-list extended Vlan20_IN
 deny icmp [vlan20 subnet] any echo
 permit ip any any
!
interface vlan 10
 ! direction keyword added: traffic sourced in VLAN 20 leaves this SVI outbound
 ip access-group Vlan20_IN out
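The proposals in this thread use almost the same ACL entries; what differs is the SVI and direction they are applied in, and that is what decides whether the one-way ping works and whether TCP and UDP from VLAN 20 get through. The model below is an added example, not part of the original thread and not a Cisco tool. It evaluates aboelhouwers' inbound and outbound placements on interface vlan 20, Edison Ortiz's Vlan20_IN (assumed to be applied outbound on interface vlan 10, the direction in which traffic from VLAN 20 leaves that SVI), and a fourth variant using the IOS `established` keyword that addresses the follow-up question about TCP. The subnets 192.168.10.0/24 and 192.168.20.0/24, the host addresses and the sample flows are constructed assumptions.

```python
"""Stateless model of Cisco IOS extended ACLs on two SVIs.

Constructed example for the one-way ping question in the thread; it is not
a Cisco tool. Subnets, host addresses, ACL placement and test flows are
assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VLAN10 = ip_network("192.168.10.0/24")  # assumed subnet of interface vlan 10
VLAN20 = ip_network("192.168.20.0/24")  # assumed subnet of interface vlan 20


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "icmp", "tcp" or "udp"
    icmp_type: str = ""                 # "echo" / "echo-reply" for icmp
    tcp_flags: frozenset = frozenset()  # e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Ace:
    """One access-list entry: protocol, source/destination, optional qualifiers."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str = "any"            # CIDR or "any"
    dst: str = "any"
    icmp_type: str = ""         # icmp qualifier, e.g. "echo-reply"
    established: bool = False   # tcp qualifier: ACK or RST bit set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.icmp_type and self.icmp_type != p.icmp_type:
            return False
        if self.established and not (p.tcp_flags & {"ACK", "RST"}):
            return False
        return True


def acl_permits(acl: list, p: Packet) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny ip any any."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


def forwarded(switch: dict, p: Packet) -> bool:
    """Route p between the SVIs. 'in' on an SVI filters packets arriving from
    that VLAN's hosts; 'out' filters packets leaving the switch toward them."""
    src_vlan = 10 if ip_address(p.src) in VLAN10 else 20
    dst_vlan = 10 if ip_address(p.dst) in VLAN10 else 20
    for acl in (switch.get((src_vlan, "in")), switch.get((dst_vlan, "out"))):
        if acl is not None and not acl_permits(acl, p):
            return False
    return True


H10, H20 = "192.168.10.5", "192.168.20.5"   # assumed hosts
FLOWS = {
    "ping 10->20 request": Packet(H10, H20, "icmp", icmp_type="echo"),
    "ping 10->20 reply": Packet(H20, H10, "icmp", icmp_type="echo-reply"),
    "ping 20->10 request": Packet(H20, H10, "icmp", icmp_type="echo"),
    "tcp 20->10 SYN": Packet(H20, H10, "tcp", tcp_flags=frozenset({"SYN"})),
    "tcp 10->20 return SYN/ACK": Packet(H20, H10, "tcp", tcp_flags=frozenset({"SYN", "ACK"})),
    "udp 20->10": Packet(H20, H10, "udp"),  # a UDP reply to VLAN 10 looks identical
}

ECHO_REPLY_ONLY = [Ace("permit", "icmp", icmp_type="echo-reply"), Ace("deny", "ip")]
# aboelhouwers' first suggestion: inbound on interface vlan 20
FIRST = {(20, "in"): ECHO_REPLY_ONLY}
# his correction: the same list outbound on interface vlan 20
CORRECTION = {(20, "out"): ECHO_REPLY_ONLY}
# Edison Ortiz's Vlan20_IN; assumed to be applied outbound on interface vlan 10
VLAN20_IN = {(10, "out"): [Ace("deny", "icmp", src=str(VLAN20), icmp_type="echo"),
                           Ace("permit", "ip")]}
# Added variant: 'established' lets VLAN 20 answer TCP sessions that VLAN 10 opened
ESTABLISHED = {(20, "in"): [Ace("permit", "icmp", icmp_type="echo-reply"),
                            Ace("permit", "tcp", established=True),
                            Ace("deny", "ip")]}


def evaluate(switch: dict) -> dict:
    """Which of the sample flows a given ACL placement lets through."""
    return {name: forwarded(switch, p) for name, p in FLOWS.items()}


if __name__ == "__main__":
    for label, switch in [("first (vlan20 in)", FIRST), ("correction (vlan20 out)", CORRECTION),
                          ("Vlan20_IN (vlan10 out)", VLAN20_IN), ("established (vlan20 in)", ESTABLISHED)]:
        print(label)
        for name, ok in evaluate(switch).items():
            print(f"  {name:<28} {'permit' if ok else 'DENY'}")
```

Running the script shows the trade-offs the thread circles around. The inbound placement on interface vlan 20 gives exactly the requested ping behaviour but also drops the SYN/ACK that a VLAN 20 server would send back to a VLAN 10 client, so TCP from VLAN 10 to VLAN 20 fails as well; moving the same list to the outbound direction blocks the echo requests from VLAN 10 instead and lets VLAN 20 ping VLAN 10. Vlan20_IN blocks only the echo requests and leaves TCP and UDP from VLAN 20 to VLAN 10 open, which answers the follow-up question for that variant. Adding `permit tcp any any established` inbound on vlan 20 admits only segments with ACK or RST set, so VLAN 20 can answer TCP sessions VLAN 10 opened but cannot open its own. UDP carries no such flag, so a stateless ACL cannot tell a reply from a new datagram; one-way UDP needs a stateful mechanism such as IOS reflexive ACLs or a firewall feature.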