ACL in Interface VLAN not working


I have a network based on (mostly) C3560G switches using L3 and OSPF everywhere except at the access ports where servers are connected. I was planning to use ACLs to restrict packet flow through the router part of the switches. I don't care about the packet flow in the L2 VLANs.

I was planning on dumping the unwanted packets based on source IP address, and dumping them at the destination network (entry point at the destination network). I have several networks (IP interfaces) configured at each access switch, and the ACLs are access-group'ed to the (SVI) interfaces on the access switches.

I have attached a sample configuration (from a C3550); the Gigabit interfaces are the L3 uplink configured with OSPF.

I have 2 questions, if anyone can be so kind as to explain :)

1) The ACLs need to be "ip access-group xx out" to be working in the "inbound" direction when applied to an SVI? This goes beyond my logic. Can anyone tell me why?

2) The ACL at interface Vlan102 is not working: a host with ip using as gateway has full access to a host with ip (The aim was to discard the packet if it doesn't match the ACL, and so I was expecting the reply packet from to be discarded, but it doesn't get discarded.)

The ACLs at VLANs 103 and 104 are functioning as needed, dropping packets from networks not matching the ACL (eg.

Has anybody found the holy grail on these issues?

Thanks in advance (I cannot figure out what is wrong here) ..

/Ulrik Jensen


vinoth_g Tue, 12/04/2007 - 06:16

1) I deny your first statement.. An ACL on a VLAN interface is the same as on a physical interface; you should use the "in" keyword for the inbound direction.

2) As per your ACL in interface VLAN102, it will allow packets only from to get into VLAN102... So it would work as per your requirements.

Can you give me the output of "show tcam interface vlan102 acl out ip"?


With "inbound" I mean packets being routed to the SVI, not coming in via a physical port on the switch. I can see that the ACLs have to be "ip access-group 1234 IN" (not IN) to have any effect on the L3-routed packets to the VLAN.


The switch doesn't seem to accept this command; should I have this instead, "show tcam outacl 1 entries"? (attached!)



Oh.. now, after 2 days of thinking, I found what caused the 2) ACL issue.

The ACL is working as expected.

I have a management LAN on which all my L3 switches have a physical port connected, and the switch which hosts the server with ip therefore has the subnet directly connected at a physical port, and the return path of the packet did not include a hop at the switch which has the gateway and the ACL :-(

A simple traceroute showed this to me a very short while ago. I just had to traceroute the return-path of the packet instead of the other way around.

Sorry to have wasted your time on this ... now I have to figure out how I can configure a physical management interface on a layer 3 switch which is not part of the routing table? Or maybe I need to have an outgoing access list distributed on all the L3 devices to limit packet flow into the management LAN, if I cannot remove the physical interface from the routing part.

The management lan is setup with unmanaged L2 switches, so I cannot do port isolation or VACLs unfortunately.

Thanks for your time and effort :)
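The asymmetric return path described above, modelled as an added Python example that is not part of the thread: an outbound SVI ACL is only evaluated when the packet is forwarded out that interface, so a reply delivered by another switch whose port sits in the same management subnet never meets it, while the same ACL applied outbound on every L3 device's management interface closes the gap. Addresses, interface names and the static routes are constructed stand-ins for the poster's attached configuration.

```python
from ipaddress import ip_address, ip_network

# Constructed topology, not the poster's addresses: the management subnet is
# directly connected to BOTH L3 switches (Vlan102 SVI on A, physical port on B).
MGMT = ip_network("10.99.0.0/24")   # management LAN, VLAN 102 on switch A
SRV = ip_network("10.50.0.0/24")    # server subnet, directly connected on B
MGMT_ACL = [("permit", MGMT)]       # only mgmt sources may enter VLAN 102

def acl_permit(acl, src):
    """First-match standard ACL as (action, network) pairs, implicit deny."""
    for action, net in acl:
        if ip_address(src) in net:
            return action == "permit"
    return False

def topology(acl_on_b=False):
    """Interfaces are {name: (subnet, out_acl)}; routes stand in for OSPF."""
    return {
        "A": {"ifaces": {"Vlan102": (MGMT, MGMT_ACL)}, "routes": {SRV: "B"}},
        "B": {"ifaces": {"Gi0/1": (MGMT, MGMT_ACL if acl_on_b else None),
                         "Vlan50": (SRV, None)}, "routes": {}},
    }

def forward(devices, first_hop, src, dst, max_hops=8):
    """Hop-by-hop forwarding; returns (delivered, path, drop_reason)."""
    path, dev = [], first_hop
    for _ in range(max_hops):
        path.append(dev)
        d = devices[dev]
        for name, (net, acl) in d["ifaces"].items():  # directly connected?
            if ip_address(dst) in net:                 # evaluate the out ACL
                if acl is not None and not acl_permit(acl, src):
                    return False, path, f"{dev}:{name} out ACL"
                return True, path, None
        nxt = next((h for p, h in d["routes"].items() if ip_address(dst) in p), None)
        if nxt is None:
            return False, path, f"{dev}: no route"
        dev = nxt
    return False, path, "hop limit"

def reply_via_gateway():
    """What the poster expected: the reply crosses A and hits Vlan102's ACL."""
    return forward(topology(), "A", "10.50.0.5", "10.99.0.10")

def reply_actual():
    """What happened: B delivers the reply on its own mgmt port, bypassing A."""
    return forward(topology(), "B", "10.50.0.5", "10.99.0.10")

def reply_with_acl_everywhere():
    """The fix the poster considers: the same out ACL on every mgmt interface."""
    return forward(topology(acl_on_b=True), "B", "10.50.0.5", "10.99.0.10")
```

A traceroute from the server side, as the poster did, is the real-world equivalent of inspecting the `path` returned here.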
