Feb 6th, 2008


I would like to only allow some traffic between a couple of servers on a VLAN and on a remote site, and block the other traffic.

For example, if I do:

access-list 180 permit host host


Int VLAN 599

ip access-g 180 in

Imagine that is a member of my VLAN servers

Imagine that VLAN 599 is where my router is connected to connect to

As far as I understand, this ACL will only allow to connect to

Will that block to connect to

Or do I need another ACL like:

access-list 181 permit host host

int vlan 599

ip access-g 181 out ?


a.cruea1980 Wed, 02/06/2008 - 10:07

No, you don't need another ACL.

VLANs allow traffic through by default. Your "ip access-g 180 in" should work just fine.

trombidz1 Thu, 02/07/2008 - 01:03


How about if I have another host on the remote site?

Will the traffic be blocked from to as well?

Jon Marshall Thu, 02/07/2008 - 01:31


Not sure I fully understand your topology.

Is vlan 599 the vlan where lives or

If it is, then your access-list applied on the vlan 599 interface inbound will have no effect, i.e.

your access-list says permit ip (presumably) from to

If vlan 599 is the vlan for then it will work fine. But if vlan 599 is the vlan for then it will actually block the return traffic, and it will do this because of the implicit deny at the end of access-list 180, because the return traffic is

source destination, which doesn't match the "access-list 180 permit ip host host". However, there is an implicit deny at the end of access-list 180, so it will be dropped.

So if vlan 599 is the vlan for you need to apply ACL 180 inbound on the vlan interface that connects to

Does this make sense?


trombidz1 Thu, 02/07/2008 - 01:41

OK, I'll clarify: is in vlan 599

source is

destinations are and

my acl is

access-list 180 permit host host

Int VLAN 599

ip access-g 180 in

So,

1) Do I need:

access-list 180 permit host host to allow the return traffic?

2) Do I need to do something on my ACL to deny traffic from to ?

Jon Marshall Thu, 02/07/2008 - 01:48

1) No, you don't, because ACL 180 is only applied inbound on interface vlan 599. So when the return traffic comes back from it will be outbound traffic on vlan 599, and as you don't have an ACL in the outbound direction you will be fine.

2) Do you mean and not because I thought you wanted to allow traffic to and from ?


If all your access-list 180 says is

access-list 180 permit ip host host

then you have an implicit deny at the end of the ACL, so in effect all traffic from vlan 599 will be blocked except traffic from to

If this is not what you want:

access-list 180 deny host host

access-list 180 permit ip any any

i.e. only stop traffic from vlan 599 to

If you want to actually stop from initiating a connection to then

access-list 181 deny ip host host

access-list 181 permit ip any any

then apply it to the interface that lives on, e.g.

vlan 600

ip access-group 181 in
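
The direction and implicit-deny behaviour described in this answer, simulated as an added example (this is not code from the thread). The addresses are constructed placeholders because the original IPs are not preserved here, and the two-VLAN layout (vlan599 for the server, vlan600 for the remote hosts), the first-match evaluator and the "no outbound ACL" assumption are all assumptions of the example.

```python
# Constructed sample addresses; the thread's real IPs were not preserved.
SERVER = "10.59.9.10"      # host living in vlan 599 (assumed layout)
REMOTE_A = "192.0.2.10"    # remote host SERVER is allowed to talk to
REMOTE_B = "192.0.2.20"    # remote host that must not initiate to SERVER

# An ACL is an ordered list of (action, source, destination) entries.
ACL_180 = [("permit", SERVER, REMOTE_A)]                      # permit-only version
ACL_180_DENY = [("deny", SERVER, REMOTE_B), ("permit", "any", "any")]
ACL_181 = [("deny", REMOTE_B, SERVER), ("permit", "any", "any")]

def acl_lookup(acl, src, dst):
    """Cisco-style evaluation: first matching entry wins; a packet that
    matches nothing hits the implicit 'deny ip any any' at the end."""
    for action, s, d in acl:
        if s in ("any", src) and d in ("any", dst):
            return action
    return "deny"

def forwarded(ingress, egress, src, dst):
    """A packet passes only if the ingress interface's inbound ACL and the
    egress interface's outbound ACL (None = no ACL) both permit it."""
    for acl in (ingress["in"], egress["out"]):
        if acl is not None and acl_lookup(acl, src, dst) == "deny":
            return False
    return True

def session_works(vlans, src_vlan, src, dst_vlan, dst):
    """A connection needs both the request and the return traffic forwarded."""
    request = forwarded(vlans[src_vlan], vlans[dst_vlan], src, dst)
    reply = forwarded(vlans[dst_vlan], vlans[src_vlan], dst, src)
    return request and reply

def scenario(vlan599_in, vlan600_in):
    """Apply the given ACLs inbound on each VLAN (no outbound ACLs) and report
    which sessions succeed, plus whether REMOTE_B's first packet reaches SERVER."""
    vlans = {"vlan599": {"in": vlan599_in, "out": None},
             "vlan600": {"in": vlan600_in, "out": None}}
    return {
        "server_to_A": session_works(vlans, "vlan599", SERVER, "vlan600", REMOTE_A),
        "server_to_B": session_works(vlans, "vlan599", SERVER, "vlan600", REMOTE_B),
        "B_reaches_server": forwarded(vlans["vlan600"], vlans["vlan599"], REMOTE_B, SERVER),
    }

if __name__ == "__main__":
    # ACL 180 inbound on vlan 599 (where SERVER lives): return traffic is unfiltered.
    print("180 in on vlan599:", scenario(ACL_180, None))
    # Same ACL applied inbound on the remote VLAN: the reply hits the implicit deny.
    print("180 in on vlan600:", scenario(None, ACL_180))
    # Deny only the unwanted pair on vlan 599, and stop REMOTE_B initiating on vlan 600.
    print("180-deny + 181:", scenario(ACL_180_DENY, ACL_181))
```

The second scenario is the misplaced-ACL case from the earlier answer: the request leaves fine but the reply is dropped by the implicit deny, so the session never completes.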



trombidz1 Fri, 02/08/2008 - 02:50


OK, thanks.

Last one:

Is it possible to put two different access-groups on an interface?

inter fa 0/0

ip access-group 180 out

ip access-group 190 in


Jon Marshall Fri, 02/08/2008 - 02:54

Yes, you can have one inbound and one outbound access-list on an interface.



