Extended Access Lists

Unanswered Question
Feb 25th, 2008

Hi There;

I have a switch with 5 vlans (192.168.1-5.X/24), connected to a router which has three interfaces (172.30.1-3.X/24) in addition to the uplink port. If I want the traffic from each of the 5 vlans to be able to talk (ping) to each of the 3 routing interfaces but not to be able to talk (ping) to any of the other vlans - is the best way to do it via extended access lists?


lamav Mon, 02/25/2008 - 13:42


That is the simplest way to do it, yes.


Istvan_Rabai Mon, 02/25/2008 - 20:51

Hi Austin,

This is a "router on a stick" configuration. In addition to the mentioned access-lists you will need to configure the uplink port of the router for trunking so it can carry all 5 vlans.



austindaz Mon, 02/25/2008 - 20:56

Hi there;

Would the access list look something like the following: "access-list 101 permit tcp eq icmp"?


Istvan_Rabai Tue, 02/26/2008 - 11:47

Hi Austin,

If you want to enable tcp traffic with no specific port numbers, then the acls may be the following:

For vlan 1:

access-list 101 permit tcp

This access-list must be applied inbound to the subinterface corresponding to vlan 1.

For vlan 2:

access-list 102 permit tcp

This access-list must be applied inbound to the subinterface corresponding to vlan 2.


These acls will allow tcp traffic from the appropriate vlans to the 172.30.x.x interfaces.

If you want to allow icmp (ping) traffic, then you should repeat the same lines with "icmp" instead of "tcp".

If you have doubts about how to configure the trunk interface on the router, please send me a response and I will help you.



austindaz Tue, 02/26/2008 - 13:29

Hi There;

Thanks very much for your assistance.

Can you explain more about the application of the access-group 'in' and 'out'. If I'm pinging from a specific 192 network (vlan1) to any of the 172 interfaces, doesn't that mean I would apply the above mentioned access-list 101 'out' on the vlan1 interface?


Edison Ortiz Tue, 02/26/2008 - 14:47

You have to think from the router perspective towards the networks.

If you are pinging from 192 network to a 172 network, you would place an ACL with 'in' on the interface facing the 192 network. Just picture it, traffic is coming from the 192 network towards the router so you block the incoming packet.

If you wanted to block the pinging after 'routing' takes place, you would place the ACL with 'out' towards the destination (in this case the 172 network) under the outgoing interface.

There are times when you need to decide if you want to block before it gets into the router or while it's leaving the router.
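The following is an added worked example, not configuration posted by anyone in this thread. It puts together Istvan_Rabai's router-on-a-stick advice (trunk subinterfaces plus one extended ACL per vlan, applied inbound) and Edison Ortiz's point about 'in' versus 'out' placement, using the networks from the original question. Interface names (FastEthernet0/0 as the trunk uplink, FastEthernet0/1, 1/0 and 1/1 as the three routed interfaces) and the .1 host addresses on each subnet are assumptions; substitute your own.

```cisco
! --- Router side: the uplink to the switch is an 802.1Q trunk carrying vlans 1-5 ---
interface FastEthernet0/0
 description trunk to switch (assumed interface name)
 no ip address
 no shutdown
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 102 in
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip access-group 103 in
!
interface FastEthernet0/0.4
 encapsulation dot1Q 4
 ip address 192.168.4.1 255.255.255.0
 ip access-group 104 in
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 ip access-group 105 in
!
! --- The three routed interfaces from the question (assumed names) ---
interface FastEthernet0/1
 ip address 172.30.1.1 255.255.255.0
interface FastEthernet1/0
 ip address 172.30.2.1 255.255.255.0
interface FastEthernet1/1
 ip address 172.30.3.1 255.255.255.0
!
! --- One extended ACL per vlan, applied 'in' on that vlan's subinterface ---
! Wildcard 0.0.255.255 on 172.30.0.0 covers all three 172.30.x.0/24 networks.
! Everything not explicitly permitted (including traffic to the other vlans)
! hits the implicit deny at the end of the list; the explicit deny with 'log'
! only makes those drops visible in the router log.
access-list 101 remark vlan 1 may ping and use TCP towards the 172.30 interfaces only
access-list 101 permit icmp 192.168.1.0 0.0.0.255 172.30.0.0 0.0.255.255
access-list 101 permit tcp 192.168.1.0 0.0.0.255 172.30.0.0 0.0.255.255
access-list 101 deny ip any any log
!
access-list 102 remark vlan 2
access-list 102 permit icmp 192.168.2.0 0.0.0.255 172.30.0.0 0.0.255.255
access-list 102 permit tcp 192.168.2.0 0.0.0.255 172.30.0.0 0.0.255.255
access-list 102 deny ip any any log
!
access-list 103 remark vlan 3
access-list 103 permit icmp 192.168.3.0 0.0.0.255 172.30.0.0 0.0.255.255
access-list 103 permit tcp 192.168.3.0 0.0.0.255 172.30.0.0 0.0.255.255
access-list 103 deny ip any any log
!
access-list 104 remark vlan 4
access-list 104 permit icmp 192.168.4.0 0.0.0.255 172.30.0.0 0.0.255.255
access-list 104 permit tcp 192.168.4.0 0.0.0.255 172.30.0.0 0.0.255.255
access-list 104 deny ip any any log
!
access-list 105 remark vlan 5
access-list 105 permit icmp 192.168.5.0 0.0.0.255 172.30.0.0 0.0.255.255
access-list 105 permit tcp 192.168.5.0 0.0.0.255 172.30.0.0 0.0.255.255
access-list 105 deny ip any any log
!
! --- For contrast: the 'out' placement Edison describes (filter after routing) ---
! Applied outbound on a 172.30 interface, a list like this only sees packets
! leaving that interface, so it says nothing about vlan-to-vlan traffic, which
! leaves through the vlan subinterfaces instead. That is why the inbound
! placement above is the one that meets the original requirement.
ip access-list extended VLANS-TO-172-30-1-OUT
 permit icmp 192.168.0.0 0.0.255.255 172.30.1.0 0.0.0.255
 permit tcp 192.168.0.0 0.0.255.255 172.30.1.0 0.0.0.255
!
! interface FastEthernet0/1
!  ip access-group VLANS-TO-172-30-1-OUT out
!
! --- Switch side of the trunk (assumed port) ---
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1-5
```

Two things to check after applying this: `show ip access-lists` should show the permit counters climbing when a host in vlan 1 pings 172.30.1.1, and the deny counter climbing when it pings a host in vlan 2. Because the inbound lists end in a deny, hosts in the vlans will also lose any path through the uplink port to networks beyond the router; if that is not wanted, replace the final deny with an explicit `deny ip any 192.168.0.0 0.0.255.255` followed by `permit ip any any`. Return traffic (the echo replies from 172.30.x.x) arrives on the routed interfaces, which carry no ACL, and leaves the vlan subinterfaces outbound, where no list is applied, so the pings complete.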

