Applying ACL for a VLAN

Mar 20th, 2008

I need someone to straighten me out on this...I always get confused.

I have an Internet L3 switch (3560) that has an L3 vlan interface for devices that face the internal network (DMZ).

I want to deny all traffic from the corporate network except for 3 subnets that the network engineers are on.

OK, no biggie:

ip access-list standard DENY_UNAUTH_USERS
 remark deny all corporate traffic except for the 4, 5 and 6 subnets

 deny any log

Now, the kicker, I want to prevent traffic from the internal network from entering the 3560. In which direction should I apply the ACL, in or out?

Should it be

interface vlan 60
 ip access-group DENY_UNAUTH_USERS in (?)

interface vlan 60
 ip access-group DENY_UNAUTH_USERS out (?)

It's tricky with vlans, it's not like a physical interface.

I believe that it should be in the out direction.

glen.grant Thu, 03/20/2008 - 06:27

If vlan 60 is the connecting link then it would be in the "in" direction.

lamav Thu, 03/20/2008 - 06:50

vlan 60 is the interface that faces the internal network. It's a DMZ interface... makes sense?

I want to block users from the internal network who sit "behind" that vlan 60 interface.

So, it would still be in the "in" direction?

[EDIT] The users I want to block do not sit on vlan 60. That's a DMZ vlan that connects the internal network to the internet router. The users are on the corporate vlan (21, 22, etc.)

Jon Marshall Sun, 03/23/2008 - 02:13

Think of it like this.

An access-list applied outbound to a vlan interface is traffic going TO machines on that vlan.

An access-list applied inbound to a vlan is traffic coming FROM machines on that vlan.

Oh yes, and no problem with the typo as I said in the other post, we all do it :-)


lamav Sun, 03/23/2008 - 10:09

"Oh yes, and no problem with the typo as i said in other post, we all do it :-)"

You're a regular riot, Alice!! Think you're slick, huh? ;-)

Anyway, as for the vlan ACL (take a look at that drawing again), let's say the traffic originates on the core, gets forwarded "up" to the ASA, and then to the Internet router. Then the ACL must be applied to the Internet router's vlan 60 interface inbound? That makes vlan 60 a sort of connecting vlan, then, right?


Jon Marshall Sun, 03/23/2008 - 15:40

Sorry Victor, couldn't resist :-)

Correct in what you say. Vlan 60 is there purely for connecting the ASA devices to the Internet routers. And yes the acl should be applied inbound on the vlan 60 interface.

Once again appreciate the ratings and would have answered the question anyway you know.
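To make Jon Marshall's rule concrete (inbound on an SVI = traffic coming FROM hosts reached via that vlan, outbound = traffic going TO them) and the conclusion that the ACL belongs inbound on vlan 60, here is an added example, not code from the thread or from Cisco. It models a standard ACL and its application on an SVI in each direction and runs constructed packets through it. The engineer subnets (10.0.4.0/24 etc.), the Internet-facing vlan 10 and the addresses are all assumptions; the thread gives only the ACL name, vlan 60 and the "4, 5 and 6" subnets.

```python
"""Added example (not from the thread): a small model of how a standard ACL
behaves when applied 'in' versus 'out' on an SVI such as interface vlan 60."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical stand-ins for the "4, 5 and 6" engineer subnets; the real
# prefixes are not given in the thread.
ENGINEER_SUBNETS = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
ASA_FACING_VLAN = 60   # from the thread: vlan 60 connects the ASA to the Internet router
INTERNET_VLAN = 10     # hypothetical: the vlan the default route points out of


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress_vlan: int   # SVI the packet arrived on
    egress_vlan: int    # SVI the routing decision sends it out of


def build_standard_acl(permitted: List[str]) -> List[Tuple[str, ipaddress.IPv4Network]]:
    """Ordered ACEs equivalent to 'permit <subnet>' x3 followed by 'deny any log'."""
    acl = [("permit", ipaddress.ip_network(n)) for n in permitted]
    acl.append(("deny", ipaddress.ip_network("0.0.0.0/0")))
    return acl


def evaluate_standard_acl(acl, src: str) -> str:
    """A standard ACL tests the SOURCE address only; the first matching ACE wins."""
    addr = ipaddress.ip_address(src)
    for action, net in acl:
        if addr in net:
            return action
    return "deny"  # the implicit deny at the end of every IOS ACL


def apply_on_svi(acl, vlan: int, direction: str, pkt: Packet) -> Tuple[bool, str]:
    """Return (acl_consulted, result).

    'in'  = packets coming FROM hosts reached via this vlan (they enter the switch here)
    'out' = packets going TO hosts reached via this vlan (they leave the switch here)
    """
    if direction == "in" and pkt.ingress_vlan == vlan:
        return True, evaluate_standard_acl(acl, pkt.src)
    if direction == "out" and pkt.egress_vlan == vlan:
        return True, evaluate_standard_acl(acl, pkt.src)
    return False, "permit"  # ACL never looked at: the packet is simply routed


def render_ios_config(acl_name: str, permitted: List[str], vlan: int, direction: str) -> List[str]:
    """The IOS lines the model corresponds to (wildcard-mask form)."""
    lines = [f"ip access-list standard {acl_name}"]
    for n in permitted:
        net = ipaddress.ip_network(n)
        lines.append(f" permit {net.network_address} {net.hostmask}")
    lines.append(" deny any log")
    lines += [f"interface vlan {vlan}", f" ip access-group {acl_name} {direction}"]
    return lines


if __name__ == "__main__":
    acl = build_standard_acl(ENGINEER_SUBNETS)
    # Constructed traffic: an ordinary corporate user, an engineer, and a reply to the engineer.
    user_out = Packet("10.0.21.5", "198.51.100.10", ASA_FACING_VLAN, INTERNET_VLAN)
    eng_out = Packet("10.0.4.7", "198.51.100.10", ASA_FACING_VLAN, INTERNET_VLAN)
    eng_reply = Packet("198.51.100.10", "10.0.4.7", INTERNET_VLAN, ASA_FACING_VLAN)
    samples = (("user->internet", user_out), ("eng->internet", eng_out), ("internet->eng", eng_reply))
    for direction in ("in", "out"):
        for name, pkt in samples:
            print(direction, name, apply_on_svi(acl, ASA_FACING_VLAN, direction, pkt))
    print("\n".join(render_ios_config("DENY_UNAUTH_USERS", ENGINEER_SUBNETS, ASA_FACING_VLAN, "in")))
```

Running it shows why "out" is the wrong answer here: applied outbound on vlan 60 the ACL is never consulted for the corporate user's packet at all (it leaves via the Internet vlan), and it instead denies the Internet host's reply to the engineer, because a standard ACL only ever looks at the source address. Applied inbound it evaluates exactly the traffic arriving from the ASA side and denies everything except the three engineer subnets. One operational caveat on the "deny any log" line: on a Catalyst 3560, packets that hit a logged ACE are handled in software rather than in hardware, so a high rate of denied traffic raises CPU load; rate-limit or drop the log keyword if that becomes a problem.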


lamav Sun, 03/23/2008 - 16:40

Once again, you deserve the great ratings because your answers are full of excellent information and you stick with the person until the problem is solved. That's a pretty awesome thing to do when you don't even know the person at all.

And yes, I know you would have answered my question no matter what; the ratings weren't the reason, I know.
