Simple VLAN ACL Question

Unanswered Question
Mar 4th, 2009

Here's my setup:

Cisco 6506 IOS 12.1




I'd like to allow only HOST1 to VLAN1. VLAN2 should NOT be allowed to get to VLAN1. Also, I'd like VLAN1 to be able to access VLAN2 as well as get out to the internet, etc. I have routing set up and everything is working fine with that. I just want to place an ACL to restrict traffic. How can I do this? This has got to be simple, but I can't quite figure it out.



Jon Marshall Wed, 03/04/2009 - 06:45


It's not quite as straightforward as it sounds because you want to allow traffic initiated from vlan 1 thru to vlan 2 and presumably the return traffic as well. But you don't want vlan 2 to be able to initiate connections to vlan 1 except for

If your traffic is a mixture of TCP/UDP then you will have to use reflexive access-lists to achieve what you want. Please see the attached link for configuration details -


Giuseppe Larosa Wed, 03/04/2009 - 06:48

Hello Rob,

extended ACLs for TCP allow you to use the established keyword, which permits TCP sessions that are already established.

in this way you can have TCP connections started from vlan 1 permitted and TCP sessions started from vlan2 denied (because they have the TCP flags set to initiate the session).


access-list 101 permit tcp host

access-list 101 permit tcp established

you can then apply the ACL inbound on vlan2

int vlan2

ip access-group 101 in

in this way only host can start TCP sessions to net

sessions started from to other hosts in are permitted

hope to help


robbyyamry Wed, 03/04/2009 - 07:48

Thanks for the info. Do extended ACLs for UDP allow the ESTABLISHED keyword as well? Would it be possible to apply the ACL to VLAN1? I only ask because we have about 20 VLANs on the LAN (all of which should not be able to access VLAN1) and I'd rather not apply the access-group to all, if possible.


Giuseppe Larosa Wed, 03/04/2009 - 08:17

Hello Rob,

unfortunately UDP has no session/socket concept so the established keyword doesn't apply.

in your case you can think of applying a single outbound ACL under SVI vlan1 instead.

Hope to help
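To make the established semantics from the two answers above concrete, here is an added Python model (not code from the thread or from Cisco) of how IOS evaluates access-list 101 applied inbound on the vlan2 SVI. Addresses are constructed, and the list goes beyond the post by adding the explicit deny and the final permit a working list needs; it also shows the UDP limitation raised in the follow-up.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the thread's topology (not from the original post).
VLAN1 = ip_network("10.1.1.0/24")
VLAN2 = ip_network("10.1.2.0/24")
HOST1 = ip_network("10.1.2.10/32")   # the single VLAN2 host allowed to reach VLAN1
ANY = ip_network("0.0.0.0/0")

@dataclass
class Packet:
    proto: str                        # "tcp" or "udp"
    src: str
    dst: str
    flags: frozenset = frozenset()    # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}

# Access-list entries: (action, protocol, source, destination, established).
# Applied "in" on SVI vlan2, so it sees packets sourced in VLAN2.
ACL_101 = [
    ("permit", "tcp", HOST1, VLAN1, False),   # HOST1 may open TCP sessions to VLAN1
    ("permit", "tcp", VLAN2, VLAN1, True),    # replies to sessions VLAN1 opened
    ("deny",   "ip",  VLAN2, VLAN1, False),   # everything else from VLAN2 to VLAN1
    ("permit", "ip",  ANY,   ANY,   False),   # VLAN2 keeps internet and other access
]

def ace_matches(ace, pkt):
    _, proto, src, dst, established = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in src or ip_address(pkt.dst) not in dst:
        return False
    # IOS 'established' is a stateless flag check: the segment must carry ACK or RST.
    # No session table is kept, so UDP has no equivalent and a stray ACK also matches.
    if established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"

if __name__ == "__main__":
    print("HOST1 SYN -> VLAN1:", evaluate(ACL_101, Packet("tcp", "10.1.2.10", "10.1.1.5", frozenset({"SYN"}))))
    print("other SYN -> VLAN1:", evaluate(ACL_101, Packet("tcp", "10.1.2.20", "10.1.1.5", frozenset({"SYN"}))))
    print("reply SYN/ACK -> VLAN1:", evaluate(ACL_101, Packet("tcp", "10.1.2.20", "10.1.1.5", frozenset({"SYN", "ACK"}))))
    print("UDP reply -> VLAN1:", evaluate(ACL_101, Packet("udp", "10.1.2.20", "10.1.1.5")))
```

The UDP case is denied even when it is a reply to a query VLAN1 sent, which is the gap the last answer describes; and because the check is stateless, the filter is not a substitute for the reflexive access-lists mentioned in the first reply.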


