3560 Vlan ACL issue

Unanswered Question


I have some Catalyst 3560s that have about 10 VLANs set up on them. I want to isolate a few VLANs from being able to access certain VLANs, but only in one direction. For example:

Vlan 100 is

Vlan 200 is

I would like a host in Vlan 100 to be able to initiate a session with a host in Vlan 200, but at the same time I don't want a host in Vlan 200 to be able to initialize a session with a host in Vlan 100. Kinda like a PIX/ASA DMZ ACL. Is this possible? When I try putting an ACL on the Vlan interface like below, it does not work. This is because once a host in vlan 100 (10.10.100.x) initiates a session with a host in vlan 200 (192.168.100.x), the second ACL blocks the return traffic. Any suggestions?

access-list 115 permit ip

access-list 115 deny ip

access-list 115 permit ip any

Interface Vlan200

ip address

ip access-group 115 in



Jon Marshall Thu, 06/04/2009 - 14:32


What you need for this sort of thing is reflexive access-lists which allow connections to be initiated from one side and the return traffic back but not for connections to be initiated the other way.

Unfortunately, as far as I know the 3560 does not support reflexive access-lists. So the best you can do is to use the "established" keyword, which only works for TCP connections -
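As an added illustration of the "established" approach (not configuration from the original post or from the poster), here is the shape the inbound ACL on Vlan200 could take; the subnets 10.10.100.0/24 and 192.168.100.0/24 are taken from the question, the ACL name is an assumption.

```cisco
! Added example, not from the original thread. Goal: hosts in VLAN 100
! (10.10.100.0/24) may open TCP sessions to VLAN 200 (192.168.100.0/24)
! and get their replies back; hosts in VLAN 200 may not open sessions to
! VLAN 100. Applied inbound on Vlan200, so it filters traffic *sourced*
! by VLAN 200 hosts as it enters the SVI.
ip access-list extended VLAN200-IN
 ! Replies to sessions started from VLAN 100: "established" matches only
 ! TCP segments with the ACK or RST bit set, i.e. not the initial SYN.
 permit tcp 192.168.100.0 0.0.0.255 10.10.100.0 0.0.0.255 established
 ! Any other VLAN 200 -> VLAN 100 traffic (new TCP SYNs, UDP, ICMP) is dropped.
 deny   ip 192.168.100.0 0.0.0.255 10.10.100.0 0.0.0.255
 ! VLAN 200 traffic to all other destinations is left alone.
 permit ip any any
!
interface Vlan200
 ip access-group VLAN200-IN in
```

Because the check is purely on TCP flag bits, it is stateless: UDP or ICMP replies from VLAN 200 to VLAN 100 (for example a DNS answer from a resolver there) need their own explicit permit lines, and the rule offers no protection against a VLAN 200 host sending packets that already carry the ACK bit.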



