Extended ACL help --- urgent

Unanswered Question
Jun 24th, 2009

I have created one vlan500 (GW) and it is active.

I defined one access-list group like below:

ip access-list extended GUEST_ACCESS
 deny ip any
 deny ip any
 deny ip any
 deny ip any
 deny ip any
 deny ip any
 deny ip any
 deny ip any

I applied the above access-group to vlan500, but I am still able to ping from this VLAN to the above denied networks (I am trying extended ping).

This is strange to me. Experts, can anybody help me please?



Giuseppe Larosa Wed, 06/24/2009 - 22:55

Hello Naidu,

In what direction have you applied this ACL?


ip access-group GUEST_ACCESS in

or outbound

ip access-group GUEST_ACCESS out

This could explain what you see.

If the ACL is applied outbound, that means towards the core, not towards the users in the VLAN, and those source IP subnets don't appear as source but as destinations.

Hope to help


ilnaiduccna Wed, 06/24/2009 - 23:01

Hi Giuseppe,

Thanks for your quick response.

I tried both ways, in & out, but it is still not working, and this is what seems strange to me.



Istvan_Rabai Wed, 06/24/2009 - 23:09

Hi Naidu,

The ACL that you applied to the VLAN interface is effective only for traffic traversing the switch or router.

Traffic generated by the switch is not affected by this ACL, when the ACL is applied outbound.

So if you originate pings from the same switch where you applied the ACL to the vlan interface, the pings are generated by the switch itself.

So the ACL will not filter that traffic.

Try generating pings (traffic) on a different device so the traffic traverses this switch but is not originated on this switch.
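The two points raised in this thread (Giuseppe's: the direction the ACL is applied in decides whether the listed subnets are compared against the packet's source or destination; Istvan's: an outbound ACL on an SVI is never evaluated for packets the switch itself originates, such as an extended ping sourced from the SVI address) can be checked with a small model of IOS extended-ACL evaluation. The following is an added example written for this page, not Cisco code and not the original poster's configuration; the VLAN 500 subnet (10.50.0.0/24) and the two "denied" networks (10.1.0.0/16, 10.2.0.0/16) are constructed placeholders, since the thread's own addresses are not shown, and the ACL text is built inline.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard is the bitwise inverse of a subnet mask: 0.0.255.255 -> 255.255.0.0
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    net = ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)
    return net, tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines into ordered (action, src_net, dst_net) entries."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skips the 'ip access-list extended NAME' header; only protocol 'ip' is modelled
        action, rest = tokens[0], tokens[2:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        aces.append((action, src, dst))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First matching entry wins; if nothing matches, IOS applies its implicit 'deny ip any any'."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in aces:
        if src_ip in src and dst_ip in dst:
            return action
    return "deny"


def simulate_ping(acl_in, acl_out, src_ip, target_ip, originated_by_switch=False):
    """Model a ping through an SVI carrying acl_in (packets arriving from VLAN hosts)
    and acl_out (packets leaving towards VLAN hosts). Returns the fate of echo and reply."""
    if originated_by_switch:
        # The switch generates the echo itself: it never enters the SVI inbound, and an
        # outbound ACL is not evaluated for locally originated packets. The reply arrives
        # on whichever interface faces the target, so this SVI's ACLs never see it either.
        return {"echo": "not evaluated", "reply": "not evaluated"}
    echo = evaluate(acl_in, src_ip, target_ip) if acl_in else "permit"
    if echo == "deny":
        return {"echo": "deny", "reply": "not sent"}
    # The reply travels the other way, so source and destination are swapped.
    reply = evaluate(acl_out, target_ip, src_ip) if acl_out else "permit"
    return {"echo": echo, "reply": reply}


# Constructed ACL variants (placeholder subnets; the thread's real ones are not shown).
DENY_AS_DST = parse_acl("""
ip access-list extended GUEST_ACCESS
 deny ip any 10.1.0.0 0.0.255.255
 deny ip any 10.2.0.0 0.0.255.255
 permit ip any any
""")

DENY_AS_SRC = parse_acl("""
ip access-list extended GUEST_ACCESS
 deny ip 10.1.0.0 0.0.255.255 any
 deny ip 10.2.0.0 0.0.255.255 any
 permit ip any any
""")

ONLY_DENIES = parse_acl("""
ip access-list extended GUEST_ACCESS
 deny ip any 10.1.0.0 0.0.255.255
 deny ip any 10.2.0.0 0.0.255.255
""")

if __name__ == "__main__":
    host, svi, target = "10.50.0.10", "10.50.0.1", "10.1.2.3"
    print("host ping, deny-as-destination inbound:", simulate_ping(DENY_AS_DST, None, host, target))
    print("host ping, deny-as-source inbound:     ", simulate_ping(DENY_AS_SRC, None, host, target))
    print("host ping, deny-as-source outbound:    ", simulate_ping(None, DENY_AS_SRC, host, target))
    print("switch extended ping, either direction:", simulate_ping(DENY_AS_DST, DENY_AS_DST, svi, target, True))
    print("host ping to an unlisted net, deny-only ACL:", simulate_ping(ONLY_DENIES, None, host, "192.0.2.1"))
```

The last case is worth noting for the ACL as posted: with only deny entries and no trailing permit, the implicit deny at the end drops everything in that direction for transit traffic, so a ping from a PC in VLAN 500 that still succeeds is a strong hint the packets are not transiting the SVI at all.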



davy.timmermans Wed, 06/24/2009 - 23:09

Hi Naidu,

Did you try to ping from your PC when connected to vlan 500 instead of from the switch? I suppose you ping from the switch via a source interface?

Did you test with reversing destination and source in your acl?

