
Jul 25th, 2006

I have a L3 switch with several vlan interfaces. I want to add another vlan interface that is restricted (isolated) from the other vlans. What would be the best way to go about doing this? Should I create an extended ACL and then apply it to the VLAN interface? I believe VACL are intended for intra-vlan situations, is this correct?



lutheran1971 Tue, 07/25/2006 - 10:59

Hi Joel,

It is my understanding that VACLs are applied to all traffic seen on a given VLAN, whereas "normal" ACLs are applied to the L3 SVI. In other words, they are applied only to traffic leaving or coming to that network via the L3 sub-interface for that VLAN.

VLAN usage implies isolation from other VLANs, so I assume when you say isolation you mean that you want the new VLAN to be able to access other networks (for instance perhaps the internet), though you do not want hosts on any other local VLAN to access it. I would write an ACL for the sub-interface that simply (!) accommodates this: generally, allow all traffic from your special VLAN 'out' but deny traffic from the others 'in'. Hope this helps.

thomuff Tue, 07/25/2006 - 12:04

Do you really need the Layer 3 interface, or would creating the layer 2 VLAN satisfy the goal? Could you tell us what you are trying to accomplish?


globalnettech Tue, 07/25/2006 - 12:05


Here is a configuration example with ACLs to restrict traffic between two VLANs (this is from a previous post from 'Bosalaza'):

Goal: to restrict traffic between two VLANs, but from these VLANs you want no traffic restrictions to e.g. the Internet. You can create an access list preventing traffic from one VLAN, and allowing traffic to the internet. For example:

vlan x -
vlan y -

access-list x deny
access-list x permit any
access-list y deny
access-list y permit any

interface vlan x
 ip address
 ip access-group y out

interface vlan y
 ip address
 ip access-group x out



joel-metz Tue, 07/25/2006 - 12:38

How do I know if I should place the action of the Access List to be incoming, or outgoing on the interface?



jackyoung Tue, 07/25/2006 - 17:32

For incoming or outgoing, it depends on the usage. E.g., if you want to block the user from remote sites to your office, you have to set up incoming at your locations, or you can set up outgoing at the remote sites.

Hope this helps.
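The three points the replies make (router ACLs on an SVI only see traffic that is routed through that SVI, the two-ACL "out" design from Bosalaza's example, and the fact that "in" versus "out" is just a question of where the same policy is enforced) are easy to check with a small packet-walk simulation. The script below is an added example, not code from the thread or from Cisco; it uses constructed subnets (10.1.10.0/24 for "vlan x", 10.1.20.0/24 for "vlan y") because the original post leaves the addresses blank, and it models only first-match ACL evaluation with the implicit deny, not the full IOS feature set.

```python
import ipaddress

ANY = None  # stands in for the IOS keyword "any"

# Constructed sample addressing; the thread leaves these subnets blank.
VLAN_SUBNETS = {
    "vlan10": ipaddress.ip_network("10.1.10.0/24"),   # the thread's "vlan x"
    "vlan20": ipaddress.ip_network("10.1.20.0/24"),   # the thread's "vlan y"
}

# Access lists as ordered (action, source, destination) entries. IOS appends an
# implicit "deny any any"; acl_permits() reproduces that by returning False on
# no match. The standard ACLs from the thread only match on source (dst = ANY).
ACLS = {
    "x": [("deny", VLAN_SUBNETS["vlan10"], ANY), ("permit", ANY, ANY)],
    "y": [("deny", VLAN_SUBNETS["vlan20"], ANY), ("permit", ANY, ANY)],
    # Extended-ACL alternative (hypothetical names): filter on the ingress SVI
    # of the source VLAN instead, which needs a destination match.
    "x-to-y": [("deny", VLAN_SUBNETS["vlan10"], VLAN_SUBNETS["vlan20"]),
               ("permit", ANY, ANY)],
    "y-to-x": [("deny", VLAN_SUBNETS["vlan20"], VLAN_SUBNETS["vlan10"]),
               ("permit", ANY, ANY)],
}

# "ip access-group <acl> out" on each SVI, exactly as the thread's example.
OUTBOUND_DESIGN = {"vlan10": {"out": "y"}, "vlan20": {"out": "x"}}
# The same policy applied "in" on the source VLAN's SVI (extended ACLs).
INBOUND_DESIGN = {"vlan10": {"in": "x-to-y"}, "vlan20": {"in": "y-to-x"}}


def _matches(net, addr):
    return net is ANY or addr in net


def acl_permits(acl_name, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for action, src_net, dst_net in ACLS[acl_name]:
        if _matches(src_net, src) and _matches(dst_net, dst):
            return action == "permit"
    return False


def svi_for(addr):
    """SVI whose subnet contains addr, or None for off-switch (e.g. Internet) addresses."""
    for name, net in VLAN_SUBNETS.items():
        if addr in net:
            return name
    return None


def forward(src, dst, design):
    """Trace one packet through the L3 switch and report its fate."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = svi_for(src), svi_for(dst)
    # Hosts in the same VLAN talk at layer 2 and never reach the SVI, so a
    # router ACL cannot see that traffic; that is what a VACL is for.
    if ingress is not None and ingress == egress:
        return "switched"
    # "in" ACL is checked on the SVI the packet arrives through ...
    acl_in = design.get(ingress, {}).get("in")
    if acl_in and not acl_permits(acl_in, src, dst):
        return "denied-in"
    # ... and "out" on the SVI it leaves through towards the destination VLAN.
    acl_out = design.get(egress, {}).get("out")
    if acl_out and not acl_permits(acl_out, src, dst):
        return "denied-out"
    return "forwarded"


if __name__ == "__main__":
    flows = [("10.1.10.5", "10.1.20.5"), ("10.1.20.5", "10.1.10.5"),
             ("10.1.10.5", "203.0.113.9"), ("198.51.100.7", "10.1.10.5"),
             ("10.1.10.5", "10.1.10.6")]
    for s, d in flows:
        print(f"{s:>14} -> {d:<14} out-design={forward(s, d, OUTBOUND_DESIGN):<11}"
              f" in-design={forward(s, d, INBOUND_DESIGN)}")
```

Both designs block vlan10 and vlan20 from each other while leaving Internet traffic in either direction untouched; the difference is only the point of enforcement, which is the "depends on the usage" answer above. Note that the "out" design gets away with standard (source-only) ACLs because the egress SVI already implies the destination VLAN, whereas the "in" design must name the destination explicitly or it would also cut off the Internet.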

