Cisco Support Community
New Member

access lists on vlans

Is it possible for me to apply access lists on a layer 3 VLAN interface on my switch?



Re: access lists on vlans

Yes it is. You apply an access-list to a logical interface (L3 VLAN is a logical interface also) in the same manner that you would apply it on a physical interface.

New Member

Re: access lists on vlans

Don't forget to reverse the egress/ingress order. In other words, ACLs on addressable physical interfaces will work in reverse of a VLAN interface's ACL. Simply reverse the "access-group xxx (IN/OUT)" statement.

Good luck



Re: access lists on vlans


Where did you get this information that 'ACLs on addressable physical interfaces will work in reverse of a VLAN interface ACL'?

When applying an ACL to a logical interface (SVI a.k.a. VLAN) you consider it as if you are applying the ACL on a physical routed interface. The direction of the ACL is the same as if we were applying it to the physical interface. For example, assume I am going to apply an ACL to prevent packets sourced from VLAN 10 hosts to a.b.c.d. In this particular case I would create an extended ACL matching source as the VLAN 10 subnet and destination as a.b.c.d. This ACL will either be applied inbound on VLAN 10 or outbound on the interface that is the exit point towards a.b.c.d. If you reverse the direction (like you say) and apply it outbound on VLAN 10, this ACL will not work, as no packets going out of VLAN 10 will have a source of the VLAN 10 subnet.
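The direction argument in the reply above, modelled as an added example that is not part of the original post: a small Python simulation of a layer 3 switch with two SVIs. The subnets, the `Vlan20` interface and the host `10.20.20.5` (standing in for a.b.c.d) are constructed assumptions.

```python
import ipaddress

# Constructed topology (assumption): SVI Vlan10 serves 10.10.10.0/24,
# SVI Vlan20 serves 10.20.20.0/24. 10.20.20.5 stands in for "a.b.c.d".
SVIS = {"Vlan10": ipaddress.ip_network("10.10.10.0/24"),
        "Vlan20": ipaddress.ip_network("10.20.20.0/24")}

# Extended ACL from the post: deny VLAN 10 subnet -> a.b.c.d, permit the rest.
ANY = ipaddress.ip_network("0.0.0.0/0")
ACL = [("deny", SVIS["Vlan10"], ipaddress.ip_network("10.20.20.5/32")),
       ("permit", ANY, ANY)]

def svi_for(addr):
    """Return the SVI whose subnet contains addr (the connected route)."""
    for name, net in SVIS.items():
        if addr in net:
            return name
    raise ValueError(f"no connected route for {addr}")

def acl_permits(src, dst):
    """First-match evaluation; an ACL ends with an implicit deny."""
    for action, src_net, dst_net in ACL:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False

def forwarded(src, dst, bindings):
    """Route one packet between VLANs. bindings is a set of (svi, direction)
    pairs where the ACL is applied: 'in' filters packets arriving from that
    VLAN's hosts, 'out' filters packets about to be sent into that VLAN."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = svi_for(src), svi_for(dst)
    if (ingress, "in") in bindings and not acl_permits(src, dst):
        return False
    if (egress, "out") in bindings and not acl_permits(src, dst):
        return False
    return True

if __name__ == "__main__":
    for binding in [("Vlan10", "in"), ("Vlan20", "out"), ("Vlan10", "out")]:
        ok = forwarded("10.10.10.7", "10.20.20.5", {binding})
        print(binding, "-> forwarded" if ok else "-> dropped")
```

Bound outbound on `Vlan10`, the ACL is only consulted for packets whose destination is in VLAN 10, so the deny entry never matches and the traffic it was written to stop is forwarded.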

Re: access lists on vlans

Hi! Carl,

Yes, it is very much possible for you to apply an access list on an L3 VLAN interface.

Refer to the following link for the same.

I hope you find it helpful.

Please rate the post if it helps.


