Cisco Support Community

Access List VLAN

Hi, I have 2 layer VLANs created on my core switch. These VLANs are advertised via the EIGRP protocol running on the core switch and subsequently advertised into BGP on the routers connected to the core switch.


The 2 VLANs are VLAN 12 and VLAN 13. VLAN 12 is a static VLAN which provides IP addresses to all the servers, and VLAN 13 is a static VLAN which provides IP addresses to the devices which communicate with the server VLAN.


My requirement is that VLAN 13 should be totally isolated from all other VLANs and traffic, except VLAN 12.


i.e. VLAN 13 should be reachable via VLAN 12, and VLAN 13 should not be reachable by any other traffic or any other VLAN. VLAN 13 should be totally isolated for both inbound and outbound traffic.


I have an access list on VLAN 13 which is a standard access list permitting only VLAN 12 traffic, applied in the outbound direction:




int Vlan 13
 ip address
 ip access-group 13 out

int Vlan 12
 ip address

access-list 13 permit




But the problem is that I can ping VLAN 13 from the core switch using other VLANs as the source, i.e.

a ping with VLAN 4 as the source gives me 100% success, and I can ping VLAN 4 using VLAN 13 as the source.

If I try to ping it from outside the network, I can ping the VLAN 13 interface but not the IP addresses in that range.

Is the goal achieved in this case? Since the access list is applied in the outbound direction, I was wondering about inbound traffic, which in a way will be covered, since outbound traffic won't be allowed to other VLANs: any inbound echo will be allowed, but not the echo-reply to other VLANs. Just wondering if I am making sense or talking rubbish here. Do I need to make any changes to accomplish the goal of totally isolating VLAN 13?




Your access list looks OK.

Try using other devices on VLAN 13 to test to and from, NOT the router/switch.


Regards, Alex. Please rate useful posts.


Access lists on SVIs are always in the reverse direction.

Your access list is applied 'outbound', but this actually means inbound, as it's on an SVI.
Effectively you are saying:

"allow any traffic with a source address of /27 to send traffic to any hosts in subnet /27"

I recreated your setup in Packet Tracer and it seems to work fine, see attached.

PC0 is on VLAN 4 (/24) and is unable to ping PC2.

PC1 is on VLAN 12 (/27) and is able to ping PC2.


interface Vlan4
 ip address
interface Vlan12
 ip address
interface Vlan13
 ip address
 ip access-group 13 out
ip classless
access-list 13 permit
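The following is an added example and is not configuration posted by anyone in this thread. It shows one way to meet the original requirement with extended ACLs on the VLAN 13 SVI. On an SVI, IOS evaluates an "in" ACL against packets arriving from hosts in that VLAN, and an "out" ACL against packets being routed from the switch toward hosts in that VLAN, so isolating VLAN 13 in both directions needs a filter in each direction. The subnets are assumptions (the thread only gives the prefix lengths /27 and /24); substitute the real ones.

```cisco
! Assumed addressing (not given in the thread):
!   VLAN 12 = 10.0.12.0/27   VLAN 13 = 10.0.13.0/27   VLAN 4 = 10.0.4.0/24
!
! Packets sent by VLAN 13 hosts, entering the switch via the SVI ("in"):
! only the VLAN 12 subnet may be reached. The explicit deny gives counters.
ip access-list extended VLAN13_IN
 permit ip 10.0.13.0 0.0.0.31 10.0.12.0 0.0.0.31
 deny   ip any any log
!
! Packets routed by the switch toward VLAN 13 hosts ("out"):
! only sources in the VLAN 12 subnet may reach VLAN 13.
ip access-list extended VLAN13_OUT
 permit ip 10.0.12.0 0.0.0.31 10.0.13.0 0.0.0.31
 deny   ip any any log
!
interface Vlan13
 ip address 10.0.13.1 255.255.255.224
 ip access-group VLAN13_IN in
 ip access-group VLAN13_OUT out
 no ip proxy-arp
!
! Verification (run from hosts, not from the switch):
!   host in VLAN 4  -> ping 10.0.13.10   expected: no reply, VLAN13_OUT deny counter increments
!   host in VLAN 12 -> ping 10.0.13.10   expected: reply
!   host in VLAN 13 -> ping 10.0.4.10    expected: no reply, VLAN13_IN deny counter increments
! show ip access-lists VLAN13_IN
! show ip access-lists VLAN13_OUT
```

Two caveats a practitioner should keep in mind when testing. Traffic the switch generates itself (a ping sourced from another SVI on the core switch) is not checked by an outbound interface ACL, which is why such a test succeeds regardless of the ACL. Traffic addressed to the SVI's own IP address terminates at the switch rather than being routed out the SVI, so the "out" ACL does not stop other VLANs from pinging the VLAN 13 interface address; if that must be blocked too, filter it with inbound ACLs on the other SVIs.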






disable proxy-arp on interfaces


Today I did the same configuration in my office.


ip access-list extended ALLOW_VLAN13
 permit ip
 deny ip any
 permit ip any any


Then apply it on your VLAN interface:


interface vlan 3
 ip access-group ALLOW_VLAN13 in



It will work. I hope it will be helpful.





Duplicate post




Please don't forget to rate any posts that have been helpful. Thanks.