Cisco Support Community

ACL Question

I am wondering if it is possible to allow traffic from one host to another in a particular direction, while denying the traffic from the other direction.

For example, VLAN10 contains a PC with the IP of VLAN10's interface is VLAN20 contains a PC with the IP address of VLAN20's interface IP address is

Basically, I want to be able to access network from, but I do not want to be able to access anything in the network. What I am looking for is to be able to permit/deny access to certain networks based on what the source IP is.

I am confused on how to configure the ACLs - inbound, outbound or both on the VLAN interfaces.

Any info would be appreciated.


Re: ACL Question

You really cannot allow traffic in only a single direction. The response to your session has to be allowed somehow.

In the simplest case for TCP you can use the established option.

permit 110 tcp host established

This is applied inbound on vlan20

This has limited use in that it only supports TCP and has trouble with applications that attempt to open a second session back to the originating machine.

The other methods are reflexive access lists and Context-Based Access Control (CBAC), both of which are part of the firewall feature set; what is supported will depend on IOS level and platform.
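The two approaches from the reply above, written out as an added IOS configuration example (not the poster's own config). The subnets 10.0.10.0/24 (VLAN10) and 10.0.20.0/24 (VLAN20) and the ACL names are assumed placeholders, since the original post omits the addresses; the goal is VLAN10 may initiate to VLAN20 but VLAN20 may not initiate to VLAN10.

```cisco
! ---- Option 1: TCP-only, using the established keyword ----
! Applied inbound on the VLAN20 SVI, so it filters packets sourced in VLAN20.
! "established" matches only segments with ACK or RST set, i.e. replies to
! sessions that VLAN10 opened. Fresh SYNs from VLAN20 toward VLAN10 fall
! through to the explicit deny. UDP and ICMP from VLAN20 to VLAN10 are also
! denied, so ping and DNS replies from VLAN20 will not come back.
access-list 110 permit tcp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 established
access-list 110 deny   ip  10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 110 permit ip  any any
!
interface Vlan20
 ip access-group 110 in
!
! ---- Option 2: reflexive ACL (stateful, covers TCP/UDP/ICMP) ----
! Both lists sit on the same SVI, one per direction. Traffic leaving toward
! VLAN20 hosts (outbound on Vlan20) creates temporary mirror entries in
! VLAN10_SESSIONS; traffic arriving from VLAN20 hosts (inbound on Vlan20) is
! checked against those entries via "evaluate" before the deny.
ip access-list extended TO_VLAN20
 permit tcp  10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 reflect VLAN10_SESSIONS timeout 300
 permit udp  10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 reflect VLAN10_SESSIONS timeout 60
 permit icmp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 reflect VLAN10_SESSIONS timeout 30
 permit ip any any
!
ip access-list extended FROM_VLAN20
 evaluate VLAN10_SESSIONS
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 permit ip any any
!
interface Vlan20
 no ip access-group 110 in
 ip access-group TO_VLAN20 out
 ip access-group FROM_VLAN20 in
```

Apply only one of the two options at a time. Use "show ip access-lists" to confirm the counters increment on the expected entries and, for option 2, to see the temporary reflexive entries appear while a VLAN10-initiated session is active.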