Filtering traffic between VLANs

I already posted about this a few months ago and I thought I had it resolved...

Right now, I'm setting up a remote office infrastructure with WIFI.

Routed environment, down to the access layer using 3560-x l3 switches.

vlan 10: data

vlan 20: wifi

vlan 30: wifi guests

vlan 40: voip

Remote office is in the 10.50.x.y subnets where x = VLAN ID from the table above (so is in the WIFI Guests VLAN...)

My objective is to allow all traffic OUTBOUND to certain subnets and block any other networks. By doing it this way, after blocking all other internal traffic, I allow everything else to ensure internet traffic can go out.

I used this:

Extended IP access list VLAN10_TRAFFIC_FLOW
10 permit ip any
20 permit ip any
30 deny ip any
40 permit ip any any

interface Vlan10
description DATA
ip address
ip access-group VLAN10_TRAFFIC_FLOW in

Somehow, I can ping and browse web pages in subnet even though the rule blocks anything in the 10.x.x.x (line 30).

So I nuked all of this and created VLAN maps which seem to work better.

ip access-list extended ACL_VLAN10_ALLOW
permit ip any
permit ip
permit ip

ip access-list extended ACL_VLAN10_BLOCK
permit ip any

vlan access-map MAP_VLAN10 10
match ip address ACL_VLAN10_ALLOW
action forward
vlan access-map MAP_VLAN10 20
match ip address ACL_VLAN10_BLOCK
action drop log
vlan access-map MAP_VLAN10 30
action forward

vlan filter MAP_VLAN10 vlan-list 10

However, there is no way to do inbound or outbound traffic control, so I end up with rules that allow all traffic to go out (even to destinations I don't want to) but return traffic gets blocked (i.e. I'd be able to send an HTTP request to a server in subnet but the response would get blocked). Kind of a waste of bandwidth to have all those packets travel and get blocked at the destination. Any input or suggestions would be appreciated...
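As an added illustration (not code from the post or from Cisco), here is a small Python model of how a directionless VLAN access-map with the post's structure evaluates a request leaving VLAN 10 and the reply coming back into it. The subnets are assumptions, since the post's own values were lost: VLAN 10 = 10.50.10.0/24, a permitted remote subnet 10.60.0.0/16, and a block ACL covering 10.0.0.0/8; the variant with an explicit reply-direction entry is likewise an illustration of a stateless workaround, not a configuration from the thread.

```python
import ipaddress
from typing import List, Tuple

# Constructed values (assumptions; the post's own subnets were elided):
# VLAN 10 data = 10.50.10.0/24, one permitted remote subnet = 10.60.0.0/16,
# and the "block" ACL covering all internal space, 10.0.0.0/8.
ANY = ipaddress.ip_network("0.0.0.0/0")
VLAN10 = ipaddress.ip_network("10.50.10.0/24")
REMOTE_OK = ipaddress.ip_network("10.60.0.0/16")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

Ace = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]  # "permit ip <src> <dst>"
MapEntry = Tuple[List[Ace], str]  # (ACL to match, [] = no match clause; action)


def acl_matches(acl: List[Ace], src: str, dst: str) -> bool:
    """First-match check of an extended ACL built only from permit entries."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ace_src and d in ace_dst for ace_src, ace_dst in acl)


def vlan_map(entries: List[MapEntry], src: str, dst: str) -> str:
    """Evaluate a VLAN access-map in sequence order, first match wins.
    A VLAN map has no direction: the same entries see the request leaving
    VLAN 10 and the reply coming back into it."""
    for acl, action in entries:
        if not acl or acl_matches(acl, src, dst):
            return action
    return "drop"  # implicit drop at the end of a VLAN map


# The post's map structure, filled in with the constructed subnets.
ACL_VLAN10_ALLOW: List[Ace] = [(ANY, REMOTE_OK)]
ACL_VLAN10_BLOCK: List[Ace] = [(ANY, INTERNAL)]
MAP_VLAN10: List[MapEntry] = [
    (ACL_VLAN10_ALLOW, "forward"),  # seq 10
    (ACL_VLAN10_BLOCK, "drop"),     # seq 20
    ([], "forward"),                # seq 30: no match clause, catches the rest
]

# Same map with an explicit entry for the reply direction (still stateless;
# an illustration, not a configuration taken from the post).
ACL_VLAN10_ALLOW_BOTH: List[Ace] = ACL_VLAN10_ALLOW + [(REMOTE_OK, VLAN10)]
MAP_VLAN10_FIXED: List[MapEntry] = [(ACL_VLAN10_ALLOW_BOTH, "forward")] + MAP_VLAN10[1:]


def request_and_reply(entries: List[MapEntry], client: str = "10.50.10.5",
                      server: str = "10.60.1.1") -> Tuple[str, str]:
    """Verdicts for client->server (request) and server->client (reply)."""
    return vlan_map(entries, client, server), vlan_map(entries, server, client)
```

With the post's structure the request is forwarded by entry 10 while the reply, whose destination is inside 10.0.0.0/8, falls through to entry 20 and is dropped; adding the reply-direction entry to the allow ACL lets entry 10 catch both halves.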
