Cisco Support Community
Community Member

regarding ALCs applied on VLAN interface for IN/OUT directions

Hello community,


the question is the following:



{small network} ---- {big network}


I have to allow some traffic flows from the small network to the big network and vice versa.

For that I can use just one ACL applied on VLAN in IN direction.

Please give some information regarding this: am I right with my suggestion, or should I have two ACLs applied on IN and OUT for the VLAN?

in this topology you can use just one ACL applied on VLAN in IN direction

Community Member

Thanks for the comment!

Any other/additional information or thoughts?

Hi Andrey,

ip access-group acl in filters the traffic that enters the interface, and out filters the traffic that goes out via that interface... the example below shows the exact difference....

Example: Filtering on Source and Destination Addresses and IP Protocols

The following configuration example shows an interface with two access lists, one applied to outgoing packets and one applied to incoming packets. The standard access list named Internet-filter filters outgoing packets on source address. The only packets allowed out the interface must be from source

The extended access list named marketing-group filters incoming packets. The access list permits Telnet packets from any source to network and denies all other TCP packets. It permits any ICMP packets. It denies UDP packets from any source to network 172.26.0 0 on port numbers less than 1024. Finally, the access list denies all other IP packets and performs logging of packets passed or denied by that entry.

interface gigabitethernet 0/0/0
 ip address
 ip access-group Internet-filter out
 ip access-group marketing-group in
ip access-list standard Internet-filter
ip access-list extended marketing-group
 permit tcp any eq telnet
 deny tcp any any
 permit icmp any any
 deny udp any lt 1024
 deny ip any any 




Community Member

Hi Karthik,

ok, thanks for the example!


Let's say we have "vlan 20" and interface gigabitethernet 0/0/0 assigned to that VLAN. When writing and applying an ACL, should one consider IN and OUT relative to the router, or relative to the interface to which a certain VLAN (in this example vlan 20) was assigned?

VIP Purple

Hello,

ACLs applied to an SVI are as follows:


ACLs applied INBOUND = traffic originating from hosts within vlan 10

int vlan 10
ip access-group xx IN  (in>out)


ACLs applied OUTBOUND = traffic going to hosts in vlan 10

int vlan 10
ip access-group xx OUT (in<out)





Please don't forget to rate any posts that have been helpful. Thanks.
Community Member

Hello,

thanks for the information, but my question relates to how the router will filter traffic by an ACL applied, for example, in the IN direction for a certain VLAN: will "IN traffic" be filtered relative to the router, or will "IN traffic" be filtered relative to the interface that was assigned to that VLAN?



VIP Purple

Hello,

Applying an ACL to an SVI interface is different from applying it to a physical interface.


On a physical interface the direction is quite straightforward:

IN = incoming into the interface (opening the door and letting IN the traffic)
OUT = outgoing from the interface (opening the door and letting OUT the traffic)

On a logical interface such as an SVI:
IN = originating from the VLAN to the destination
OUT = originating from outside towards the VLAN



Please don't forget to rate any posts that have been helpful. Thanks.
Super Bronze

"It depends".

It will depend on exactly what traffic you want to block. Something like TCP can be effectively blocked in both directions if only physically blocked in one direction, but other traffic may need to be physically blocked in both directions.

It might be doable with a single IN or OUT ACL on the SVI, it might require both IN and OUT ACLs on the SVI, or it might require other ACLs on another interface (normally it's best to block as early as possible).

Community Member

Hello everyone,

sorry for the delay.


Here is the concrete example I am asking about.


This is the topology with sub-networks:


{small network}---{L3 switch}-----{big network}


(a WS-C3750X model is used as the L3 switch).


The task is:

1) permit all traffic to/from addresses
2) permit TCP destination port 5900 from addresses to any address in network
3) permit communication from to

4) deny all other traffic


Due to security requirements, communication on the ports
 - TCP 135-139
 - UDP 1434

should be blocked for the hosts from task 3) and for others which may be requested in the future.


My solution is to write one ACL and apply it in the IN direction:


(config)# ip access-list extended vlan10_filter_in
(config-acl)# permit icmp any any   # - for diagnostic purposes allow ICMP

(config-acl)# permit ip any # - 1) task
(config-acl)# permit ip any

(config-acl)# permit tcp any eq 5900   # - 2) task
(config-acl)# permit tcp any eq 5900 

(config-acl)# deny tcp any range 135 139  # deny communication on critical ports from small network
(config-acl)# deny tcp any  range 135 139 # deny connection on critical ports to small network

(config-acl)# deny udp any eq 1434  # deny communication on critical ports from small network
(config-acl)# deny udp any eq 1434 # deny connection on critical ports to small network

(config-acl)# permit ip # - 3) task - allow traffic between networks and filtering communication on critical ports
(config-acl)# permit ip

(config)#interface vlan 10
(config-if)#ip access-group vlan10_filter_in in



The question is: do I need an additional ACL for the OUT direction?

Small sub-question: is this firewall of the stateless type?
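To make the direction semantics discussed above concrete (an ACL applied "in" on an SVI sees only packets originating inside the VLAN, "out" only packets destined to the VLAN, first match wins, implicit deny at the end, no connection state), here is an added Python model. It is a teaching example written for this thread, not Cisco code and not from any post; the addresses 10.10.10.0/24 (VLAN 10, the "small" network) and 172.16.0.0/16 (the "big" network) and the list entries are constructed. It shows why the "deny ... to small network" entries of an inbound-only list are never consulted, which is the question posed in the post above and the point made earlier about some traffic needing to be blocked in both directions.

```python
"""Stateless ACL direction model for a routed VLAN interface (SVI).
Added teaching example, not Cisco code and not from any post in this thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    dport: Optional[int] = None   # destination port, None for icmp


@dataclass(frozen=True)
class Ace:
    """One access-list entry; proto "ip" matches any protocol, net "any" any address."""
    action: str                               # "permit" or "deny"
    proto: str
    src: str
    dst: str
    dports: Optional[Tuple[int, int]] = None  # inclusive destination-port range


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_in_net(pkt.src, ace.src) and _in_net(pkt.dst, ace.dst)):
        return False
    if ace.dports is not None:
        if pkt.dport is None:
            return False
        lo, hi = ace.dports
        return lo <= pkt.dport <= hi
    return True


def evaluate_acl(acl: List[Ace], pkt: Packet) -> str:
    """Top-down, first matching entry decides; no match hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


class Svi:
    """Routed interface of one VLAN; each packet is judged stateless, on its own."""

    def __init__(self, vlan_net: str, acl_in=None, acl_out=None):
        self.vlan_net, self.acl_in, self.acl_out = vlan_net, acl_in, acl_out

    def forward(self, pkt: Packet) -> str:
        # "in" is consulted only for packets sourced inside the VLAN
        if self.acl_in is not None and _in_net(pkt.src, self.vlan_net):
            if evaluate_acl(self.acl_in, pkt) == "deny":
                return "deny"
        # "out" is consulted only for packets destined into the VLAN
        if self.acl_out is not None and _in_net(pkt.dst, self.vlan_net):
            if evaluate_acl(self.acl_out, pkt) == "deny":
                return "deny"
        return "permit"


SMALL = "10.10.10.0/24"   # constructed: VLAN 10, the "small" network
BIG = "172.16.0.0/16"     # constructed: the "big" network

# Constructed list in the spirit of vlan10_filter_in above.
VLAN10_FILTER = [
    Ace("permit", "icmp", "any", "any"),
    Ace("deny", "tcp", SMALL, "any", (135, 139)),
    Ace("deny", "tcp", "any", SMALL, (135, 139)),   # dead entry when applied "in"
    Ace("deny", "udp", SMALL, "any", (1434, 1434)),
    Ace("deny", "udp", "any", SMALL, (1434, 1434)),  # dead entry when applied "in"
    Ace("permit", "tcp", SMALL, BIG, (5900, 5900)),
    Ace("permit", "ip", SMALL, BIG),
    Ace("permit", "ip", BIG, SMALL),
]


def compare_directions() -> dict:
    """Same packets through an inbound-only SVI and one filtered both ways."""
    only_in = Svi(SMALL, acl_in=VLAN10_FILTER)
    both = Svi(SMALL, acl_in=VLAN10_FILTER, acl_out=VLAN10_FILTER)
    vnc_from_vlan = Packet("tcp", "10.10.10.5", "172.16.1.1", 5900)
    smb_from_vlan = Packet("tcp", "10.10.10.5", "172.16.1.1", 139)
    smb_to_vlan = Packet("tcp", "172.16.1.1", "10.10.10.5", 139)
    return {
        "vnc_from_vlan/in_only": only_in.forward(vnc_from_vlan),
        "smb_from_vlan/in_only": only_in.forward(smb_from_vlan),
        "smb_to_vlan/in_only": only_in.forward(smb_to_vlan),    # never evaluated
        "smb_to_vlan/in_and_out": both.forward(smb_to_vlan),
    }


if __name__ == "__main__":
    for case, verdict in compare_directions().items():
        print(f"{case:26} {verdict}")
```

Running it shows the inbound-only SVI letting TCP 139 from the big network into the VLAN through, because that packet is never handed to the "in" list; only applying a list "out" (or filtering on the other interface) evaluates it. The model also answers the stateless sub-question: nothing remembers an earlier packet, so return traffic is judged purely by the entries of the list in its own direction.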



Community Member

Hello community,

any suggestions related to the topic?
