Cisco Support Community
Community Member

Catalyst 3550 and reflexive access lists

We have a Cat 3550 with 2 VLANs configured and need to restrict access from VLAN 1 so that the stations in this vlan can not access anything outside that VLAN, but systems in VLAN 1 need to be administered from VLAN2.

To do this we have used a reflexive access list on the interface VLAN1....

interface VLAN1
 ip address
 ip access-group infilter in
 ip access-group outfilter out

ip access-list extended infilter
 evaluate admin

ip access-list extended outfilter
 permit ip any any log reflect admin

Without the access lists applied you can ping from VLAN2 to VLAN1. With the access lists applied the ping fails. When running an analyser on the replying station, it gets a destination unreachable from the 3550. If you do a show ip access-list you can see the dynamic access list has been created.

If you do this with a 1750 router instead of a Cat 3550 it works OK.

Any ideas?
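To make the intended behaviour of the two access lists explicit, here is an added, simplified model of how IOS reflexive access lists work (not Cisco code and not from the original post): the "out" list on the VLAN1 SVI reflects every permitted flow into a temporary entry, and the "in" list evaluates return traffic against those entries, so only replies to sessions started from VLAN2 get back out of VLAN1. Host addresses, the 300-second timeout and the Flow/ReflexiveList names are assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    """One direction of a session: protocol, addresses and ports (0 = no ports)."""
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

    def mirrored(self) -> "Flow":
        # A reflexive entry is the same protocol with addresses and ports swapped.
        return Flow(self.proto, self.dst, self.src, self.dport, self.sport)

@dataclass
class ReflexiveList:
    """Model of the temporary entries that 'reflect <name>' creates."""
    name: str
    timeout: float = 300.0                       # assumed IOS default, seconds
    entries: dict = field(default_factory=dict)  # mirrored Flow -> expiry time

    def reflect(self, flow: Flow, now: float) -> None:
        # 'permit ... reflect admin': record the reverse of the permitted flow.
        self.entries[flow.mirrored()] = now + self.timeout

    def evaluate(self, flow: Flow, now: float) -> bool:
        # 'evaluate admin': permit only if a live temporary entry matches.
        expiry = self.entries.get(flow)
        if expiry is None:
            return False
        if now >= expiry:            # entry has timed out, remove it
            del self.entries[flow]
            return False
        return True

ADMIN = ReflexiveList("admin")

def outfilter(flow: Flow, now: float) -> bool:
    # Traffic leaving the SVI towards VLAN1 hosts (i.e. from VLAN2): permit and reflect.
    ADMIN.reflect(flow, now)
    return True

def infilter(flow: Flow, now: float) -> bool:
    # Traffic from VLAN1 hosts: evaluate the reflexive list, then the implicit deny.
    return ADMIN.evaluate(flow, now)
```

A ping or SSH session started from VLAN2 therefore gets its replies back, while a connection attempt originating inside VLAN1 matches no entry and hits the implicit deny.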

Community Member

Re: Catalyst 3550 and reflexive access lists

I did a feature search. If you are running 12.1.6.EA1, it did not show up as supported on that release.
