
issues using acls with vlans on Catalyst 3560

I have 4 VLANs created using inter-VLAN routing:

adm -

dev -

voice -

printers -

and a router ( on interface FE0/1 ( (used ip routing)

I want to block access from dev to adm but allow from adm to dev and all the remaining traffic.

I have created the following ACLs:

access-list 100 deny ip

access-list 100 permit ip any any

These ACL entries were applied on VLAN dev in the outbound direction:

ip access-group 100 out

These ACL entries come from the idea that a Cisco switch processes the ACL entries from top to bottom and, when a match is found, stops processing the remaining entries below.

i.e. a host from 192.168.11.x trying to reach a host in 192.168.10.x should match the ACL entry:

access-list 100 deny ip

and stop processing the remaining entries:

access-list 100 permit ip any any

But what really happens is that all traffic is allowed.

P.S. This is the first time I am implementing ACLs, so I think I might not have grasped Cisco ACL behaviour; an explanation of how ACLs work in this switch and a practical example would correct my misunderstanding of ACL behaviour.

Any hints are welcome.

Thanks in advance.


Re: issues using acls with vlans on Catalyst 3560

Please check the following links on ACLs:

Also, keep in mind that direction OUT means FROM the switch TO the network.

When looking at it like that, it is easier to understand that your ACL 100 has source and destination in the wrong order.
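A small model of the two points raised in this thread (first-match evaluation of an extended ACL, and OUT on an SVI meaning traffic leaving the switch into that VLAN), written as an added example for this page and not taken from Cisco or from either poster. It assumes adm is 192.168.10.0/24 and dev is 192.168.11.0/24 (implied by the hosts in the question but not stated), and that the deny entry is `deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255`, which the posted lines leave out.

```python
import ipaddress

# Constructed subnets: the question only mentions 192.168.10.x (adm) and
# 192.168.11.x (dev) hosts, so /24s are an assumption.
VLANS = {
    "adm": ipaddress.ip_network("192.168.10.0/24"),
    "dev": ipaddress.ip_network("192.168.11.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")

# Extended ACL 100 as an ordered list of (action, source, destination);
# the deny entry's addresses are assumed, the permit is the posted one.
ACL_100 = [
    ("deny", VLANS["dev"], VLANS["adm"]),   # deny ip dev -> adm
    ("permit", ANY, ANY),                   # permit ip any any
]


def acl_decision(acl, src, dst):
    """Evaluate top to bottom; stop at the first entry whose source and
    destination both match. No match at all means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def forwards(acl, applied_to, direction, src, dst):
    """Does an inter-VLAN packet src -> dst get through when `acl` is bound
    with `ip access-group <acl> <direction>` on the SVI of `applied_to`?

    'in'  : the ACL sees packets entering the switch from that VLAN,
            i.e. packets whose source is in the VLAN.
    'out' : the ACL sees packets leaving the switch into that VLAN,
            i.e. packets whose destination is in the VLAN.
    A packet that never crosses the SVI in that direction is not checked."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    net = VLANS[applied_to]
    consulted = (s in net) if direction == "in" else (d in net)
    if not consulted:
        return True
    return acl_decision(acl, src, dst) == "permit"


if __name__ == "__main__":
    # The poster's setup: ACL 100 outbound on VLAN dev.
    print("dev->adm, out on dev:", forwards(ACL_100, "dev", "out", "192.168.11.5", "192.168.10.5"))
    # Same ACL inbound on VLAN dev, or outbound on VLAN adm.
    print("dev->adm, in on dev: ", forwards(ACL_100, "dev", "in", "192.168.11.5", "192.168.10.5"))
    print("adm->dev, in on dev: ", forwards(ACL_100, "dev", "in", "192.168.10.5", "192.168.11.5"))
```

The model is stateless, exactly like the switch's ACL: with `deny ip` from dev to adm applied inbound on VLAN dev, replies from dev hosts to adm hosts are dropped too, so an adm-to-dev TCP session still fails unless return traffic is permitted (for TCP, the `established` keyword on a permit entry placed before the deny is the usual way).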