491 Views, 0 Helpful, 1 Replies

issues using acls with vlans on Catalyst 3560

avmega
Level 1

I have 4 VLANs created using inter-VLAN routing:

adm - 192.168.10.254

dev - 192.168.11.254

voice - 192.168.12.254

printers - 192.168.13.254

and a router (192.168.14.254) on interface FE0/1 (192.168.14.253) (using ip routing).

I want to block access from dev to adm but allow access from adm to dev, and allow all the remaining traffic.

I have created the following ACL:

access-list 100 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 100 permit ip any any

This ACL was applied to VLAN dev in the outbound direction:

ip access-group 100 out

This ACL comes from the idea that a Cisco switch processes the ACL entries from top to bottom and, when a match is found, stops processing the remaining entries below.

i.e. a host in 192.168.11.x trying to reach a host in 192.168.10.x should match the entry:

access-list 100 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255

and stop processing at the remaining entry:

access-list 100 permit ip any any

But what really happens is that all traffic is allowed.

P.S. This is the first time I am implementing ACLs, so I think I might not have grasped Cisco ACL behaviour; an explanation of how ACLs work in this switch and a practical example would correct my misunderstanding of ACL behaviour.

Any hints are welcome.

Thanks in advance.

1 Reply

lgijssel
Level 9

Please check the following links on ACLs:

http://www.cisco.com/en/US/tech/tk648/tk361/tk821/tsd_technology_support_sub-protocol_home.html

Also, keep in mind that direction OUT means FROM the switch TO the network.

When looking at it like that, it is easier to understand that your ACL 100 has source and destination in the wrong order.

Regards,

Leo