Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Stupid ACL issue

Hi, everybody,

I have to setup a very simple (in my opinion) ACL on a MSFC. As I'm new in ACL's, please help....


Allow access from vlan 10 only to/from servers A and B on vlan 20 (IP only), servers C and D on vlan 30 (for DHCP and DNS). Nobody on vlan 10 can do anything to any other server on any vlan.

I tried these config's:

access-list 101 permit ip any host serverA_on_vlan20

access-list 101 permit ip any host serverB_on_vlan20

access-list 101 permit udp any host serverC_on_vlan30

access-list 101 permit udp any host serverD_on_vlan30

interface Vlan10

description === WIRELESS TOURIST VLAN ===


ip access-group 101 in

With this config, I just had access to.... everything (IP, telnet, ping,...)

by adding "access-list 101 deny ip any any", I had access to ... nothing anymore.

Thanks for all,


  • Other Network Infrastructure Subjects

Re: Stupid ACL issue

I think you should use ACL 101 as outbound instead of inbound. So put in int Vlan10 "ip access-group 101 out " instead of "in".

Don't nedd to add "access-list 101 deny ip any any".

Hope this helps and please let me know.

New Member

Re: Stupid ACL issue

You are technically correct that there is no mandatory requirement for "access-list 101 deny ip any any" as that deny statement is implied. However, it is still good practice to include it anyway so that hits on it can be tracked through logging. Just a suggestion.

New Member

Re: Stupid ACL issue

I would agree with the other response, you did not state which interface you applied the ACL to, but it looks like it is either on the wrong interfac or is going in the wrong direction.

New Member

Re: Stupid ACL issue

In looking at your configuration, I have to agree with the other replies about the direction(in/out) of your ACLs via the access-group statement. I also agree about the implicit deny that should be added at the end of your ACL. In addition, you are allowing specific traffic out, but there may be an issue about not specifying the traffic that should be allowed back to vlan10.

What I mean is if you do not specify what is allowed back to vlan10 then when the ACL entries are all tried, all remaining traffic will be denied and as a result, replies back to your requests from vlan10 to the servers on vlan20 and vlan30 will be denied as well. I hope this helps resolve the ACL issue.

This widget could not be displayed.