Cisco Support Community

New Member

ACL not applying outbound

I have a 3550-12g running IOS v12.2(25)SEE2. I have created an ACL to apply to a VLAN interface. Here is the ACL:

ip access-list extended Block_Access
 deny ip
 deny ip
 deny ip
 deny ip
 deny ip
 permit ip any any

Whenever I apply the above ACL using the "ip access-group <name> out" to the VLAN interface, the ACL doesn't work. If I apply the same command using "in" instead of "out" it does apply the ACL. The VLAN interface I am trying to apply this ACL to is configured as follows:

interface Vlan170
 ip address
 ip helper-address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache

I am wondering if I do not have something configured properly or am I missing anything.

Any input would be greatly appreciated. Thx.


New Member

Re: ACL not applying outbound

Just a suggestion, but a vlan map may be a better solution if possible

Hall of Fame Super Silver

Re: ACL not applying outbound


We need to understand how you decide that the access list is not working. The access list is denying traffic sourced from If you are testing the access list by testing from the router (doing ping or traceroute or something similar) then the explanation is that an outbound access list will NOT filter traffic generated from the router itself. If you are testing with traffic generated from some end station connected to the router then we need to understand more about the topology of your network.



New Member

Re: ACL not applying outbound

In a nutshell, I am trying to deny outbound traffic from the network to the subnets listed in the ACL, then permit traffic to any other destination. Based on the ACL, if an IP packet originates from and is destined for then it needs to be denied. The only VLAN interface that is configured on the same switch as the VLAN170 interface is the VLAN140 interface ( for the subnet). All other subnets listed in the ACL have their VLAN interfaces configured on different switches. EIGRP is configured for routing to these VLANs. I can ping back-and-forth so I know that basic IP routing and connectivity is working properly.

I am just confused as to why I can apply an ACL "inbound" on the VLAN170 interface and it works, but it does not work if I apply it "outbound".

Thx again for your assistance.


Re: ACL not applying outbound


When you apply the ACL on inbound, it actually filters the traffic hitting the VLAN from inside to outside, so your source range falls and it's denied.

But when you apply it on out, it's the traffic from outside to inside of the VLAN, so here the source changes and the source would be outside IP and destination would be inside IP.

So you need to reverse the access-list if you need to apply on out. A common extended access-list with source and destination IP defined would not work the same way for inbound and outbound.

Hope it helps


vanesh k
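
The direction behaviour described in the replies above, as an added example that is not part of the original thread: a small Python model of which packets an ACL on interface Vlan170 evaluates for "in" and "out". The thread omits the real subnets, so the 10.1.170.0/24 and 10.1.140.0/24 addresses and the names BLOCK_ACCESS_OUT, acl_action, svi_verdict and demo are constructed for illustration.

```python
import ipaddress as ip

# Constructed addressing: the thread does not show the real subnets.
VLAN170 = ip.ip_network("10.1.170.0/24")  # hosts behind interface Vlan170
VLAN140 = ip.ip_network("10.1.140.0/24")  # one of the subnets to block
ANY = ip.ip_network("0.0.0.0/0")

# ACE = (action, source network, destination network); first match wins.
BLOCK_ACCESS = [("deny", VLAN170, VLAN140), ("permit", ANY, ANY)]
# Same policy mirrored for "out": source and destination swapped.
BLOCK_ACCESS_OUT = [("deny", VLAN140, VLAN170), ("permit", ANY, ANY)]


def acl_action(acl, src, dst):
    """Action of the first matching ACE, else the implicit deny."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def svi_verdict(acl, direction, src, dst, router_originated=False):
    """Verdict of an ACL on interface Vlan170 for one packet.
    "in" sees packets from hosts in the VLAN that are to be routed; "out" sees
    packets routed into the VLAN, except ones the switch itself generated."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if src in VLAN170 and dst in VLAN170:
        seen = False  # bridged inside the VLAN, never routed
    elif direction == "in":
        seen = src in VLAN170
    else:
        seen = dst in VLAN170 and not router_originated
    return acl_action(acl, src, dst) if seen else "not-evaluated"


def demo():
    h170, h140, sw140 = "10.1.170.10", "10.1.140.20", "10.1.140.1"
    return {
        "in, 170->140": svi_verdict(BLOCK_ACCESS, "in", h170, h140),
        "out, 170->140": svi_verdict(BLOCK_ACCESS, "out", h170, h140),
        "out, 140->170": svi_verdict(BLOCK_ACCESS, "out", h140, h170),
        "mirrored out, 140->170": svi_verdict(BLOCK_ACCESS_OUT, "out", h140, h170),
        "mirrored out, from switch": svi_verdict(
            BLOCK_ACCESS_OUT, "out", sw140, h170, router_originated=True),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28} {verdict}")
```

With the original entry order, the "out" direction only ever sees return traffic, which falls through to "permit ip any any"; the mirrored list denies it, and a ping issued from the switch itself is not filtered in either case.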
