Hall of Fame Expert

Re: Access list for interVLAN

Hello @JasonOwen ,

@Georg Pauwen has provided a good example of what you can configure.

First of all, you will need multiple ACLs applied inbound to each SVI interface Vlan.

Second factor to consider: these IP ACLs, even if extended, are not stateful, and you need to provide the return path.


So, translating the one-way connectivity to "I would like TCP sessions started from hosts in Vlan 1,2 to hosts in Vlans 3-6 to be able to be set up, but not the opposite", you can use something like:


interface vlan 6
ip access-group 106 in

access-list 106 permit tcp established
access-list 106 permit tcp established


If no other networks should be accessed, you can rely on the implicit deny any any at the end of the ACL.


However, if you need to allow internet access or access to other networks in general, you would need to add:


access-list 106 deny ip
access-list 106 permit ip any


Actually, you need to apply inbound ACLs only to the limited SVIs, interface Vlan 3 to interface Vlan 6.


The ACLs for SVI vlan 3 to vlan 5 would be similar to the one proposed here.

If hosts in Vlans 3 to 6 can access Vlan 1, the first line should be, as proposed by Georg, a permit ip.

Here, I am proposing this alternate version so that only TCP sessions started from Vlan 1 to Vlans 3 to 6 can be set up.

Interface Vlan1 and interface Vlan2 could stay without any ACL applied unless your network is a closed connectivity one and there is no need for internet access and so on.



In case you need to provide internet access to users in Vlans 3 to 6, you may need to enable the traffic for DNS queries and DNS replies, which use UDP port 53.

It really depends where the DNS servers are located.


Hope to help



Hall of Fame Master

Re: Access list for interVLAN

There have been several posts in this discussion that mention reflexive access lists. And this relates to a fundamental problem with what you want to achieve. As an example you want a device in vlan 1 (perhaps it is to communicate with a device in vlan 3 (perhaps it is Assuming that you will use an access list inbound on interface vlan 3 to filter the traffic it will receive an IP packet whose source address is and destination is - should the access list permit or deny this packet? The answer is deny if the packet is from initiating some to vlan 1. But the answer is permit if this is responding to something initiated from vlan 1. How does the access list determine whether this is a response or not?


To really achieve your requirements requires doing stateful inspection, in which we would know who initiated the traffic. I don't believe that your switch supports doing stateful inspection.
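The two replies above make one combined point: the `established` keyword gives the return path for sessions opened from Vlan 1/2, but the ACL stays stateless, so it only inspects the flags of each segment. The following Python model of a first-match extended ACL (an added example, not code from either poster or from Cisco) walks through ACL 106 inbound on interface Vlan 6 and shows both behaviours. The page does not preserve the original subnets, so the VLAN prefixes, the internal 10.0.0.0/16 block and the DNS server address are constructed assumptions; the `udp ... eq 53` entry is the DNS allowance the first reply mentions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed subnet plan. The original post's addresses were not preserved
# on the page, so these values are assumptions made only for this example.
VLAN1 = "10.0.1.0/24"
VLAN2 = "10.0.2.0/24"
VLAN6 = "10.0.6.0/24"
INTERNAL = "10.0.0.0/16"      # assumption: every VLAN lives inside this block
DNS_SERVER = "10.0.1.53/32"   # assumption: the DNS server sits in Vlan 1


def net(spec: str) -> ipaddress.IPv4Network:
    """'any' becomes 0.0.0.0/0; anything else is a CIDR prefix."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False     # TCP ACK flag
    rst: bool = False     # TCP RST flag


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False    # 'established': ACK or RST must be set
    dport: Optional[int] = None  # 'eq <port>' on the destination port


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    # 'established' is stateless: it only looks at the flags of this segment.
    if ace.established and not (pkt.ack or pkt.rst):
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


def acl_106() -> List[Ace]:
    """Inbound on interface Vlan 6: hosts in Vlan 6 may only answer TCP sessions
    opened from Vlan 1/2, may query the DNS server, and may reach anything
    outside the internal block (the internet)."""
    return [
        Ace("permit", "tcp", net(VLAN6), net(VLAN1), established=True),
        Ace("permit", "tcp", net(VLAN6), net(VLAN2), established=True),
        Ace("permit", "udp", net(VLAN6), net(DNS_SERVER), dport=53),
        Ace("deny", "ip", net(VLAN6), net(INTERNAL)),
        Ace("permit", "ip", net("any"), net("any")),
    ]


def demo() -> dict:
    """Verdicts for a few constructed packets entering interface Vlan 6."""
    acl = acl_106()
    return {
        # Vlan 6 host opens a session to Vlan 1: SYN carries no ACK -> deny
        "syn_to_vlan1": evaluate(acl, Packet("tcp", "10.0.6.10", "10.0.1.20", 80)),
        # SYN/ACK answering a session opened from Vlan 1: ACK set -> permit
        "synack_to_vlan1": evaluate(acl, Packet("tcp", "10.0.6.10", "10.0.1.20", 51000, ack=True)),
        # DNS query to the assumed server in Vlan 1
        "dns_query": evaluate(acl, Packet("udp", "10.0.6.10", "10.0.1.53", 53)),
        # Web traffic to the internet falls through to the final permit
        "internet": evaluate(acl, Packet("tcp", "10.0.6.10", "203.0.113.5", 443)),
        # Limitation from the second reply: any segment carrying ACK matches
        # 'established' whether or not a session exists; only stateful
        # inspection could tell a real reply from a stray ACK.
        "stray_ack_to_vlan1": evaluate(acl, Packet("tcp", "10.0.6.10", "10.0.1.20", 445, ack=True)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Dropping the last two entries of `acl_106()` reproduces the "closed network" variant from the first reply, where the implicit deny at the end blocks internet traffic as well. The `stray_ack_to_vlan1` case is the reason the second reply points at stateful inspection: the ACL has no session table, so it cannot know whether an ACK-bearing segment answers anything Vlan 1 actually started.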