

ACL to block L2 communication between hosts


On the SG350, I thought I could apply a VACL or ip access-group, but it seems these commands are not supported!

The only way to bind an ACL to an interface is

service-acl input
# the output version does not seem to be supported: service-acl output

I use the SG350 with inter-VLAN routing enabled

I have a few VLANs setup, mainly a media VLAN 50.

- All devices in VLAN 50 should not communicate to any other VLAN

- All devices in VLAN 50 should be able to communicate to the DLNA server at

- All devices in VLAN 50 should not be able to communicate between them


I added the below ACL-ACE rules

config t

ip access-list extended "DLNA VLAN50"

# allow VLAN 50 net to firewall gateway (DNS/DHCP), to VLAN 50 gateway (SG350 switch) and to broadcast IP (optional)
permit ip ace-priority 10
permit ip ace-priority 20
permit ip ace-priority 25

# Permit gateways to talk back to VLAN 50
permit ip ace-priority 30
permit ip ace-priority 40

# Permit VLAN 50 clients to talk to the DLNA Server on port 8200 for DLNA
permit tcp any 8200 ace-priority 60

# Permit DLNA Server to answer VLAN 50 clients requests but only from its ports TCP 8200 and UDP 1900
permit tcp 8200 any ace-priority 80
permit udp 1900 any ace-priority 100

# Deny any communication to local hosts
deny ip ace-priority 120 log-input
deny ip ace-priority 140 log-input
deny ip ace-priority 160 log-input


# Apply ACL to VLAN 50
interface vlan 50
service-acl input "DLNA VLAN50" default-action permit-any 

Most things work as expected:

- internet access is preserved

- access to other VLANs is properly denied

- access to media DLNA server is only allowed on the DLNA open ports


However, VLAN 50 devices can ping each other, while they properly cannot ping the media server or access its web server on port 80.


After some reading, I think that the service-acl input command only applies to L3, and L2 communication between hosts does not reach the routing interface.


- Q1: how come the server is properly isolated from other clients on the VLAN when they try to ping it or access its web server on port 80?

- Q2: how can I properly block L2 communication inside VLAN 50 without applying an ACL to a port? (The VLAN 50 clients are connected to the switch through 2 physical ports, but also through a tagged VLAN on a trunk port connected to a wifi AP.)

- Q3: since the service-acl output command is not supported, is the isolation I did adequate, or must I also add rules to deny "other VLANs to"?

- Q4: in the data sheet for the 350 series, I read: "ACL can be applied on both ingress and egress sides". Why is only "service-acl input" allowed?


Hope someone can help me write the rules I need to achieve the above requirements.

Thank you
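To sanity-check an ACL like the one above before binding it, it helps to model the evaluation order offline. The script below is an added example and is not the poster's configuration or Cisco's code: it models the "DLNA VLAN50" ACL as first-match by ascending ace-priority with the bound default-action (permit-any) as the fallback, using constructed addresses (192.168.50.0/24 for VLAN 50 with the SVI at .1, 192.168.1.1 as the firewall/DNS/DHCP gateway, 192.168.10.20 as the DLNA server, 192.168.0.0/16 as "local") since the original post elides its addresses. It replays the three stated requirements plus the flows the poster observed, and adds a check the permissive default makes necessary: any local network that is not enumerated in a deny ACE is reachable. Note that it only models packets that actually traverse the switch's ACL; frames bridged between two wireless clients inside an AP never reach the switch at all.

```python
"""Offline model of the 'DLNA VLAN50' ACL: first-match by ascending ace-priority,
falling back to the bound default-action (permit-any) when no ACE matches."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing (the original post elides its addresses; these are constructed):
VLAN50 = "192.168.50.0/24"        # media VLAN
VLAN50_GW = "192.168.50.1"        # SG350 SVI for VLAN 50
FIREWALL = "192.168.1.1"          # firewall gateway providing DNS/DHCP
DLNA_SERVER = "192.168.10.20"     # DLNA server on another VLAN
BROADCAST = "255.255.255.255"
LOCAL = "192.168.0.0/16"          # what the deny ACEs treat as "local hosts"


@dataclass(frozen=True)
class Ace:
    priority: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol, else "tcp"/"udp"/...
    src: str                      # host, network or "any"
    dst: str
    sport: Optional[int] = None   # None means any port
    dport: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _in(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if not (_in(flow.src, ace.src) and _in(flow.dst, ace.dst)):
        return False
    if ace.sport is not None and ace.sport != flow.sport:
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return True


def evaluate(acl, flow: Flow, default_action: str = "permit"):
    """Return (action, priority); priority is None when the default-action decided."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if matches(ace, flow):
            return ace.action, ace.priority
    return default_action, None


# Same shape and priorities as the posted ACL, with the assumed addresses filled in.
DLNA_VLAN50 = [
    Ace(10, "permit", "ip", VLAN50, FIREWALL),
    Ace(20, "permit", "ip", VLAN50, VLAN50_GW),
    Ace(25, "permit", "ip", VLAN50, BROADCAST),
    Ace(30, "permit", "ip", FIREWALL, VLAN50),
    Ace(40, "permit", "ip", VLAN50_GW, VLAN50),
    Ace(60, "permit", "tcp", VLAN50, DLNA_SERVER, dport=8200),
    Ace(80, "permit", "tcp", DLNA_SERVER, VLAN50, sport=8200),
    Ace(100, "permit", "udp", DLNA_SERVER, VLAN50, sport=1900),
    Ace(120, "deny", "ip", VLAN50, VLAN50),
    Ace(140, "deny", "ip", VLAN50, LOCAL),
    Ace(160, "deny", "ip", LOCAL, VLAN50),
]


def check_requirements(acl=DLNA_VLAN50) -> dict:
    """Evaluate the three stated requirements plus the cases the poster observed."""
    flows = {
        "client->dlna:8200":    Flow("tcp", "192.168.50.20", DLNA_SERVER, 50000, 8200),
        "client->dlna:80":      Flow("tcp", "192.168.50.20", DLNA_SERVER, 50001, 80),
        "client->client icmp":  Flow("icmp", "192.168.50.20", "192.168.50.21"),
        "client->other vlan":   Flow("tcp", "192.168.50.20", "192.168.20.5", 50002, 445),
        "client->internet dns": Flow("udp", "192.168.50.20", "8.8.8.8", 50003, 53),
    }
    return {name: evaluate(acl, f) for name, f in flows.items()}


def find_leaks(acl, local_nets) -> list:
    """Local networks reachable only because of default-action permit-any.
    With a permissive default, every local network must appear in a deny ACE."""
    leaks = []
    for net in local_nets:
        first_host = str(next(ipaddress.ip_network(net).hosts()))
        action, prio = evaluate(acl, Flow("tcp", "192.168.50.20", first_host, 50004, 22))
        if action == "permit" and prio is None:
            leaks.append(net)
    return leaks


if __name__ == "__main__":
    for name, verdict in check_requirements().items():
        print(f"{name:24s} -> {verdict}")
    print("leaks:", find_leaks(DLNA_VLAN50, ["192.168.20.0/24", "10.0.0.0/8", "172.16.0.0/12"]))
```

Running it shows the DLNA port permitted at priority 60, the web port and the other VLAN denied at 140, client-to-client denied at 120, and Internet DNS permitted only by the default action; the leak check reports 10.0.0.0/8 and 172.16.0.0/12 because nothing in the list denies them, which is the practical answer to Q3: with a permit-any default, the deny ACEs must enumerate every local network, in both directions, rather than relying on an output ACL.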


- Q1: how come the server is properly isolated from other clients on the VLAN when they try to ping it or access its web server on port 80?

This one I figured out I think: the Media server is connected to an SG350X Switch which is trunked to the core SG350 switch doing the interVLAN routing. The other VLAN 50 clients are connected to the core Switch.

Please help for the other issues and proper ACLs


Well, it was the L2 communication on the wifi AP trunk.

Only devices connected by Wifi were talking to each other, not those wired

So the ACLs look to be working

I isolated the AP's L2 clients in the AP software.


Please give a feedback on my ACLs strategy above


Best regards