I am using a Catalyst 4506 with three VLANs. I applied an ACL on one VLAN where I want the traffic to be blocked, but it is not working. Do you have an idea why? This is the config I have:
int vlan 5
ip address 10.10.91.129 255.255.255.128
ip access-group 110 out
ip helper-address 172.21.100.50
int vlan 6
ip address 10.10.128.1 255.255.255.0
ip helper-address 10.10.129.1
access-list 110 deny ip 10.10.91.128 0.0.0.127 10.10.128.0 0.0.0.255
With this configuration I can still ping int vlan 6 sourcing traffic from vlan 6, which should not happen, as the ACL in place should block the traffic...
#ping 10.10.128.1 so vlan 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.128.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.91.129
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Yes, you need to apply the access-list in the direction below.
Int vlan 5
Access-group 110 in
See the difference below between ip access-group in & out.
When you apply an ACL "in", the router examines all traffic it RECEIVES on the interface against the ACL.
When you apply an ACL "out" on an interface the router examines any traffic attempting to leave that interface against the ACL.
Please click on the correct answer on all posts if they answered your question.
Any way you apply that ACL, it will have no impact on locally generated traffic.
You can test this by connecting a PC to Vlan 5 and trying to ping from that PC. You will see that applying the ACL in the outbound direction has no impact. If you apply the ACL inbound you will see the traffic being denied ( %SEC-6-IPACCESSLOGDP: list 110 denied icmp 10.10.91.130 -> 10.10.128.1 (0/0), 1 packet). I've used 10.10.91.130 for that PC.
BTW: be careful, because if your ACL has only deny statements it will drop all the traffic, as it has an implicit deny any at the end.
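The two answers above make three separate points: ACL direction ("in" checks what the SVI receives, "out" checks what leaves it), the fact that the switch's own pings are not subject to its interface ACLs, and the implicit deny at the end of a deny-only list. The following Python model is an added example, not code from the thread or from Cisco IOS; it simulates the thread's two SVIs with a simplified IOS-style evaluation (first match wins, implicit deny, locally generated traffic bypasses interface ACLs, packets addressed to the switch itself are only checked by the inbound ACL of the receiving interface). The PC address 10.10.91.130 comes from the second answer; the VLAN 6 host 10.10.128.20 and the `permit ip any any` line in the corrected list are assumptions added here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# --- ACL parsing and evaluation (numbered extended ACL syntax, as posted) ---

@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    protocol: str               # "ip" matches any protocol
    src: Tuple[str, str]        # (address, wildcard mask)
    dst: Tuple[str, str]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _parse_addr(tokens: List[str]):
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse lines like 'access-list 110 deny ip 10.10.91.128 0.0.0.127 10.10.128.0 0.0.0.255'."""
    entries = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, rest = _parse_addr(tok[4:])
        dst, _ = _parse_addr(rest)
        entries.append(AclEntry(action, proto, src, dst))
    return entries

def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str) -> str:
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for e in acl:
        if e.protocol not in ("ip", proto):
            continue
        if wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst):
            return e.action
    return "deny"   # implicit 'deny any' at the end of every ACL

# --- Minimal model of the switch's SVIs and ACL placement ---

@dataclass
class Interface:
    name: str
    address: str                            # e.g. "10.10.91.129/25"
    acl_in: Optional[List[AclEntry]] = None
    acl_out: Optional[List[AclEntry]] = None

    def contains(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_interface(self.address).network

    def is_own(self, ip: str) -> bool:
        return ip == str(ipaddress.ip_interface(self.address).ip)

class Router:
    def __init__(self, interfaces: List[Interface]):
        self.ifaces = interfaces

    def handle(self, proto: str, src: str, dst: str, locally_generated: bool = False):
        """Return (verdict, reason) for one packet passing through the switch."""
        if locally_generated:
            # The switch's own traffic (e.g. 'ping ... so vlan 5') is not checked by interface ACLs.
            return "permit", "locally generated; interface ACLs bypassed"
        ingress = next((i for i in self.ifaces if i.contains(src)), None)
        if ingress is None:
            return "deny", "no connected interface for source"
        if ingress.acl_in is not None and evaluate(ingress.acl_in, proto, src, dst) == "deny":
            return "deny", f"inbound ACL on {ingress.name}"
        if any(i.is_own(dst) for i in self.ifaces):
            # Addressed to an SVI: delivered to the switch, so no outbound ACL is ever consulted.
            return "permit", "destined to the switch itself"
        egress = next((i for i in self.ifaces if i.contains(dst)), None)
        if egress is not None and egress.acl_out is not None:
            if evaluate(egress.acl_out, proto, src, dst) == "deny":
                return "deny", f"outbound ACL on {egress.name}"
        return "permit", f"forwarded via {egress.name if egress else 'default route'}"

# The ACL exactly as posted (deny-only) and a corrected version with an explicit permit (assumed).
ACL_110_POSTED = parse_acl(["access-list 110 deny ip 10.10.91.128 0.0.0.127 10.10.128.0 0.0.0.255"])
ACL_110_FIXED = parse_acl([
    "access-list 110 deny ip 10.10.91.128 0.0.0.127 10.10.128.0 0.0.0.255",
    "access-list 110 permit ip any any",
])

def build(direction: str, acl: List[AclEntry]) -> Router:
    vlan5 = Interface("Vlan5", "10.10.91.129/25",
                      acl_in=acl if direction == "in" else None,
                      acl_out=acl if direction == "out" else None)
    vlan6 = Interface("Vlan6", "10.10.128.1/24")
    return Router([vlan5, vlan6])

def scenarios() -> dict:
    out_posted = build("out", ACL_110_POSTED)    # the original poster's placement
    in_posted = build("in", ACL_110_POSTED)      # the first answer's fix, deny-only list
    in_fixed = build("in", ACL_110_FIXED)        # same, with 'permit ip any any' appended
    return {
        "switch ping, acl out":          out_posted.handle("icmp", "10.10.91.129", "10.10.128.1", True)[0],
        "pc ping vlan6 svi, acl out":    out_posted.handle("icmp", "10.10.91.130", "10.10.128.1")[0],
        "vlan6 host to pc, acl out":     out_posted.handle("icmp", "10.10.128.20", "10.10.91.130")[0],
        "pc ping vlan6 svi, acl in":     in_posted.handle("icmp", "10.10.91.130", "10.10.128.1")[0],
        "pc to helper, acl in deny-only": in_posted.handle("udp", "10.10.91.130", "172.21.100.50")[0],
        "pc to helper, acl in fixed":    in_fixed.handle("udp", "10.10.91.130", "172.21.100.50")[0],
        "pc to vlan6 host, acl in fixed": in_fixed.handle("icmp", "10.10.91.130", "10.10.128.20")[0],
    }
```

Running `scenarios()` reproduces the thread: with the ACL applied "out" on Vlan 5, both the switch's own ping and a PC ping to 10.10.128.1 get through, because the only packets the outbound ACL ever sees are the ones leaving Vlan 5 toward the PCs (the reverse direction), and those are dropped by the implicit deny. Applied "in", the PC ping is denied as in the logged message, but so is everything else from that subnet, including traffic to the 172.21.100.50 helper, until a `permit ip any any` is appended.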