
Block traffic between two interfaces with out ACL



I cannot figure out why my configuration is not working on a Cisco 2921.
Basically I am trying to block traffic from the DMZ interface to the LAN interface.
On the DMZ interface I added extended ACL:

interface GigabitEthernet0/0.40
 ip address
 ip access-group DMZ-OUT out

The access list is very simple:

ip access-list extended DMZ-OUT
 deny ip any
 permit ip any any

I would assume that with such a configuration all traffic from network to network should be blocked, but apparently it isn't, as I can still ping hosts:

ping source

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Packet sent with a source address of
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

What's wrong with my configuration?
Thank you in advance for your valuable help.

Best regards,



If Gi0/0.40 is your DMZ interface and you want to filter traffic coming into that interface you should apply the ACL inbound:

ip access-group DMZ-OUT in

Even with that in place you may run into issues testing the ACL when using ping source :

"Another special note on Cisco ACLs is that ACLs never apply to traffic generated by the router. So, even if you have an inbound and an outbound ACL on a router denying all traffic, the router will still be able to send any packet it wants; the return packet, however, will be blocked as usual."

Above quote from:


Hi Andy,

In fact I want to filter traffic going out from the interface Gi0/0.40 but that doesn't work with my access list.

Thanks a lot for pointing out that testing on the router doesn't take ACLs into consideration. I wasn't aware of that.

Now I'm testing it from a host connected to DMZ network and the result is still the same.

Probably I could define an ACL on my local network ( but according to best practices filtering should happen as close to the source as possible. So using an out ACL on the DMZ interface seems to be the best option, which unfortunately doesn't work.

Any help on why my configuration doesn't work is highly appreciated.

Best regards,

Hi Lukasz
If you are looking to deny traffic from your DMZ network reaching your LAN network then the following should work:

interface GigabitEthernet0/0.40
 ip address
 ip access-group DMZ-IN in
ip access-list extended DMZ-IN
 deny ip any
 permit ip any any
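The direction semantics the two replies above describe (an "out" ACL bound to Gi0/0.40 is only consulted for packets leaving the router through that subinterface, an "in" ACL on it sees what arrives from the DMZ, and pings sourced from the router CLI bypass interface ACLs altogether) can be checked with the following Python model. It is an added example, not the thread's configuration and not anything from Cisco IOS: the LAN subinterface name Gi0/0.10, the subnets 10.0.40.0/24 and 10.0.10.0/24, the host addresses, and the ACL name DMZ-FILTER are constructed for the illustration, and the ACL parser only understands the `permit|deny ip <src> <dst>` form used in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class AddrSpec:
    """One address term of an ACE: base address plus IOS wildcard mask.
    Wildcard bits set to 1 are "don't care", so matching uses the inverse mask;
    this also handles non-contiguous wildcards, which a prefix length cannot express."""
    base: int
    wildcard: int

    def matches(self, ip: str) -> bool:
        care = ~self.wildcard & ALL_ONES
        return (int(ipaddress.IPv4Address(ip)) & care) == (self.base & care)


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: AddrSpec
    dst: AddrSpec


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return AddrSpec(0, ALL_ONES), i + 1
    if tok == "host":
        return AddrSpec(int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return AddrSpec(base, wildcard), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse an 'ip access-list extended' block; header and '!' comment lines are skipped.
    Assumption: only 'permit|deny ip <src> <dst>' entries, as in the thread."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] == "ip" or toks[0].startswith("!"):
            continue
        action, proto = toks[0], toks[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, i = _parse_addr(toks, 2)
        dst, _ = _parse_addr(toks, i)
        aces.append(Ace(action, src, dst))
    return aces


def acl_action(aces: List[Ace], src_ip: str, dst_ip: str) -> str:
    """First matching ACE wins; an unmatched packet hits the implicit 'deny ip any any'."""
    for ace in aces:
        if ace.src.matches(src_ip) and ace.dst.matches(dst_ip):
            return ace.action
    return "deny"


@dataclass
class Router:
    interfaces: Dict[str, ipaddress.IPv4Network]   # interface -> directly connected subnet
    access_groups: Dict[Tuple[str, str], str]      # (interface, "in"|"out") -> ACL name
    acls: Dict[str, List[Ace]]

    def _egress(self, dst_ip: str) -> Optional[str]:
        addr = ipaddress.IPv4Address(dst_ip)
        return next((n for n, net in self.interfaces.items() if addr in net), None)

    def _acl_verdict(self, intf: str, direction: str, src_ip: str, dst_ip: str) -> Optional[str]:
        name = self.access_groups.get((intf, direction))
        if name and acl_action(self.acls[name], src_ip, dst_ip) == "deny":
            return f"dropped by {name} {direction} on {intf}"
        return None

    def send(self, src_ip: str, dst_ip: str, ingress: Optional[str]) -> str:
        """Walk one packet through the router. ingress=None models traffic the router itself
        originates (a CLI 'ping ... source ...'), which IOS does not run through interface ACLs."""
        egress = self._egress(dst_ip)
        if egress is None:
            return "no route"
        if ingress is None:
            return f"forwarded out {egress} (router-generated, ACLs bypassed)"
        # Inbound ACL of the arrival interface first ...
        verdict = self._acl_verdict(ingress, "in", src_ip, dst_ip)
        if verdict:
            return verdict
        # ... then the outbound ACL of the departure interface. An 'out' ACL bound to the
        # *ingress* interface is never consulted for this packet, which is the poster's problem.
        return self._acl_verdict(egress, "out", src_ip, dst_ip) or f"forwarded out {egress}"


# Constructed sample topology; the thread's real addresses are not shown in the post.
DMZ_IF, LAN_IF = "Gi0/0.40", "Gi0/0.10"
DMZ_NET, LAN_NET = "10.0.40.0/24", "10.0.10.0/24"
DMZ_HOST, LAN_HOST = "10.0.40.5", "10.0.10.5"
ACL_TEXT = """
ip access-list extended DMZ-FILTER
 deny ip 10.0.40.0 0.0.0.255 10.0.10.0 0.0.0.255
 permit ip any any
"""


def build_router(direction: str) -> Router:
    """Bind DMZ-FILTER to the DMZ subinterface 'out' (as posted) or 'in' (as suggested)."""
    return Router(
        interfaces={DMZ_IF: ipaddress.ip_network(DMZ_NET), LAN_IF: ipaddress.ip_network(LAN_NET)},
        access_groups={(DMZ_IF, direction): "DMZ-FILTER"},
        acls={"DMZ-FILTER": parse_acl(ACL_TEXT)},
    )


def scenario() -> Dict[str, str]:
    out_router, in_router = build_router("out"), build_router("in")
    return {
        "out_acl_dmz_to_lan": out_router.send(DMZ_HOST, LAN_HOST, ingress=DMZ_IF),  # still forwarded
        "out_acl_lan_to_dmz": out_router.send(LAN_HOST, DMZ_HOST, ingress=LAN_IF),  # permit any any
        "in_acl_dmz_to_lan": in_router.send(DMZ_HOST, LAN_HOST, ingress=DMZ_IF),    # dropped on ingress
        "in_acl_router_ping": in_router.send(DMZ_HOST, LAN_HOST, ingress=None),     # CLI ping bypasses ACLs
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:20s} -> {result}")
```

On the real router the equivalent check is `show ip access-lists`: with the ACL bound in the wrong direction its per-entry match counters stay at zero while a DMZ host pings the LAN, and only the test from a real DMZ host (not a router-sourced ping) tells you whether the filter is in the path at all.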



You might want to try local policy routing with a route map. In your case, it would look like this:

ip access-list extended DROP_DMZ_LAN
 deny ip any
 permit ip any any

route-map NO_DMZ_LAN permit 10
 match ip address DROP_DMZ_LAN

Router(config)#ip local policy route-map NO_DMZ_LAN


A more granular approach would be to use Control Plane Policing (CoPP).

This will cause any control plane traffic (specified via an ACL) destined to the router's interfaces to be dropped, but will allow data plane traffic (transit traffic).

access-list 100 permit ip any

class-map match-any STANcm
match access-group 100

policy-map STANpm
 class STANcm
  drop

control-plane host
service-policy input STANpm


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards