Extended access list on C9300

guti_spain, Level 1

Hello everyone:

I am trying to configure an extended access list on a C9300 (IOS XE 17.03.04) to allow traffic between two stations. This is the configuration of the network I'm having problems with:

[Image: network.png (network diagram)]

Both stations are in different VLANs and switch C9300 routes traffic between them.

Station with IP 192.168.201.14 has an open port 768 and is connected to VLAN 2.

Station with IP 172.24.4.227 connects to the other station with a random source port and is connected to VLAN 3.

I am configuring an extended access-list to apply to VLAN 3 in the output direction to allow station 172.24.4.227 to connect to station 192.168.201.14. There are no other access-lists configured in the switch.

When there is no access-list configured, communication between both stations works properly.

When I configure the following access-list, there is no traffic from station 192.168.201.14 seen in VLAN 3 (I have used Wireshark and RMON to check this):

permit tcp host 172.24.4.227 host 192.168.201.14 eq 768

When I configure the following access-list, the traffic and communications are restored between the stations:

permit tcp host 172.24.4.227 host 192.168.201.14 eq 768

permit tcp host 192.168.201.14 eq 768 host 172.24.4.227

No matches are shown in any case with a show access-list, probably because the filtering is executed in hardware and that doesn't increase the counters. Why do you think the traffic is restored in the second case, if the ACL is applied only to output traffic from VLAN 3?

Thanks and regards,

Jordi

Accepted Solution

(..227) interface - VLAN 3 - CPU (interVLAN) - VLAN 2 - interface (..14)

You need to apply it to VLAN 2.

Thus traffic out from VLAN 2 toward .14 is permitted.

The CPU cannot apply an ACL in interVLAN.

That's why.

MHM

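The packet path in the accepted solution (host in VLAN 3 → VLAN 3 SVI → routing → VLAN 2 SVI → host in VLAN 2) can be modelled in a few lines. The following is an added example, not code from the thread or from Cisco: it applies the two ACLs from the original post as OUT ACLs on an SVI and checks whether both the request and the TCP reply get forwarded. The client source port 50123 and the dictionary shape of the entries are constructed assumptions.

```python
# Added example (not from the thread): a toy model of how an ACL applied OUT on
# an SVI is evaluated on a Layer 3 switch routing between VLAN 2 and VLAN 3.
# Host addresses and port 768 are the ones from the original post.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


# Which VLAN (SVI) each host sits behind, as described in the post.
VLAN_OF = {"192.168.201.14": 2, "172.24.4.227": 3}


def ace_matches(ace: dict, pkt: Packet) -> bool:
    """One extended 'permit tcp host A [eq P] host B [eq Q]' entry.
    A missing 'sport'/'dport' key means 'any port' (assumption)."""
    return (pkt.src == ace["src"] and pkt.dst == ace["dst"]
            and ace.get("sport") in (None, pkt.sport)
            and ace.get("dport") in (None, pkt.dport))


def acl_permits(acl: list, pkt: Packet) -> bool:
    """Permit-only ACL: first matching entry permits, otherwise implicit deny."""
    return any(ace_matches(ace, pkt) for ace in acl)


def forwards(pkt: Packet, out_acls: dict) -> bool:
    """Route pkt toward its destination VLAN. The OUT ACL that is consulted is
    the one on the destination SVI, since 'out' means leaving the routed
    interface toward the hosts in that VLAN. No ACL means forward."""
    acl = out_acls.get(VLAN_OF[pkt.dst])
    return True if acl is None else acl_permits(acl, pkt)


def session_works(out_acls: dict) -> bool:
    """A TCP session needs both the client request and the server reply."""
    request = Packet("172.24.4.227", "192.168.201.14", 50123, 768)  # constructed sport
    reply = Packet("192.168.201.14", "172.24.4.227", 768, 50123)
    return forwards(request, out_acls) and forwards(reply, out_acls)


# The entry from the post, and the second entry that restored traffic.
TO_SERVER = {"src": "172.24.4.227", "dst": "192.168.201.14", "dport": 768}
FROM_SERVER = {"src": "192.168.201.14", "sport": 768, "dst": "172.24.4.227"}

FIRST_ATTEMPT = {3: [TO_SERVER]}          # OUT on VLAN 3: reply hits implicit deny
WORKING = {3: [TO_SERVER, FROM_SERVER]}   # OUT on VLAN 3: reply is permitted
MHM_SUGGESTION = {2: [TO_SERVER]}         # OUT on VLAN 2: request permitted, reply unfiltered
```

The model only captures direction semantics; whether a given platform evaluates SVI ACLs in hardware or software, and whether counters increment, is platform-specific and not represented here.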

8 Replies

permit tcp host 172.24.4.227 host 192.168.201.14 eq 768 <<- this is the only line needed, and apply it to VLAN3 in the IN direction.

MHM

Thanks for your answer, MHM. That is what I thought: I would only need that line if I used an IN ACL on the VLAN, but I am not using any IN ACL, so the first line alone in the OUT direction should be enough:

permit tcp host 172.24.4.227 host 192.168.201.14 eq 768

I can't understand why it works adding the second rule and doesn't with the first one only, since that ACL is not filtering traffic going into VLAN 3.

In any case, I prefer to apply an OUT ACL rather than an IN ACL if possible.

permit tcp host 172.24.4.227 host 192.168.201.14 eq 768 >> this can be used for OUT, but not on vlan3; on vlan2.

MHM

Thanks again MHM, but I think I'm missing something here.

  • Station 192.168.201.14 is in VLAN 2
  • Station 172.24.4.227 is in VLAN 3
  • The permit command has the format permit protocol source destination
  • I want to allow traffic from 172.24.4.227 to 192.168.201.14:768

Why should I apply permit tcp host 172.24.4.227 host 192.168.201.14 eq 768 in an OUT ACL in VLAN2 if the traffic is going out of VLAN3 from 172.24.4.227 to 192.168.201.14? 

Hello,

VLAN ACLs work in the inverse direction. An ACL applied to a VLAN in the OUT direction filters traffic INBOUND and an ACL applied IN filters traffic in the OUTBOUND direction.

-David


That flux of data is what I was missing. Books and articles I have read always apply ACLs to interfaces, so I was missing what @David Ruess explained in his post, and that separation between interVLAN, VLAN and interfaces in Layer 3 switches.

Thank you all for your help

balaji.bandi, Hall of Fame

Understand the flow and apply the ACL where appropriate, IN or OUT, to get a better outcome.

Can we see the interface configuration, how you applied the ACL, and on what device?

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

BB
