Solved: Re: Extended ACL don't work

HenryNguyen89 · ‎11-20-2022

I have this topology like this.

Vlan 116: can ping to DHCP Server (10.125.115.254)

Other Vlan (118, 120, 121) cannot ping to DHCP server, just block icmp protocol.

And my command as below:

access-list 100 permit icmp 10.125.116.0 0.0.0.255 host 10.125.115.254

access-list 100 deny icmp any host 10.125.115.254

access-list 100 permit ip any any

Then apply this ACL to port G1/0/22:

ip access-list 100 out

After that, nothing happen. All of Vlan still ping to DHCP server.

Somebody help me

MHM Cisco World · ‎11-21-2022

Yes but if the VLAN is Server VLAN so the direction must be OUT not IN

NOTE:- you can apply ACL under SVI of VLAN if the inter-VLAN done in SW not in router, if the inter-VLAN done in router then you need to apply ACL in subinterface.

View solution in original post

HenryNguyen89 · ‎11-20-2022

And DHCP server is belong to Vlan 115.

G1/0/22:

switchport mode acc

switchport acc vlan 115

ip access-group 100 out

MHM Cisco World · ‎11-21-2022

This interface is l2 so access list not work here.

Apply acl on subinterface or svi of vlan

HenryNguyen89 · ‎11-21-2022

So you mean i need to apply ACL to Vlan 115?

int vlan 115

ip access-group 100 in

Like this? Right?

MHM Cisco World · ‎11-21-2022

Yes but if the VLAN is Server VLAN so the direction must be OUT not IN

NOTE:- you can apply ACL under SVI of VLAN if the inter-VLAN done in SW not in router, if the inter-VLAN done in router then you need to apply ACL in subinterface.

HenryNguyen89 · ‎11-21-2022

Ok, it work.

Thanks man.

MHM Cisco World · ‎11-21-2022

you are so so welcome

Georg Pauwen · ‎11-21-2022

Hello,

post your zipped Packet Tracer project (.pkt) file...