Ethan and Mia

Hi, I am learning CCNA, so I am a newbie on the ACL lab, facing some issue.

We have 2 VLANs on an L3 switch, configuration as below

On L3 switch 

Vlan 10

Vlan 20

And we have 2 PCs

PC1 VLAN10

PC2 VLAN20


What is the command to deny VLAN20 communicating with VLAN10?

But VLAN10 can communicate with VLAN20.

Thank you





3 Replies


You can accomplish this by creating an extended access-list and applying it to the interface that connects the two VLANs. Here's an example of the commands you would use:

  1. Create the access-list:


switch(config)# access-list 100 deny ip [vlan20-network] [wildcard] [vlan10-network] [wildcard]
switch(config)# access-list 100 permit ip any any


This access-list will deny all IP traffic from the VLAN20 network to the VLAN10 network, but allow all other traffic.

  2. Apply the access-list to the interface that connects the two VLANs:


switch(config)# interface [interface-name]
switch(config-if)# ip access-group 100 in


Replace [interface-name] with the name of the interface that connects the two VLANs (e.g. GigabitEthernet0/1).

  3. Verify the access-list is working correctly by trying to ping from PC2 on VLAN20 to PC1 on VLAN10 and vice versa, and check the show access-list command to see if the access-list is hit or not:


switch# show access-list


This will deny communication between VLAN20 and VLAN10 but allow VLAN10 to communicate with VLAN20.

Please rate this and mark as solution/answer, if this resolved your issue
All the best,

Assuming you want two-way communication, @khorram1998's ACL will block that too.

For two-way, you'll need to use a reflexive ACL.


My earlier reply was done on my phone, now, on my PC, I'll elaborate a bit further.

OP has:

"How to command to deny vlan20 to communicate vlan10 ?

But vlan10 can communicate to vlan20."

How do you define communication? Communication can be strictly unidirectional, including on networks, but often, especially on networks, bidirectional traffic is required.

For example, with an ACL like @khorram1998 posted, VLAN 10 could send a UDP packet to VLAN 20, but VLAN 20 cannot send anything to VLAN 10. If this is your goal, what @khorram1998 posted works fine.

But for another example, VLAN 10 wants to send a file to VLAN 20 using tftp. Although tftp itself uses UDP packets, the tftp application does expect its own protocol ACKs that what it sent was actually received. As the ACL @khorram1998 provided blocks all traffic from VLAN 20 to VLAN 10, tftp wouldn't work. Similar issue for FTP and many other protocols.

It's certainly possible, in some but perhaps not all cases, to add ACEs to @khorram1998's ACL allowing for specific kinds of return traffic. Assuming you can do this for the particular protocols you want to support, the ACL can expand, in ACEs, as you support every specific case. Further, the ACL would permit VLAN 20 to initiate traffic that looks like response traffic, but it might not be such traffic.

Perhaps a "better" solution is using a reflexive ACL, as I mentioned in my prior post. In brief, this would allow VLAN 10 to send traffic to VLAN 20 but only accept VLAN 20 traffic if it appears to be in response to something VLAN 10 sent to VLAN 20. VLAN 20, though, would be blocked from sending unexpected traffic to VLAN 10.

Again, much depends on how you need to "communicate".

More info about reflexive ACLs:

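As an added illustration of the two approaches discussed in the replies above (per-protocol return-traffic ACEs versus a reflexive ACL), here is example IOS configuration that is not from the original thread, from either poster, or from the linked document. It assumes constructed addressing of 192.168.10.0/24 for VLAN 10 and 192.168.20.0/24 for VLAN 20, that routed traffic between the VLANs crosses the Vlan20 SVI on the L3 switch, and the ACL names (VLAN20-IN-STATELESS, VLAN10-TO-VLAN20, VLAN20-IN-REFLEXIVE, RETURN-TRAFFIC) are invented for the example.

```cisco
! Constructed example, not from the thread: VLAN 10 = 192.168.10.0/24, VLAN 20 = 192.168.20.0/24.
! Goal: VLAN 10 may initiate traffic to VLAN 20; VLAN 20 may only answer, never initiate.
!
! --- Option A: stateless return-traffic ACEs (the "add ACEs" approach from the reply above) ---
! 'established' matches TCP segments with ACK or RST set. It covers TCP replies only
! (not UDP such as tftp) and trusts the flags, so a VLAN 20 host that sets ACK on a
! packet it originates also matches, which is the weakness the reply above points out.
ip access-list extended VLAN20-IN-STATELESS
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established
 deny   ip  192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip  any any
!
! --- Option B: reflexive ACL (the approach the reply above recommends) ---
! Traffic routed from VLAN 10 toward VLAN 20 leaves the switch on the Vlan20 SVI ("out").
! Each session permitted by the 'reflect' entry creates a temporary mirror entry in
! RETURN-TRAFFIC that expires 120 s after the last matching packet.
ip access-list extended VLAN10-TO-VLAN20
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 reflect RETURN-TRAFFIC timeout 120
 permit ip any any
!
! Traffic from VLAN 20 hosts enters the switch on the Vlan20 SVI ("in"). 'evaluate'
! inserts the mirror entries at this point; anything else toward VLAN 10 is denied.
ip access-list extended VLAN20-IN-REFLEXIVE
 evaluate RETURN-TRAFFIC
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
!
! Apply only one of the two inbound ACLs; Option B is shown applied here.
interface Vlan20
 ip access-group VLAN10-TO-VLAN20 out
 ip access-group VLAN20-IN-REFLEXIVE in
!
! Verification, as suggested in the first reply: ping from PC2 (VLAN 20) to PC1 (VLAN 10)
! should fail, ping from PC1 to PC2 should succeed, and the ACE counters show which line
! matched. The second command lists the temporary mirror entries currently open.
! show access-lists
! show ip access-lists RETURN-TRAFFIC
```

Reflexive ACLs are an IOS software feature; a number of Catalyst L3 switch platforms (and lab simulators) do not accept `reflect`/`evaluate` on routed ACLs, so check the platform's configuration guide before relying on Option B. Option A works anywhere the `established` keyword is accepted, at the cost of the flag-trust and TCP-only limitations noted in the comments.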