Re: Struggle to add ACL to VLAN Interface

infin3ty1988 · ‎08-09-2021

Hi all,

I have a cisco WS-C2960X-24TS-L here with multiple vlans, now i want to isolate one vlan

for example VLAN 12.

I want to configure that only subnet 192.168.1.0/24 can connect to a single host in vlan 12 let's say 192.168.5.1

Does this looks ok?

access-list 101 remark vlan12 access list
permit tcp 192.168.1.0 0.0.0.255 host 192.168.5.1 eq 20256
permit icmp any 192.168.5.1 echo-reply
deny ip any any

interface vlan 12
IP access-group 101

Giuseppe Larosa · ‎08-09-2021

Hello @infin3ty1988 ,

the inbound direction on the SVI interface is that of the packets sent to it from the hosts in the VLAN 12 so if you apply the ACL inbound and 192.168.5.0/24 is the locally connected subnet your ACL needs to be reversed.

access-list 102 permit tcp host 192.168.5.1 eq 20256 192.168.1.0.0.0.0.255

access-list 102 permit icmp host 192.168.5.1 any

access-list 102 deny ip any any

int vlan 12

ip address 192.168.5.X 255.255..255.0

ip access-group 102 in

Hope to help

Giuseppe

paul driver · ‎08-10-2021

Hello
Just like to add the ACL SVI logic
IN-= Traffic originated from within the VLAN
OUT = IN-= Traffic towards the VLAN

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul