
VLAN ACLs not working


My VLAN access lists no longer work. Initially, they did, but now they have no effect.


The setup is on a 3750X and looks like this:

VLAN 300

IP address

ip access-group V3S out



ip access-list standard V3S

1 permit

2 permit

10 deny

50 permit any


The logic is that .23 and .24 are admin IP and will always be allowed.

Everyone is by default allowed except when required to be denied (like the case entry 10).

Problem is that the ACL has no effect. .33 is not denied, although matches are shown on V3S. .33 still has full access anywhere.


So what is wrong here?


I have tested this with VLAN MAP and it works, but I am just wondering if the simple method above should have worked too, or is it mandatory to use the MAP system on VLANs?


Elliott Willink

Without knowing how you are testing or what you are trying to access as far as traffic egressing the vlan, what you are trying to achieve here is block traffic on Vlan300 from communicating with anything outside of it - What you want to do is apply your access-list inbound to Vlan300.  The one thing that is certain is that any host on Vlan 300, if it wants to communicate outside the vlan, will need to come in to the router on the interface Vlan300.

Flip the access-group to be an access-group V3S in and you should be good to go.


Hello Elliott.

It was inbound and I have changed it to outbound exactly because it did not work correctly.


Marshall, I am trying to deny certain IPs to enter the network (the specific VLAN and further on).


I tested both methods: inbound, that in theory should have denied the IPs from going into the VLAN, and outbound - letting them into the VLAN but not further - both did not work.


As for extended MAC ACLs - I tried that and it does not support line numbering so it prevents me from doing what I want. So if I deny MAC 1, MAC 2 and then permit the rest and later on want to add another MAC I will have to re-write the whole ACL.

P.S. I need those 2 because it is possible to be necessary to deny groups of hosts of all of them (.0 /.255) and device access is currently done through this VLAN so denying all would prevent me from accessing it if the 2 admin IPs are not there at the start of the list. 

I don't know whether it will make a difference but I have always used extended acls for this sort of thing.

Try changing your acl to an extended one and then apply inbound and see if it works.


There's nothing else in the cfg that would interfere.

It is the only ACL in it.


Could try extended IP ACL, but does that offer me line numbers or will it act like the MAC extended?

It should give you the option of line numbers using a named extended acl.

If that doesn't work then there must be something else going on.


Can you post the whole config? It is a relatively straight-forward ACL so maybe there is something else going on.

Jon Marshall
VIP Community Legend

Not sure what you are trying to do.

Are you trying to control which IP subnets can be accessed from the 10.11.12.x devices?

Edit - I agree with Elliott (just seen his post).

Also you don't need permits for the specific hosts if you are permitting any at the end of your acl.

Finally, it is personal preference but I always use extended acls for this kind of thing.
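
Added example, not part of any post in this thread: a named extended IP ACL with sequence numbers, applied inbound on the SVI as the replies suggest. The ACL name V3S-EXT and the 192.0.2.0/24 addresses are constructed placeholders, since the thread's own addresses are not shown.

```cisco
! Constructed placeholder addresses (192.0.2.0/24); the ACL name V3S-EXT is hypothetical.
ip access-list extended V3S-EXT
 ! Admin hosts first, so a later subnet-wide deny cannot lock them out
 1 permit ip host 192.0.2.23 any
 2 permit ip host 192.0.2.24 any
 ! Host to be blocked
 10 deny ip host 192.0.2.33 any
 ! Everyone else is allowed
 50 permit ip any any
!
interface Vlan300
 ! Filters routed traffic that VLAN 300 hosts send in to the SVI
 ip access-group V3S-EXT in
!
! Adding another host later without rewriting the list:
! re-enter the named ACL and use an unused sequence number
ip access-list extended V3S-EXT
 20 deny ip host 192.0.2.34 any
!
! Verify entry order and per-entry match counters (exec mode):
! show ip access-lists V3S-EXT
```

A router ACL on an SVI only sees traffic that is routed through that interface; traffic between hosts inside VLAN 300 is bridged, and filtering it takes a VLAN map.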


