I want to block the traffic from the vlans 21 and 22 on the vlan 23 without blocking 24 and 29 with an extended access list but nothing happens. I'd like to know what's wrong in my config.
Here's the acl:
Extended IP access list VISITEURS
10 permit ip any 192.168.23.0 0.0.0.255
20 permit ip any 192.168.24.0 0.0.0.255
30 permit ip any 192.168.29.0 0.0.0.255
40 permit icmp any 192.168.23.0 0.0.0.255
50 permit icmp any 192.168.24.0 0.0.0.255
60 permit icmp any 192.168.29.0 0.0.0.255
70 deny ip any 192.168.21.0 0.0.0.255
80 deny ip any 192.168.22.0 0.0.0.255
90 deny icmp any 192.168.22.0 0.0.0.255
100 deny icmp any 192.168.21.0 0.0.0.255
110 permit ip any any
The acl is applied as inbound on the vlan 23
Thanks
Best Answer
If you are applying the extended ACL inbound from VLAN 23, then you are trying to block traffic from VLAN 23 to the router. It also makes no sense to include VLAN 23 addressing in the ACL because the VLAN 23 traffic is delivered directly from host to host on the VLAN, and it doesn't pass through the router.
If you want to block traffic from other VLANs to VLAN 23, then you need an outbound ACL on VLAN 23. The
inandoutkeywords are from the perspective of the router, not the VLAN.In general, you should apply standard ACLs outbound, as close to the destination as possible, and you apply extended ACLs inbound, as close to the source as possible. In this case you could apply the extended ACL at the destination VLAN (23), but you would be unnecessarily routing the traffic from the other VLANs to the VLAN 23 interface. It will work, but it wastes router resources.
Something like:
A better solution is to place the ACL inbound on VLANs 21 and 22 to block traffic to VLAN 23. This will prevent traffic from those VLANs destined to VLAN 23 from being routed at all: