Create An ACL To Allow Unidirectional Communication Between Multiple VLANs

By esupport posted Mar 30, 2020 02:14 PM


How can I create an ACL to allow unidirectional traffic in a VLAN?

I want to create a VLAN that blocks traffic in only one direction.


Issue: Block traffic in the Untrusted VLAN in only one direction.

  1. Allow devices in the Untrusted VLAN to access the Internet.
  2. Do not allow these untrusted devices to communicate with anything else outside their own VLAN.
  3. However, allow devices from all other VLANs to initiate communications with devices in the Untrusted VLAN.


In this example, there will be three VLANs:
VLAN 10 – 192.168.10.x /24 (Server VLAN)
VLAN 20 – 192.168.20.x /24 (Workstations VLAN)
VLAN 30 – 192.168.30.x /24 (Untrusted VLAN)

IP Routing is enabled on the switch to allow all VLANs to communicate with each other.

VLAN 30 (Untrusted VLAN) should only allow traffic to the Internet and cannot access devices in any other VLAN.
All other VLANs (10 and 20) should be able to ping and initiate traffic (such as RDP) to devices in VLAN 30.

To accomplish this, the ACL on VLAN 30 must still permit the reply traffic that VLAN 30 devices send back to sessions initiated from VLANs 10 and 20; otherwise those sessions would be one-way and fail.

  1. Start by creating an extended ACL. Here is an extended ACL called UNTRUSTED which will allow bidirectional traffic that is initiated from VLANs 10 and 20.

    ip access-list extended UNTRUSTED
     permit tcp any any established

  • The keyword “established” at the end of this entry means that TCP sessions initiated from anywhere outside VLAN 30 are permitted, and VLAN 30 devices are allowed to communicate back to the initiator.

  2. Next, allow the devices in VLAN 30 to reply to pings initiated from devices outside their VLAN.

     permit icmp any any echo-reply

  • The “echo-reply” keyword allows devices in VLAN 30 to reply to pings (ICMP echo requests) from outside the VLAN.

  3. Next, deny VLAN 30 traffic from going to the other VLANs. The source and destination fields are written out from the VLAN subnets listed above, using wildcard masks.

     deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
     deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255

  4. Next, allow VLAN 30 traffic to get to the Internet.

     permit ip 192.168.30.0 0.0.0.255 any

  5. Next, deny all other traffic (for additional security).

     deny ip any any

The “UNTRUSTED” ACL should now look like this:

    ip access-list extended UNTRUSTED
     permit tcp any any established
     permit icmp any any echo-reply
     deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
     deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
     permit ip 192.168.30.0 0.0.0.255 any
     deny ip any any

  6. Apply this ACL inbound on VLAN 30.

    interface vlan 30
     ip access-group UNTRUSTED in
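To check that the six entries above, applied inbound on interface vlan 30, enforce the intended direction before pushing them to a switch, here is an added Python simulation (not from the original article or from any switch vendor) that evaluates the ACL first-match against constructed sample packets. The subnet fields are taken from the VLAN list above, and 203.0.113.10 is an assumed Internet address.

```python
import ipaddress

# Entries of the UNTRUSTED ACL in order (first match wins), with the
# source/destination fields filled in from the VLAN subnets in the article.
# flag: "established" = TCP with ACK or RST set (a flag check, not session
# state); "echo-reply" = ICMP type 0; None = no extra condition.
UNTRUSTED = [
    ("permit", "tcp", "any", "any", "established"),
    ("permit", "icmp", "any", "any", "echo-reply"),
    ("deny", "ip", "192.168.30.0/24", "192.168.10.0/24", None),
    ("deny", "ip", "192.168.30.0/24", "192.168.20.0/24", None),
    ("permit", "ip", "192.168.30.0/24", "any", None),
    ("deny", "ip", "any", "any", None),
]

def _in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for one packet entering the switch from VLAN 30.
    pkt: proto ('tcp'/'udp'/'icmp'), src, dst, optional tcp_flags (set) or icmp_type."""
    for action, proto, src, dst, flag in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (_in_net(src, pkt["src"]) and _in_net(dst, pkt["dst"])):
            continue
        if flag == "established" and not (pkt.get("tcp_flags", set()) & {"ACK", "RST"}):
            continue
        if flag == "echo-reply" and pkt.get("icmp_type") != 0:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL

# Constructed sample packets, all as they arrive inbound on interface vlan 30.
SAMPLES = {
    "vlan30_syn_to_server":        {"proto": "tcp", "src": "192.168.30.5", "dst": "192.168.10.5", "tcp_flags": {"SYN"}},
    "vlan30_rdp_reply_to_ws":      {"proto": "tcp", "src": "192.168.30.5", "dst": "192.168.20.7", "tcp_flags": {"ACK"}},
    "vlan30_ping_reply_to_server": {"proto": "icmp", "src": "192.168.30.5", "dst": "192.168.10.5", "icmp_type": 0},
    "vlan30_ping_server":          {"proto": "icmp", "src": "192.168.30.5", "dst": "192.168.10.5", "icmp_type": 8},
    "vlan30_udp_to_server":        {"proto": "udp", "src": "192.168.30.5", "dst": "192.168.10.53"},
    "vlan30_https_to_internet":    {"proto": "tcp", "src": "192.168.30.5", "dst": "203.0.113.10", "tcp_flags": {"SYN"}},
}

def check_policy():
    """Evaluate every sample against the ACL; returns {name: 'permit' | 'deny'}."""
    return {name: evaluate(UNTRUSTED, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{verdict:6} {name}")
```

Note that the `established` check passes any VLAN 30 packet carrying ACK or RST, exactly as the switch does; it does not track whether a session was really opened from VLAN 10 or 20.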
