VACL filtering on the same VLAN...again

  • 1.  VACL filtering on the same VLAN...again

    Posted Aug 12, 2022 07:52 AM
    Okay, I have the same problem as in this thread on a 2930f with 16.11.0005:

    VACL filtering within same VLAN

    So I have this ACL
    ip access-list extended "notworking"
         10 deny ip log
         11 deny ip log
         20 deny ip log
         30 deny ip log
         31 deny ip log
         32 deny ip log
         99 permit ip

    and it's applied to the VLAN with scope

    vlan 22
    ip access-group "notworking" in

    I even added row 20 for sh*ts and giggles (I have a client on that vlan on the switch with ip, but I can still ping between clients on that vlan,

    Without the ACL the clients on that switch in that vlan can ping everything freely. With the ACL they can no longer ping anything else on the other vlans now (nor the other internal addresses in the ACL, as intended). They can't even ping the gateway for that vlan (, which is also fine, because everything seems to work anyway. But what has me totally boggled is that the clients can still freely ping each other, including to and from the client on
    Same result when I apply the ACL to out, and both in/out.

    So what am I missing?

    The switch has routing enabled and routes all other traffic to the ISP router (so just the one row "ip route [isp router ip]").

  • 2.  RE: VACL filtering on the same VLAN...again
    Best Answer

    Posted Aug 12, 2022 09:22 AM

    This ACL is applied as a routed ACL (in) at the moment, and it will only filter routed traffic. That means traffic with source in VLAN 22 and destination in other VLANs.

    vlan 22
    ip access-group "notworking" in

    In order for the ACL to filter routed as well as switched traffic, it has to be applied as a VACL with the keyword "vlan-in":

    vlan 22
    ip access-group "notworking" vlan-in

    It seems you have tested the options in/out but don't mention vlan-in. Is this option not available in the CLI?
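
    Added example, not from either poster's configuration: the same ACL written out with constructed addresses and applied both ways, so the difference in filtering scope between "in" and "vlan-in" is visible in one place. The subnet 10.22.0.0/24 for VLAN 22, the gateway 10.22.0.1, and the other internal networks 10.10.0.0/24 and 10.30.0.0/24 are made-up values; only the VLAN number, the ACL name and the in / vlan-in keywords come from the thread.

```text
; Constructed example for an ArubaOS-Switch (2930F class) CLI; all addresses are made up.
; VLAN 22 = 10.22.0.0/24 with the switch as gateway 10.22.0.1; 10.10.0.0/24 and
; 10.30.0.0/24 stand in for the "other internal addresses" mentioned in the thread.
ip access-list extended "notworking"
     10 deny ip 10.22.0.0/24 10.22.0.0/24 log      ; client-to-client inside VLAN 22
     20 deny ip 10.22.0.0/24 10.10.0.0/24 log      ; VLAN 22 -> another internal network
     30 deny ip 10.22.0.0/24 10.30.0.0/24 log
     99 permit ip any any                          ; everything else (e.g. toward the ISP router)
   exit

; Routed ACL (RACL): only packets that leave VLAN 22 through the switch's routing
; engine are matched. Entry 10 never sees a packet, because client-to-client
; traffic within the same VLAN is switched, not routed. This is the behaviour
; the original poster observed: other VLANs blocked, peers still reachable.
vlan 22
   ip access-group "notworking" in
   exit

; VLAN ACL (VACL): every packet that enters the switch on VLAN 22 is matched,
; whether it is then switched within the VLAN or routed out of it.
; With this, entry 10 also drops the client-to-client pings.
vlan 22
   no ip access-group "notworking" in
   ip access-group "notworking" vlan-in
   exit
```

    One limit to keep in mind when verifying the result: a VACL only filters frames that actually enter this switch on VLAN 22. Two clients hanging off the same downstream unmanaged switch still reach each other without the traffic ever being seen here, so a ping between them is not evidence that the VACL is wrong.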

  • 3.  RE: VACL filtering on the same VLAN...again

    Posted Aug 12, 2022 09:32 AM
    Oh my god. I saw vlan-in being mentioned in the other thread, but thought it was an older version of "in". I suspected it might be something related to the internal routing, but have not managed to find any info on the subject (and not seen / missed the mentions of vlan-in) in the references I did google up.

    I can't believe I've missed it in the tab completions though!
    Thank you very much!!!