https://community.hpe.com/t5/switches-hubs-and-modems/access-list-on-a-vlan-interface-wont-work/m-p/7149630#M34665 <P>I have a core switch "<SPAN>HP 8206"</SPAN> connected through vlan 2 to an isp router which in turn connects me to my branch on subnet 192.168.2.1/24 through an isp router, im trying to control my vlan 1 traffic 192.168.1.1/24 to vlan 2 through an access list on the vlan 1 interface but it simply isn't working even after trying ip access-group acl in,out,vlan please help</P><P>ip access-group extended test<BR />Deny ip 192.168.1.25 255.255.255.255 192.168.2.7 255.255.255.255<BR />Permit ip any any</P><P>vlan 1<BR />name "Server-VLAN"<BR />untagged Trk45<BR />ip address 192.168.1.1 255.255.255.0</P><P>ip access-group test in</P><P><BR />vrrp vrid 1<BR />virtual-ip-address 192.168.1.1<BR />priority 255<BR />enable<BR />exit</P><P>&nbsp;</P> Thu, 23 Sep 2021 15:38:03 GMT dmsman 2021-09-23T15:38:03Z https://community.hpe.com/t5/switches-hubs-and-modems/access-list-on-a-vlan-interface-wont-work/m-p/7149630#M34665 <P>I have a core switch "<SPAN>HP 8206"</SPAN> connected through vlan 2 to an isp router which in turn connects me to my branch on subnet 192.168.2.1/24 through an isp router, im trying to control my vlan 1 traffic 192.168.1.1/24 to vlan 2 through an access list on the vlan 1 interface but it simply isn't working even after trying ip access-group acl in,out,vlan please help</P><P>ip access-group extended test<BR />Deny ip 192.168.1.25 255.255.255.255 192.168.2.7 255.255.255.255<BR />Permit ip any any</P><P>vlan 1<BR />name "Server-VLAN"<BR />untagged Trk45<BR />ip address 192.168.1.1 255.255.255.0</P><P>ip access-group test in</P><P><BR />vrrp vrid 1<BR />virtual-ip-address 192.168.1.1<BR />priority 255<BR />enable<BR />exit</P><P>&nbsp;</P> Thu, 23 Sep 2021 15:38:03 GMT https://community.hpe.com/t5/switches-hubs-and-modems/access-list-on-a-vlan-interface-wont-work/m-p/7149630#M34665 dmsman 2021-09-23T15:38:03Z https://community.hpe.com/t5/switches-hubs-and-modems/access-list-on-a-vlan-interface-wont-work/m-p/7149631#M34666 <P>Hi&nbsp;<a href="https://community.hpe.com/t5/user/viewprofilepage/user-id/2050312">@dmsman</a>&nbsp;!</P><P>This ACL should deny traffic sourced from single IP&nbsp;<SPAN>192.168.1.25 to single IP&nbsp;192.168.2.7, the rest is allowed. Is it really what you need to achieve? Just block IP traffic between those two single IP addresses?</SPAN></P><P>&nbsp;</P> Wed, 22 Sep 2021 05:51:19 GMT https://community.hpe.com/t5/switches-hubs-and-modems/access-list-on-a-vlan-interface-wont-work/m-p/7149631#M34666 Ivan_B 2021-09-22T05:51:19Z https://community.hpe.com/t5/switches-hubs-and-modems/access-list-on-a-vlan-interface-wont-work/m-p/7149641#M34667 <P>no this isn't the full acl this is just an example , the thing is the traffic is stil going as the acl isnt there</P> Wed, 22 Sep 2021 07:43:39 GMT https://community.hpe.com/t5/switches-hubs-and-modems/access-list-on-a-vlan-interface-wont-work/m-p/7149641#M34667 dmsman 2021-09-22T07:43:39Z https://community.hpe.com/t5/switches-hubs-and-modems/access-list-on-a-vlan-interface-wont-work/m-p/7149663#M34668 <P>You need to be sure your hosts in Vlan 1 are using&nbsp;<SPAN>192.168.1.1 as default gateway.</SPAN></P><P><SPAN>Another issue, sorry, I've overlooked it - you are using subnet masks in the ACL while you must use wildcard masks instead:</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">ip access-group extended test Deny ip 192.168.1.25 0.0.0.0 192.168.2.7 0.0.0.0 Permit ip any any</LI-CODE><P>&nbsp;</P><P>Thus, if you want to block the whole subnet and the subnet has /24 mask (255.255.255.0), then the correct wildcard mask will be 0.0.0.255</P><P>&nbsp;</P> Wed, 22 Sep 2021 11:26:59 GMT https://community.hpe.com/t5/switches-hubs-and-modems/access-list-on-a-vlan-interface-wont-work/m-p/7149663#M34668 Ivan_B 2021-09-22T11:26:59Z https://community.hpe.com/t5/switches-hubs-and-modems/access-list-on-a-vlan-interface-wont-work/m-p/7150062#M34672 <P>-please is there a way to find hits on the access list on the vlan when i use access-group in or out? i could only find hits using&nbsp;<EM>show statistics aclv4</EM><SPAN>&nbsp;</SPAN><EM>vlan</EM><SPAN>&nbsp;x&nbsp;</SPAN><EM>vlan</EM></P><P><EM>-what is the difference between access-group in/out/vlan?</EM></P> Sun, 26 Sep 2021 06:01:34 GMT https://community.hpe.com/t5/switches-hubs-and-modems/access-list-on-a-vlan-interface-wont-work/m-p/7150062#M34672 dmsman 2021-09-26T06:01:34Z