
deny communication in same vlan on 2930M-48G

Occasional Advisor


Hello everybody,

In my network I have 10 VLANs. Host is in VLAN 152 (VLAN IP: ). In this VLAN there are 10 hosts, so they should not have access to other hosts, only with host:

IP routing is enabled on the switch.

I've tried to do that with an ACL, but it doesn't work.

ip access-list extended VL152
# Deny ip host any
# Permit ip host host

Any idea?




Re: deny communication in same vlan on 2930M-48G


The first thing that may be a problem is the order of the ACL rules. The rules are processed top down and as soon as a rule is matched the action is performed and the remaining rules are not evaluated. For this reason you should put more specific rules at the top of the ACL.

In your case you have deny ip host any as the first rule and permit ip host host as the second rule.

The first rule is more general and it catches packets matching the second rule. So if a packet with source IP and destination IP is seen by the switch only the first rule (deny) will be triggered and the packet denied. So you should reverse the order.

You are not writing whether this ACL was applied (ip access-group command) or how it was applied. You can apply it on a physical port or a VLAN, in the inbound or outbound direction. On a VLAN you can apply it to routed or switched traffic. Many things depend on how the ACL was applied.

You should also evaluate whether your ACL should be permitting traffic in both directions or only in one. If you are allowing traffic from A to B, it doesn't mean that traffic from B to A is also allowed. But this also depends on where the ACL is applied and in which direction.

If you want to learn more about the ACLs on the 2930 switches, you can check the Access Security Guide, Chapter 12 Access Control List.

Please note that there may be another way to achieve what you want. You can filter traffic based on port number and not IP addressing. If you have a single host per port this may also be an option, please check in the same manual chapter 25 Source port filter.

I am an HPE employee

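A small first-match evaluator makes the ordering and direction points from this reply concrete. It is added here as an illustration and is not part of the thread or of HPE's code. The addresses in the original post did not survive, so the hosts below are constructed from the 192.0.2.0/24 documentation range; the implicit trailing deny mirrors what ArubaOS-Switch ACLs do, and where the ACL is applied (port, VLAN, direction) is deliberately not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses (the original post's IPs were elided); TEST-NET-1 range.
HOST_A = "192.0.2.10"   # the host that should reach only HOST_B
HOST_B = "192.0.2.20"   # the only permitted peer
OTHER = "192.0.2.30"    # any other host in the same VLAN


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # "any", "host a.b.c.d", or "a.b.c.d/len"
    dst: str


def _match(spec: str, addr: str) -> bool:
    """Does one address match an ACL address specifier?"""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[5:]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl, src: str, dst: str):
    """Top-down, first-match lookup as the reply describes.

    Returns (action, rule_index); rule_index is 1-based, or None when no
    explicit rule matched and the implicit trailing 'deny any any' applied.
    """
    for idx, rule in enumerate(acl, start=1):
        if _match(rule.src, src) and _match(rule.dst, dst):
            return rule.action, idx
    return "deny", None


# The ordering from the original post: the broad deny comes first.
ACL_AS_POSTED = [
    Rule("deny", f"host {HOST_A}", "any"),
    Rule("permit", f"host {HOST_A}", f"host {HOST_B}"),
]

# The ordering the reply recommends: the specific permit comes first.
ACL_REORDERED = [
    Rule("permit", f"host {HOST_A}", f"host {HOST_B}"),
    Rule("deny", f"host {HOST_A}", "any"),
]


def demo():
    """Return the verdicts for the flows the thread talks about."""
    return {
        "posted A->B": evaluate(ACL_AS_POSTED, HOST_A, HOST_B),
        "reordered A->B": evaluate(ACL_REORDERED, HOST_A, HOST_B),
        "reordered A->other": evaluate(ACL_REORDERED, HOST_A, OTHER),
        "reordered B->A": evaluate(ACL_REORDERED, HOST_B, HOST_A),
    }


if __name__ == "__main__":
    for flow, (action, idx) in demo().items():
        where = f"rule {idx}" if idx else "implicit deny"
        print(f"{flow:20s} -> {action} ({where})")
```

The last flow is the direction point: with the reordered ACL, traffic from B back to A matches no explicit rule and falls through to the implicit deny, so the return path needs its own permit unless the ACL is applied somewhere it only ever sees the A-to-B direction.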

Honored Contributor

Re: deny communication in same vlan on 2930M-48G


ACLs are used against traffic routed incoming/outgoing related VLANs (inter-VLANs) and don't apply for traffic among hosts within the very same bad...with VLAN ACL it's possible...eventually document yourself about the alternate Private VLAN technique used to segregate traffic between hosts residing into a particular VLAN.

Have a look here.

I'm not an HPE Employee
Occasional Advisor

Re: deny communication in same vlan on 2930M-48G

Thank you for your reply,

yes, with private VLAN it is OK.

But I'm looking for an easier way. I have tested this ACL and it works.

ip access-list extended "VLin"
10 deny ip 
20 permit ip any any

so in VLAN 152 :

ip access-group VLin vlan-in

I'm waiting to configure and test other things too, and then we'll see. I'll let you know.

thank you again