https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10343#M1371 as VLAN-1 is used for uplink, but VLAN-2 and VLAN-3 users should communicate. Tue, 13 Mar 2018 12:52:00 GMT Alok_Shukla 2018-03-13T12:52:00Z https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10338#M1366 We have three VLAN's all are inter-VLAN routing.<BR /> VLAN-1= 10.3.1.0<BR /> VLAN-2= 10.3.2.0<BR /> VLAN-3= 10.3.5.0<BR /> My boss wants to VLAN-2 and 3 should not communicate with VLAN-1, so that's we implement a policy to disable traffic forwarding to VLAN-1.<P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="20de3869ed914b83a5ee46919b85c26d_RackMultipart20180313-123421-13boxvu-policy_inline.jpg"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/529iB9049A81C0E9C956/image-size/large?v=v2&amp;px=999" role="button" title="20de3869ed914b83a5ee46919b85c26d_RackMultipart20180313-123421-13boxvu-policy_inline.jpg" alt="20de3869ed914b83a5ee46919b85c26d_RackMultipart20180313-123421-13boxvu-policy_inline.jpg" /></span></P><BR /> <BR /> After applying this policy over VLAN-1 in ingress direction, VLAN-2 and VLAN-3 is not communicating.<BR /> <BR /> I want VLAN-2 and VLAN-3 Should communicate each other.<BR /> <BR /> Tue, 13 Mar 2018 12:26:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10338#M1366 Alok_Shukla 2018-03-13T12:26:00Z https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10339#M1367 Easier option would be to disable ip forwarding for vlan 1 Tue, 13 Mar 2018 12:52:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10339#M1367 Andre_Brits_Kan 2018-03-13T12:52:00Z https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10340#M1368 usually vlans are used to separate traffic. So from pure switching point and no bad cable based vlan translations they dont see each other. May be you implemented some routing. if so follow the proposal from alok. Tue, 13 Mar 2018 12:52:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10340#M1368 Immo_Wetzel 2018-03-13T12:52:00Z https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10341#M1369 I don't want to disable ipforwarding of vlan-1<BR /> <BR /> Tue, 13 Mar 2018 12:52:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10341#M1369 Alok_Shukla 2018-03-13T12:52:00Z https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10342#M1370 if vlan 1 should not communicate with vlan 2 what are you doing with ip forwarding ? switching will be done anyway or do you talk about an additional uplink ? Tue, 13 Mar 2018 12:52:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10342#M1370 Immo_Wetzel 2018-03-13T12:52:00Z https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10343#M1371 as VLAN-1 is used for uplink, but VLAN-2 and VLAN-3 users should communicate. Tue, 13 Mar 2018 12:52:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10343#M1371 Alok_Shukla 2018-03-13T12:52:00Z https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10344#M1372 dont get you. if vlan 2 and vlan 3 should be able to use the uplink. but the uplink connected hosts should not reach vlan 2 and 3 you need a firewall. if vlan2 and vlan 3 should not reach the uplink just disable ipforwarding for vlan 1 cos there is no need for. Tue, 13 Mar 2018 12:52:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10344#M1372 Immo_Wetzel 2018-03-13T12:52:00Z https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10345#M1373 Hi,<BR /> <BR /> you have:<BR /> <BR /> - VLAN-1= 10.3.1.0/24 <BR /> - VLAN-2= 10.3.2.0/24<BR /> - VLAN-3= 10.3.5.0/24<BR /> <BR /> and you want to block traffic from VLAN-2 to VLAN-1<BR /> then you should apply ACL on VLAN-2 on ingress like bellow:<BR /> <BR /> entry V1_block { if match all {<BR /> destination-address 10.3.1.0/24;<BR /> } then {<BR /> count traffic_to_v1;<BR /> deny;<BR /> }}<BR /> <BR /> Similar example will be for VLAN-3.<BR /> <BR /> --<BR /> Jarek Tue, 13 Mar 2018 17:41:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/acl-applying-over-vlan/m-p/10345#M1373 Jarek 2018-03-13T17:41:00Z