Forum Discussion
KimN
Feb 05, 2020Aspirant
Function principle of VLAN ACLs M4100
Hello there, I'm Kim and quite new to networks. Currently I'm working on ACLs on a M4100-50g-POE+ switch for our company network. The setup so far is: Internet router is directly connected to the sw...
JohnC_V
Feb 11, 2020NETGEAR Employee Retired
KimN,
By default, all services are just a passthrough to the switch. That is why there is an ACL for us to allow specific devices or services to pass through and deny everything.
Welcome to our community! :)
Regards,
John
NETGEAR Community Team
KimN
Feb 13, 2020Aspirant
Hi John,
thanks for welcoming me.
Sorry, your answer wasn't helping much. But I think I can point to the source of my problem much more clearly now:
- Port-bound ACLs work as a filter for packets that "leave" the VLAN towards the switch (inbound rules from the switch perspective).
- VLAN-bound ACLs additionally seem to work as a filter for packets coming from the switch "entering" the VLAN (outbound from the switch perspective).
Is this how it works? That would explain the behaviour that I encountered (an ACL that works fine when bound to a port doesn't work as intended when bound to a VLAN). The reason for this being that said ACL only has rules for traffic "leaving" the VLAN but not for traffic "entering" the VLAN.
Oversimplified Example:
x.x.10.1 in VLAN10 wants to reach x.x.20.1 in VLAN20 and wants an answer.
Port bound ACL for VLAN 10:
Permit x.x.10.1 0.0.0.0 x.x.20.1 0.0.0.0
Traffic leaving VLAN10 is controlled (the rule on the switch works inbound) and traffic entering VLAN10, like the answer of the device in VLAN20, is permitted anyway (outbound from the switch).
In a VLAN-bound ACL I would have to add another line so that the answer of the device in VLAN20 is accepted and transferred to the recipient in VLAN10:
Permit x.x.10.1 0.0.0.0 x.x.20.1 0.0.0.0
Permit x.x.20.1 0.0.0.0 x.x.10.1 0.0.0.0
Both traffic from the VLAN to the switch and traffic from the switch to the VLAN need to be explicitly permitted by the ACL, otherwise the answer of 10.10.20.1 won't go through.
Is this how VLAN bound ACLs work?
Best regards,
Kim
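The oversimplified example in the post above, worked through as an added illustration that is not part of the thread and not NETGEAR code: a small stateless ACL evaluator in Python that applies the first-match, implicit-deny semantics of a switch ACL to the request and, optionally, to the reply. The `filter_both_directions` flag models the two readings the post contrasts (port-bound: only the request is inspected; VLAN-bound: the same list is also checked against the reply); whether a given binding on the M4100 really behaves that way is the open question of the thread and is not settled here. The addresses 10.0.10.1 and 10.0.20.1 are constructed stand-ins for x.x.10.1 and x.x.20.1, and the `Rule` fields follow the `permit <src> <src-wildcard> <dst> <dst-wildcard>` shape of the post's rules.

```python
"""Stateless ACL evaluation with first-match, implicit-deny semantics.

Added illustration for the thread above; it is not NETGEAR code and does
not model any particular switch. All addresses are constructed stand-ins.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    """One ACL entry: action plus source/destination with wildcard masks.

    A wildcard mask is the inverse of a netmask: 0 bits must match exactly,
    1 bits are "don't care". 0.0.0.0 therefore means exactly one host and
    0.0.0.255 means a /24.
    """
    action: str      # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def _wild_match(addr: str, base: str, wild: str) -> bool:
    """True if addr equals base on every bit the wildcard mask cares about."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return (a & care) == (b & care)


def evaluate(acl: List[Rule], src: str, dst: str) -> str:
    """Return the action of the first rule matching the flow src -> dst.

    Like a switch ACL, the list ends with an implicit deny: a packet that
    matches no entry is dropped, it is not "permitted anyway".
    """
    for rule in acl:
        if (_wild_match(src, rule.src, rule.src_wild)
                and _wild_match(dst, rule.dst, rule.dst_wild)):
            return rule.action
    return "deny"


def exchange_allowed(acl: List[Rule], client: str, server: str,
                     filter_both_directions: bool) -> bool:
    """Do a request client -> server and its reply server -> client get through?

    filter_both_directions=False models the post's reading of a port-bound ACL
    (only the request is inspected). True models its reading of a VLAN-bound
    ACL, where the reply is inspected by the same stateless list. There is no
    connection tracking: the reply is matched as an independent packet.
    """
    if evaluate(acl, client, server) != "permit":
        return False
    if not filter_both_directions:
        return True
    return evaluate(acl, server, client) == "permit"


# Constructed stand-ins for x.x.10.1 (VLAN 10) and x.x.20.1 (VLAN 20).
HOST_A = "10.0.10.1"
HOST_B = "10.0.20.1"

# The post's one-line ACL: only the A -> B direction is permitted.
ONE_WAY = [Rule("permit", HOST_A, "0.0.0.0", HOST_B, "0.0.0.0")]

# The post's two-line ACL: the reply direction is permitted explicitly.
TWO_WAY = ONE_WAY + [Rule("permit", HOST_B, "0.0.0.0", HOST_A, "0.0.0.0")]


if __name__ == "__main__":
    for name, acl in (("one-way", ONE_WAY), ("two-way", TWO_WAY)):
        for both in (False, True):
            ok = exchange_allowed(acl, HOST_A, HOST_B, both)
            print(f"{name:8s} filter_both_directions={both!s:5s} -> "
                  f"{'exchange works' if ok else 'blocked'}")
```

The practical caveat this makes visible: a switch ACL is a stateless packet filter, so unlike a stateful firewall it never permits a reply just because the request was allowed. Wherever the list is actually evaluated against the return path, the reverse rule (or a broader subnet rule using a wildcard such as 0.0.0.255) has to be present explicitly, and anything not listed falls through to the implicit deny.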