Question : Cisco VLAN creation and ACLs

I'm working on setting up a terminal server, and I want to isolate it as much as I can from the rest of my network. I have several ways of doing this, but for now I am trying to create a static VLAN on my 6500 switch that I can control with ACLs. And therein is my problem :) I'm not much of a Cisco programmer, I have all of 2 weeks experience with these things. I've managed to figure out how to create a VLAN, activate it, assign it to a port, create ACLs, and assign them to in and outgoing traffic on the VLAN interface. With ACLs in place of ' permit ip any any ' it works fine, and a laptop I have plugged into that port and statically assigned an IP on the VLAN can ping everything on the network. The problem comes when I start to try and restrict traffic; a simple outbound rule like ' permit ip 192.2.2.2 (a theoretical host on the VLAN side) 0.0.0.0 192.1.1.1 0.0.0.0 (theoretical destination host) ' blocks everything ( /16 mask on network and VLAN). I'm trying to figure out what I'm missing... I will post some samples from the config in a post below.

Answer : Cisco VLAN creation and ACLs

The access-list is done from the point-of-view of the Catalyst 6500. So when you put an outbound access-list that means from the switch out through the VLAN interface. When you put an inbound access-list that means from somewhere outside the switch in through the VLAN interface.
If logical interfaces make it more complicated, just think in terms of a regular router that has a Serial or Ethernet interface. If you put an inbound ACL, what would you expect it to block? Traffic going into or out of the router? Into the router... right? So it's the same thing.
For the PIX it's the same thing - ACLs are from the POV of the PIX. And previous to version 7.0 of the PIX code, there were only inbound ACLs. Now they have added outbound too.
I hope this helps.
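A worked configuration illustrating the answer's point, added here as an example and not taken from the poster's config: the VLAN ID 200, the SVI address 192.2.0.1/16 and the ACL names TS-IN/TS-OUT are assumptions, while 192.2.2.2 (VLAN host) and 192.1.1.1 (destination) are the theoretical hosts from the question.

```cisco
! Added illustration, not the poster's config. Assumed: VLAN 200, SVI 192.2.0.1/16,
! ACL names TS-IN / TS-OUT. 192.2.2.2 (VLAN host) and 192.1.1.1 (destination host)
! are the theoretical addresses from the question.
vlan 200
 name TERMSERVER
!
interface Vlan200
 ip address 192.2.0.1 255.255.0.0
 ! "in"  = packets arriving at the switch FROM hosts on VLAN 200 (source is the VLAN host)
 ip access-group TS-IN in
 ! "out" = packets leaving the switch TOWARD hosts on VLAN 200 (destination is the VLAN host)
 ip access-group TS-OUT out
!
! Inbound: the terminal-server side may only talk to the one destination host.
! "host 192.2.2.2" is the same as the "192.2.2.2 0.0.0.0" form used in the question.
ip access-list extended TS-IN
 permit ip host 192.2.2.2 host 192.1.1.1
 deny   ip any any log
!
! Outbound: only the return traffic from that destination host is let back into the VLAN.
! A line "permit ip host 192.2.2.2 host 192.1.1.1" placed here can never match, because
! in the out direction 192.2.2.2 is the destination, not the source; the implicit deny
! at the end of the list then drops everything, including the ping replies (the symptom
! described in the question).
ip access-list extended TS-OUT
 permit ip host 192.1.1.1 host 192.2.2.2
 deny   ip any any log
```

`show ip access-lists TS-OUT` displays the per-entry match counters, which makes a rule that never matches (zero hits while the deny line climbs) obvious.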