I have a PC8132F switch configured with two VLANs:
- VLAN 10 - 10.0.0.0/24
- VLAN 20 - 192.168.0.0/24
IP routing is enabled on the switch and devices on each VLAN communicate with each other as expected. I would like to apply IP ACLs so that VLAN 10 cannot access VLAN 20, but VLAN 20 can access VLAN 10. I've applied an ACL to the switch using the following commands:
access-list vl10 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list vl10 permit ip any any
interface vlan 10
ip access-group vl10
After applying, VLAN 10 is blocked from accessing VLAN 20 as intended, but VLAN 20 also loses access to VLAN 10 because the reply traffic from VLAN 10 is being blocked on return.
I've looked over the CLI Reference Guide, but can't see anything about ACLs supporting stateful/established connections to support reply traffic. Can it be done, and if so, how would I go about achieving it?
Thanks
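To make the failure concrete, here is an added example (not from the post or from Dell's CLI) that models stateless first-match ACL evaluation against the vl10 rules above. It reproduces why VLAN 10's reply packets are dropped and shows what an IOS-style "established" rule (permit TCP segments carrying ACK or RST) would change; whether the PC8132F supports such a keyword is not stated in the post, so its syntax and semantics here are an assumption.

```python
# Added example, not from the original post: a toy model of stateless,
# first-match ACL evaluation. It reproduces why the vl10 ACL drops VLAN 10's
# reply packets and shows the effect of an IOS-style "established" rule
# (permit TCP segments carrying ACK or RST). Whether the PC8132F offers such
# a keyword is not stated in the post; its semantics here are an assumption.
from ipaddress import ip_address, ip_network

ACK, RST, SYN = 0x10, 0x04, 0x02

def wildcard_to_network(addr, wildcard):
    """ACL address/wildcard pair (10.0.0.0 0.0.0.255) -> network; 'any' -> 0/0.
    Assumes a contiguous wildcard, as in the poster's rules."""
    if addr == "any":
        return ip_network("0.0.0.0/0")
    mask = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return ip_network(f"{addr}/{bin(mask).count('1')}")

def rule(action, proto, src, swild, dst, dwild, established=False):
    return (action, proto, wildcard_to_network(src, swild),
            wildcard_to_network(dst, dwild), established)

def evaluate(acl, pkt):
    """Return the action of the first matching rule; implicit deny otherwise."""
    for action, proto, src, dst, established in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if ip_address(pkt["src"]) not in src or ip_address(pkt["dst"]) not in dst:
            continue
        if established and not pkt.get("flags", 0) & (ACK | RST):
            continue  # no ACK/RST: a new connection attempt, keep looking
        return action
    return "deny"

# The poster's ACL, applied inbound on interface vlan 10.
ORIGINAL_ACL = [
    rule("deny", "ip", "10.0.0.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    rule("permit", "ip", "any", "any", "any", "any"),
]
# Same ACL with an established-style permit ahead of the deny (assumed syntax).
ESTABLISHED_ACL = [
    rule("permit", "tcp", "10.0.0.0", "0.0.0.255", "192.168.0.0", "0.0.0.255", True),
    *ORIGINAL_ACL,
]

# Constructed sample packets as seen entering the switch from VLAN 10.
REPLY_TO_VLAN20 = {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.0.7", "flags": SYN | ACK}
NEW_FROM_VLAN10 = {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.0.7", "flags": SYN}
LOCAL_VLAN10 = {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.9"}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("established", ESTABLISHED_ACL)):
        print(name, evaluate(acl, REPLY_TO_VLAN20), evaluate(acl, NEW_FROM_VLAN10))
```

Note that an established-style match only helps TCP: UDP and ICMP replies from VLAN 10 carry no flags to test, so they would still hit the deny and need their own handling.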