I have 5 departments, each with its own VLAN, and I want some of them to ping some of them, and only want some of them to ping some of them back. Basically creating a hierarchy of VLANs.
Concretely, I need:

- vlan10 to ping all the other vlans
- vlan20 to ping all the other vlans
- vlan30 to only ping vlan50
- vlan40 to only ping vlan30 and vlan50
- vlan50 to ping none (only its own vlan)

So to let vlan20 ping all the vlans and block vlan30, vlan40, and vlan50 from pinging it back, I did this:

    ip access-list extended BLOCK_ECHO_REQUEST_TO_VLAN20_IN
     remark Block ICMP echo requests to VLAN 20
     deny icmp any 172.16.32.0 0.0.31.255 echo
     remark Permit all other traffic, including ICMP echo reply
     permit ip any any
    !
    interface FastEthernet0/0.3
     description FINANCA VLAN
     ip access-group BLOCK_ECHO_REQUEST_TO_VLAN20_IN in
    !
    interface FastEthernet0/0.4
     description ADMIN VLAN
     ip access-group BLOCK_ECHO_REQUEST_TO_VLAN20_IN in
    !
    interface FastEthernet0/0.5
     description OTHERS VLAN
     ip access-group BLOCK_ECHO_REQUEST_TO_VLAN20_IN in
    !

That works, but now if I want to do the same for vlan10 the first one gets cancelled, and I can still ping from vlan30, 40 and 50 to vlan20.

    ip access-list extended BLOCK_ECHO_REQUEST_TO_VLAN10_IN
     deny icmp any 172.16.0.0 0.0.31.255 echo
     permit ip any any
    !
    interface FastEthernet0/0.3
     description FINANCA VLAN
     ip access-group BLOCK_ECHO_REQUEST_TO_VLAN10_IN in
    !
    interface FastEthernet0/0.4
     description ADMIN VLAN
     ip access-group BLOCK_ECHO_REQUEST_TO_VLAN10_IN in
    !
    interface FastEthernet0/0.5
     description OTHERS VLAN
     ip access-group BLOCK_ECHO_REQUEST_TO_VLAN10_IN in
    !

Switch Configuration

    interface FastEthernet0/1
     switchport access vlan 10
    !
    interface FastEthernet0/2
     switchport access vlan 20
    !
    interface FastEthernet0/3
     switchport access vlan 30
    !
    interface FastEthernet0/4
     switchport access vlan 40
    !
    interface FastEthernet0/5
     switchport access vlan 50
    !
    interface FastEthernet0/6
     switchport mode trunk
    . . . .
    interface Vlan1
     no ip address
     shutdown
    !
    interface Vlan10
     mac-address 0004.9aeb.4a01
     ip address 172.16.0.100 255.255.224.0
    !
    interface Vlan20
     mac-address 0004.9aeb.4a02
     ip address 172.16.32.100 255.255.224.0
    !
    interface Vlan30
     mac-address 0004.9aeb.4a03
     ip address 172.16.64.100 255.255.224.0
    !
    interface Vlan40
     mac-address 0004.9aeb.4a04
     ip address 172.16.96.100 255.255.224.0
    !
    interface Vlan50
     mac-address 0004.9aeb.4a05
     ip address 172.16.128.100 255.255.224.0

Router Configuration
Router Running Config -

    interface FastEthernet0/0
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet0/0.1
     encapsulation dot1Q 10
     ip address 172.16.0.50 255.255.224.0
     ip access-group 1 in
    !
    interface FastEthernet0/0.2
     encapsulation dot1Q 20
     ip address 172.16.32.50 255.255.224.0
     ip access-group 1 in
    !
    interface FastEthernet0/0.3
     encapsulation dot1Q 30
     ip address 172.16.64.50 255.255.224.0
    !
    interface FastEthernet0/0.4
     encapsulation dot1Q 40
     ip address 172.16.96.50 255.255.224.0
    !
    interface FastEthernet0/0.5
     encapsulation dot1Q 50
     ip address 172.16.128.50 255.255.224.0

    no ip access-group 1 in

on those interfaces. Make a different ACL for each of the other interfaces that blocks in the way you want, and assign the ACLs to those interfaces.
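
One way to produce those per-interface ACLs from the ping policy in the question, as an added example that is not part of the original answer: an interface takes only one inbound IP ACL, so all the denies for a source VLAN are merged into a single list. The ACL names (VLANxx_IN) are hypothetical; subinterfaces and networks are the ones shown in the question.

```python
# Added example: derive one inbound ACL per router subinterface from the
# ping policy in the question. ACL names (VLANxx_IN) are hypothetical.

WILDCARD = "0.0.31.255"  # inverse of the /19 mask 255.255.224.0
# VLAN id -> (router subinterface, network address), taken from the question
VLANS = {
    10: ("FastEthernet0/0.1", "172.16.0.0"),
    20: ("FastEthernet0/0.2", "172.16.32.0"),
    30: ("FastEthernet0/0.3", "172.16.64.0"),
    40: ("FastEthernet0/0.4", "172.16.96.0"),
    50: ("FastEthernet0/0.5", "172.16.128.0"),
}
# Source VLAN -> VLANs it may send echo requests to (policy from the question)
MAY_PING = {
    10: {20, 30, 40, 50},
    20: {10, 30, 40, 50},
    30: {50},
    40: {30, 50},
    50: set(),
}

def denied_targets(src):
    """VLANs that src must not be able to ping, in ascending order."""
    return sorted(v for v in VLANS if v != src and v not in MAY_PING[src])

def build_acl(src):
    """Return IOS lines for the single inbound ACL on src's subinterface."""
    targets = denied_targets(src)
    if not targets:
        return []  # unrestricted VLAN: no ACL needed
    name = f"VLAN{src}_IN"
    lines = [f"ip access-list extended {name}"]
    for dst in targets:
        # Deny only echo requests, so replies to permitted pings still pass
        lines.append(f" deny icmp any {VLANS[dst][1]} {WILDCARD} echo")
    lines += [" permit ip any any", "!",
              f"interface {VLANS[src][0]}",
              f" ip access-group {name} in", "!"]
    return lines

def build_config():
    """Concatenate the ACL and interface stanzas for every restricted VLAN."""
    return [line for src in sorted(VLANS) for line in build_acl(src)]

if __name__ == "__main__":
    print("\n".join(build_config()))
```
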