Re: Apply ACL on SVI

From: Tony Singh <mothafungla_at_gmail.com>
Date: Mon, 11 Nov 2013 23:06:37 +0000

Agree with Joe

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/swacl.html

One caveat on the 3560s, btw (I know yours is a 4500): because routing is done in hardware and logging in software, you don't always get the correct matches, something that's always got me!

SVI ACLs are applicable to inter-VLAN routing inside a switch in both directions.

VACLs are applicable within the VLAN broadcast domain.

RACLs (physical interfaces) are applicable in both directions.

PACLs beat routed ACLs if both are applied; PACLs are inbound direction only on Catalyst switches.

Feel free to correct me.

--
BR
Tony
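An added example, not from this thread or from Cisco: a small Python model of the SVI ACL direction semantics listed above (a routed packet is checked by the ingress SVI's "in" ACL, then the egress SVI's "out" ACL), applied to Vishal's two office networks further down. VLAN 20 for Office_B, the server 192.168.27.10 and the client 192.168.25.16 are constructed assumptions, and only TCP rules with port matches and `established` are modelled; it shows why a stateless ACL on the SVI needs an `established` line on the return path.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False  # TCP ACK bit: set on every packet after the initial SYN

@dataclass
class Rule:  # one 'permit|deny tcp <src> [eq N] <dst> [eq N] [established]' line
    action: str
    src: str
    dst: str
    sport: int | None = None  # None = any port
    dport: int | None = None
    established: bool = False

def in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)
def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not (in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)):
        return False
    if rule.sport not in (None, pkt.sport) or rule.dport not in (None, pkt.dport):
        return False
    return pkt.ack or not rule.established  # 'established' needs ACK (or RST) set

def acl_permits(acl: list[Rule], pkt: Packet) -> bool:
    hit = next((r for r in acl if rule_matches(r, pkt)), None)  # first match wins
    return hit is not None and hit.action == "permit"  # no match: implicit deny

# Constructed topology: VLAN 10 = Office_A 192.168.25.0/24, VLAN 20 (assumed) = Office_B 192.168.27.0/24
VLAN_NETS = {10: "192.168.25.0/24", 20: "192.168.27.0/24"}
SVI_ACLS = {10: {  # only the VLAN 10 SVI carries ACLs, one per direction
    "in": [Rule("permit", "192.168.25.0/24", "192.168.27.10/32", dport=443)],
    "out": [Rule("permit", "192.168.27.10/32", "192.168.25.0/24", sport=443, established=True)],
}}

def vlan_of(ip: str) -> int:
    return next(v for v, net in VLAN_NETS.items() if in_net(ip, net))
def routed(pkt: Packet) -> str:
    """Check the ingress SVI 'in' ACL, then the egress SVI 'out' ACL, as the switch does."""
    for vlan, direction in ((vlan_of(pkt.src), "in"), (vlan_of(pkt.dst), "out")):
        acl = SVI_ACLS.get(vlan, {}).get(direction)  # no ACL applied: everything passes
        if acl is not None and not acl_permits(acl, pkt):
            return f"denied by vlan {vlan} {direction}"
    return "permitted"
```

Without the `established` keyword on the "out" ACL, a TCP SYN sent by the server from source port 443 would also be permitted into VLAN 10; with it, only replies to connections the clients opened get through.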
> On 11 Nov 2013, at 22:05, Joe Sanchez <marco207p_at_gmail.com> wrote:
> 
> Absolutely, you should be able to apply an ACL to an SVI to block traffic between subnets.
> 
> And have been on every Layer 3 switch I've ever touched since 2001.
> 
> As long as your 4500 switch has a L3 supervisor, you're golden.
> 
> Regards,
> Joe Sanchez
> 
> (Please excuse the brevity and spelling of this email as it was sent via a mobile smart-device.) 
> 
>> On Nov 11, 2013, at 12:09 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>> 
>> So I think you can apply Router ACLs on 4500 switches. Just an FYI, you
>> couldn't do the same on a cat 3650/3750 switches (at least the last time I
>> checked/tried).
>> 
>> Please see below for more information on the cat 4500 switches.
>> 
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/secure.html#wp1050430
>> 
>> HTH
>> 
>> Sadiq
>> 
>> 
>> On Mon, Nov 11, 2013 at 3:43 PM, Vishal Rane <vishal.rane_at_hotmail.co.in> wrote:
>> 
>>> Hi
>>> 
>>> Cisco 4507
>>> version 12.4
>>> 
>>> 
>>> ------------------------------
>>> Date: Mon, 11 Nov 2013 14:34:27 +0000
>>> Subject: Re: Apply ACL on SVI
>>> From: sadiqtanko_at_gmail.com
>>> To: vishal.rane_at_hotmail.co.in
>>> CC: ccielab_at_groupstudy.com
>>> 
>>> Hi Vishal,
>>> 
>>> This is not possible on some Cisco switches. It will be useful if you can
>>> specify the switch hardware and software version.
>>> 
>>> Sadiq
>>> 
>>> 
>>> On Mon, Nov 11, 2013 at 2:19 PM, Vishal Rane <vishal.rane_at_hotmail.co.in> wrote:
>>> 
>>> Hello,
>>> Here is the scenario for an ACL on an SVI.
>>> Please guide me with the right inbound/outbound ACL to apply on the SVI.
>>> 
>>> 
>>> Office_A connects to Office_B on different floors on VLAN 10.
>>> Need to allow inbound and outbound traffic.
>>> Config of Office_A and host:
>>> VLAN
>>> int vlan 10
>>> ip address 192.168.177.254 255.255.255.252
>>> Allow the following hosts to communicate with the hosts of Office_B:
>>> host 192.168.110 port 443
>>> host 192.168.1.16
>>> network 192.168.25.0/24
>>> Network of Office_B
>>> Allow the following hosts to communicate with the hosts of Office_A:
>>> 192.168.100.10  port 443
>>> 1192.168.100.17
>>> 192.168.27.0/24
>>> 
>>> 
>>> Thanks,
>>> Vishal
>>> 
>>> 
>>> Blogs and organic groups at http://www.ccie.net
>>> 
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>> 
>>> --
>>> CCIEx2 (R&S|Sec) #19963
>> 
>> 
>> 
>> -- 
>> CCIEx2 (R&S|Sec) #19963
>> 
Received on Mon Nov 11 2013 - 23:06:37 ART

This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART