I have a couple of queries about the way ACLs work on Cisco Layer 3 switches... Namely a Cisco 6509 with IOS 12.2(18)
We have a number of VLANs running on the device and after creating a new 'Management' VLAN, we wanted to restrict access to this VLAN so only 2 out of our 20+ other VLANs could access the devices within.
Now, sounds fairly simple to me. BUT, we could only get it to work properly if we denied access form ALL 18 of ther other VLAN interfaces and not by placing a much smaller ACL at the Destination VLAN interface.
Does this make sense? Can anyone tell me if they should work the same as a PIX/Router ACL? Here is an example:
The Management VLAN is VLAN 8 with a network address of 172.17.1.0/24, the ACL is 180. Lets say we want to allow networks 172.23.80.0/24 and 172.19.0.0/16 to access the new VLAN, but NO others.
access-list 180 permit ip 172.23.80.0 0.0.0.255 172.17.1.0 0.0.0.255
access-list 180 permit ip 172.19.0.0 0.0.255.255 172.17.1.0 0.0.0.255
access-list deny ip any any
int vlan 8
ip access-group 180 in
Would this be on the right lines or am i missing something?