I have a network based on (mostly) C3560G switches using L3 and OSPF everywhere except at the access ports where servers are connected. I was planning to use ACLs to restrict packet flow through the router part of the switches. I don't care about the packet flow in the L2 VLANs.
I was planning on dumping the unwanted packets based on source IP address, and dumping them at the destination network (entry point at the destination network). I have several networks (IP interfaces) configured at each access switch, and the ACLs are access-group'ed to the (SVI) interfaces on the access switches.
I have attached a sample configuration (from a C3550); the Gigabit interfaces are the L3 uplinks configured with OSPF.
I have 2 questions, if anyone can be so kind as to explain :)
1) The ACLs need to be "ip access-group xx out" to be working in the "inbound" direction when applied to an SVI? This goes beyond my logic. Can anyone tell me why?
2) The ACL at interface Vlan102 is not working: a host with IP 10.7.0.2 using 10.7.0.1 as gateway has full access to a host with IP 10.16.2.2. (The aim was to discard the packet if it doesn't match the ACL, and so I was expecting the reply packet from 10.16.2.2 to be discarded, but it doesn't get discarded.)
The ACLs at VLANs 103 and 104 are functioning as needed, dropping packets from networks not matching the ACL (e.g. 10.16.2.2).
Has anybody found the holy grail on these issues?
Thanks in advance (I cannot figure out what is wrong here).
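The two directions of a router ACL on an SVI in Cisco IOS, shown with the addresses from the question as an added example (this is not the poster's attached configuration); the ACL names and the /24 masks are assumptions:

```cisco
! Assumed for this example: VLAN 102 hosts live in 10.7.0.0/24,
! the server being reached lives in 10.16.2.0/24.
ip access-list extended V102-FROM-HOSTS
 remark Evaluated for packets that hosts in VLAN 102 send INTO the router
 permit ip 10.7.0.0 0.0.0.255 10.16.2.0 0.0.0.255
 deny   ip any any
!
ip access-list extended V102-TO-HOSTS
 remark Evaluated for packets the router sends OUT of the SVI toward VLAN 102 hosts
 permit ip 10.16.2.0 0.0.0.255 10.7.0.0 0.0.0.255
 deny   ip any any
!
interface Vlan102
 ip address 10.7.0.1 255.255.255.0
 ! "in"  = entering the routing engine from the VLAN, e.g. 10.7.0.2 -> 10.16.2.2
 ip access-group V102-FROM-HOSTS in
 ! "out" = leaving the routing engine toward the VLAN, e.g. the reply 10.16.2.2 -> 10.7.0.2
 ip access-group V102-TO-HOSTS out
```

Both directions are named from the point of view of the SVI as a router interface, not from the point of view of the hosts, so a reply from 10.16.2.2 to 10.7.0.2 is matched by the "out" ACL. Router ACLs on an SVI are only evaluated for traffic the switch routes through that interface; frames bridged between two ports in the same VLAN are not checked by them.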