I am wanting to put a standard ACL on an SVI which "houses" servers, permitting only allowed clients to access them.
For example:
interface Vlan196
ip address 172.16.196.251 255.255.255.0
ip access-group 1 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip pim snooping
ip igmp snooping fast-leave
standby 1 ip 172.16.196.254
standby 1 timers msec 250 msec 750
standby 1 priority 200
standby 1 preempt delay minimum 240
ip access-list standard 1
10 permit 172.16.7.1
20 permit 172.16.67.1
30 permit 22.214.171.124 0.0.0.15
40 deny any log
However, I have tried this and the access list doesn't work. Hosts from other VLANs are still able to ping servers on VLAN 196.
Should the access list be applied outbound? If so, why? This is causing me confusion. I was under the impression that an outbound ACL is for traffic flowing "away" from the interface in an "outbound" direction, i.e. to other subnets, not its own subnet.
Any help would be appreciated.
Like many others, you seem to be confused about the way that the in-direction is interpreted.
IN means coming from VLAN 196, which is not what is required here. Instead, you should create an extended ACL like this:
access-list 101 permit ip 172.16.196.0 0.0.0.255 host 172.16.7.1
access-list 101 permit ip 172.16.196.0 0.0.0.255 host 172.16.67.1
This ACL could then be applied inbound like you are doing now.
Also, I noticed that HSRP is running on the device. That would create a second path via the other HSRP device. Please verify that this is the HSRP-active device, or set the servers' default gateway to the physical IP of this device (.251).
Yes, this will need to be applied outbound.
Assuming the clients you want to allow access to the servers are on 172.16.7.1 and 172.16.67.1 and 126.96.36.199 0.0.0.15, then you would apply it outbound.
If you think of yourself as being IN the router, then when servers send traffic out onto the network, they send it to their default gateway, which is the SVI; therefore this comes to you INBOUND. Vice versa, when clients from another subnet send to servers, it comes to another SVI first, then goes OUTBOUND towards the servers.
The ACL would need to be an extended ACL also, so you can specify the source IPs.
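Both answers turn on which packets an ACL bound to the Vlan196 SVI actually sees. The following Python model is an added illustration, not part of the thread or any vendor code: it takes the standard ACL 1 from the question (the two host entries and the final deny; the obfuscated third entry is left out), applies it "in" and "out" on the Vlan196 SVI, and shows why a client ping still reaches a server when the list is inbound. The server address 172.16.196.10 and the unlisted client 10.0.0.5 are constructed test values.

```python
from ipaddress import ip_address, ip_network

# VLAN 196 from the question: the SVI's own subnet, where the servers live.
SERVER_VLAN = ip_network("172.16.196.0/24")

# Standard ACL 1 from the question as (action, network) pairs. A standard ACL
# tests only the SOURCE address of a packet. "deny any log" is the catch-all.
ACL_1 = [
    ("permit", ip_network("172.16.7.1/32")),
    ("permit", ip_network("172.16.67.1/32")),
    ("deny", ip_network("0.0.0.0/0")),
]


def match_standard_acl(acl, src):
    """First matching entry wins; a list with no match implicitly denies."""
    src = ip_address(src)
    for action, net in acl:
        if src in net:
            return action
    return "deny"


def acl_consulted(direction, src, dst):
    """Is an ACL bound to the Vlan196 SVI in `direction` in this packet's path?

    'in'  = packet entering the router FROM VLAN 196 (source on the VLAN)
    'out' = packet leaving the router INTO VLAN 196 (destination on the VLAN)
    A client-to-server packet enters on the client's SVI, so the Vlan196
    inbound list never sees it; only the outbound list does.
    """
    if direction == "in":
        return ip_address(src) in SERVER_VLAN
    if direction == "out":
        return ip_address(dst) in SERVER_VLAN
    raise ValueError(f"unknown direction {direction!r}")


def forward(direction, acl, src, dst):
    """Return 'permit' or 'deny' for one packet routed via the Vlan196 SVI with
    `acl` applied in `direction`. Packets the list never sees are forwarded."""
    if not acl_consulted(direction, src, dst):
        return "permit"
    return match_standard_acl(acl, src)


def trace(direction, acl, flows):
    """Evaluate a set of (src, dst) flows and return {(src, dst): decision}."""
    return {(src, dst): forward(direction, acl, src, dst) for src, dst in flows}


if __name__ == "__main__":
    # Constructed flows: an allowed client, an unlisted client, and a server reply.
    flows = [
        ("172.16.7.1", "172.16.196.10"),   # listed client -> server
        ("10.0.0.5", "172.16.196.10"),     # unlisted client -> server
        ("172.16.196.10", "172.16.7.1"),   # server -> listed client (reply)
    ]
    for direction in ("in", "out"):
        print(f"ACL 1 applied {direction} on Vlan196:")
        for (src, dst), decision in trace(direction, ACL_1, flows).items():
            print(f"  {src:>15} -> {dst:<15} {decision}")
```

Run as a script, the "in" table shows the question's symptom: the unlisted client is permitted, because its packet never passes the inbound list, while the server's own reply is denied since 172.16.196.10 is not a permitted source. The "out" table is the behaviour the poster wanted: only listed client sources reach the servers.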