ACL (SVI)

Answered Question
Jan 26th, 2009

Can you advise how to set up the below ACL on a layer 3 switch?

Requirement:

1. Block all telnet and ssh traffic in/out of VLAN 100

2. permit all other traffic

interface vlan 100
ip address 10.201.144.2 255.255.255.0

Correct Answer by Jon Marshall (Mon, 01/26/2009 - 09:08)

Colm

access-list 101 deny tcp any 10.201.144.0 0.0.0.255 eq 22
access-list 101 deny tcp any 10.201.144.0 0.0.0.255 eq 23
access-list 101 permit ip any 10.201.144.0 0.0.0.255

access-list 102 deny tcp 10.201.144.0 0.0.0.255 any eq 22
access-list 102 deny tcp 10.201.144.0 0.0.0.255 any eq 23
access-list 102 permit ip 10.201.144.0 0.0.0.255 any

interface vlan 100
ip access-group 101 out
ip access-group 102 in

The direction they are applied in may look a bit counterintuitive, but remember:

1) inbound on an SVI is traffic coming from that subnet

2) outbound on SVI is traffic going to that subnet

Jon


cisco_lite Sun, 02/08/2009 - 07:15

Is it necessary to define and apply an outbound ACL if an inbound ACL is already applied to the SVI?

Jon Marshall Mon, 02/09/2009 - 09:40

It depends on what you are trying to do.

vlan 10 = 192.168.5.0/24

access-list 101 deny tcp 192.168.5.0 0.0.0.255 any eq 23
access-list 101 permit ip 192.168.5.0 0.0.0.255 any

int vlan 10
ip address 192.168.5.1 255.255.255.0
ip access-group 101 in

So the above config does 2 things:

1) It stops any machine on vlan 10 initiating a telnet connection to any machine on another subnet.

2) It then allows all traffic from any machine on vlan 10 to any other machine. All traffic is any IP traffic other than telnet.

What this access-list does not do is stop any machine on any subnet (other than vlan 10) initiating a telnet connection to machines in vlan 10. If you wanted to do that:

access-list 102 deny tcp any 192.168.5.0 0.0.0.255 eq 23
access-list 102 permit ip any 192.168.5.0 0.0.0.255

int vlan 10
ip access-group 102 out

So it entirely depends on what traffic you are trying to restrict and in which direction.

Jon
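To make the direction rule from both of Jon's replies concrete, here is an added Python model (not code from the thread, and not a Cisco tool) that parses the extended ACL lines posted for VLAN 100 and applies them with SVI semantics: the "in" ACL sees packets sourced from the VLAN's subnet (and packets addressed to the SVI's own address), the "out" ACL sees packets routed into the subnet, and same-subnet traffic is switched at layer 2 without ever touching the SVI. It runs the same flows once with both ACLs applied and once with only the inbound ACL, which is the case cisco_lite asked about. The sample flows, the 192.0.2.0/24 "other subnet" and the use of 10.201.144.2 as the switch's own address are constructed inputs; contiguous wildcard masks and the small ACL syntax subset used in the thread are assumed.

```python
"""Model of IOS extended ACLs applied to an SVI (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str                    # source IPv4 address
    dst: str                    # destination IPv4 address
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # from "eq <port>", else None


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A wildcard mask is the bitwise inverse of a subnet mask (contiguous masks assumed).
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((tok, netmask), strict=False), i + 2


def parse_acls(config: str) -> dict:
    """Collect 'access-list <n> <action> <proto> <src> <dst> [eq <port>]' lines, in order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list":
            continue
        number, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        acls.setdefault(number, []).append(Ace(action, proto, src, dst, dport))
    return acls


def _matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(aces, pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace.action
    return "deny"


def svi_verdict(acls: dict, groups: dict, subnet: str, svi_ip: str, pkt: Packet):
    """Return (direction, verdict). groups maps "in"/"out" to an ACL number,
    mirroring 'ip access-group <n> in|out'; a direction with no ACL is unfiltered."""
    net = ipaddress.ip_network(subnet)
    src_in = ipaddress.ip_address(pkt.src) in net
    dst_in = ipaddress.ip_address(pkt.dst) in net
    if pkt.dst == svi_ip:
        direction = "in"        # traffic to the switch itself is checked by the inbound ACL
    elif src_in and dst_in:
        return "l2-switched", "unfiltered"   # same subnet: never reaches the SVI
    elif src_in:
        direction = "in"        # leaving the VLAN through the SVI
    elif dst_in:
        direction = "out"       # being routed into the VLAN
    else:
        return "not-this-svi", "unfiltered"
    number = groups.get(direction)
    return direction, "permit" if number is None else evaluate(acls.get(number, []), pkt)


# Jon's ACLs for VLAN 100 (10.201.144.0/24), copied from the accepted answer.
VLAN100_CONFIG = """
access-list 101 deny tcp any 10.201.144.0 0.0.0.255 eq 22
access-list 101 deny tcp any 10.201.144.0 0.0.0.255 eq 23
access-list 101 permit ip any 10.201.144.0 0.0.0.255
access-list 102 deny tcp 10.201.144.0 0.0.0.255 any eq 22
access-list 102 deny tcp 10.201.144.0 0.0.0.255 any eq 23
access-list 102 permit ip 10.201.144.0 0.0.0.255 any
"""
VLAN100_SUBNET, VLAN100_SVI = "10.201.144.0/24", "10.201.144.2"
BOTH_DIRECTIONS = {"in": "102", "out": "101"}   # as applied in the accepted answer
INBOUND_ONLY = {"in": "102"}                     # the case cisco_lite asked about

# Constructed sample flows; 192.0.2.0/24 stands in for "another subnet".
FLOWS = {
    "ssh out of vlan":   Packet("tcp", "10.201.144.50", "192.0.2.10", 22),
    "http out of vlan":  Packet("tcp", "10.201.144.50", "192.0.2.10", 80),
    "telnet into vlan":  Packet("tcp", "192.0.2.10", "10.201.144.50", 23),
    "dns into vlan":     Packet("udp", "192.0.2.10", "10.201.144.50", 53),
    "ssh within vlan":   Packet("tcp", "10.201.144.50", "10.201.144.60", 22),
    "ssh to the switch": Packet("tcp", "10.201.144.50", VLAN100_SVI, 22),
}


def run(groups: dict) -> dict:
    acls = parse_acls(VLAN100_CONFIG)
    return {n: svi_verdict(acls, groups, VLAN100_SUBNET, VLAN100_SVI, p) for n, p in FLOWS.items()}


if __name__ == "__main__":
    for label, groups in (("both ACLs", BOTH_DIRECTIONS), ("inbound only", INBOUND_ONLY)):
        print(f"--- {label} ---")
        for name, (direction, verdict) in run(groups).items():
            print(f"{name:18} {direction:13} {verdict}")
```

Running it shows the two answers side by side: with both ACLs, SSH out of the VLAN and telnet into it are denied while HTTP and DNS pass; with only ACL 102 inbound, telnet from another subnet into VLAN 100 is simply not filtered, which is why Jon says the outbound ACL is needed only if that direction matters. Two limits the model makes visible are worth checking in a real design: SSH between two hosts on VLAN 100 never touches the SVI, so no SVI ACL can stop it, and the inbound ACL also governs SSH from VLAN 100 hosts to the switch's own SVI address, so ACL 102 as written cuts off in-VLAN management of the switch on that interface.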
