access list on svi

Unanswered Question
May 20th, 2009


I have 10 VLANs created on a 4500 switch. I don't want inter-VLAN communication; IP routing is enabled. I do not want to use private VLANs because I want the switch to be in VTP server mode. SVI access lists will be too long to implement for 10 VLANs. Is there a simple and shorter way to enable that restriction?

John Blakley Wed, 05/20/2009 - 13:43

If you have routing enabled, and you have several SVIs, all of the traffic will be able to traverse every SVI on the switch. You'll need to create an ACL for every SVI that you want to restrict.

You can use inbound or outbound ACLs depending on what you want to block, but there's not a shortcut unfortunately.
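As an added example (not from any poster in this thread), the following Cisco IOS configuration shows how a single extended ACL, written once, can be applied inbound on every user SVI so that users reach only the admin VLAN and the outside while the admin VLAN itself stays unrestricted; the VLAN numbers and addresses are constructed assumptions.

```cisco
! Added example, not from the original thread. Constructed addressing:
! user VLANs 10-19 on 10.0.10.0/24 .. 10.0.19.0/24, admin VLAN 99 on 10.0.99.0/24.
! The ACL is defined once; each user SVI only needs the one ip access-group line.
ip access-list extended USER-VLAN-IN
 remark Users may initiate traffic to the admin VLAN
 permit ip any 10.0.99.0 0.0.0.255
 remark Keep DHCP relay (ip helper-address) on the SVI working
 permit udp any eq bootpc any eq bootps
 remark Block everything else aimed at the other VLANs on this switch
 deny ip any 10.0.0.0 0.0.255.255
 remark Everything else (e.g. the default route towards the outside) is allowed
 permit ip any any
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group USER-VLAN-IN in
!
interface Vlan11
 ip address 10.0.11.1 255.255.255.0
 ip access-group USER-VLAN-IN in
! Repeat only the ip access-group line on Vlan12 .. Vlan19.
! No ACL is applied on Vlan99, so admin hosts can reach every VLAN;
! their replies from user hosts match the first permit and are not blocked.
```

Because the deny line covers the whole 10.0.0.0/16, hosts can no longer ping their own gateway address on the SVI; add a `permit ip any host <gateway>` above the deny on each SVI if that matters to you.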



John Blakley Wed, 05/20/2009 - 16:23


That's really cool. I'm playing around with it in gns, and it works well.


glen.grant Wed, 05/20/2009 - 16:59

If you want no inter-VLAN communication between any VLANs, just remove the SVI definitions on the VLANs and let it run as a layer 2 switch, though I can't imagine any network that doesn't have to be routed for one reason or another. You never have to have devices talk between any of those VLANs, or they don't have to be routed anywhere else?

kolawole1 Fri, 05/22/2009 - 01:30

In fact the administrator should be able to communicate with any VLAN, but users should not. So inter-VLAN communication should be enabled on all VLANs.

cbeswick Fri, 05/22/2009 - 01:58

You could always take the default gateways off the clients and just use static routes to allow end clients to talk to authorised devices.

Not an elegant way, but would solve your problem.

kolawole1 Fri, 05/22/2009 - 07:20

Nice solution, thanks


The authorised devices the clients should talk to are on the distribution switch, and the SVIs are created on the distribution switch.

In that case, where will the route be applied? Is it on the access switch or the distribution switch?

mahmoodmkl Fri, 05/22/2009 - 11:49


Just to add, if you are going to remove the default gateway from the clients, then make sure that you disable proxy ARP under your SVIs.



kolawole1 Fri, 05/22/2009 - 11:45


This will not work because connected routes have an AD of 0 but static routes have an AD of 1, and the switch will use the connected routes. With connected routes you need to define a default gateway.

