access list on svi

kolawole1
Level 1

Hello,

I have 10 VLANs created on a 4500 switch. I don't want inter-VLAN communication; IP routing is enabled. I do not want to use private VLANs because I want the switch to be in VTP server mode. SVI access lists will be too long to implement for 10 VLANs. Is there a simple and shorter way to enable that restriction?

10 Replies

John Blakley
VIP Alumni

If you have routing enabled and you have several SVIs, all of the traffic will be able to traverse every SVI on the switch. You'll need to create an ACL for every SVI that you want to restrict.

You can use inbound or outbound ACLs depending on what you want to block, but there's no shortcut, unfortunately.

HTH,

John

HTH, John *** Please rate all useful posts ***
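The per-SVI ACLs John describes, as an added example that is not from any poster in this thread: a small Python generator that emits one inbound extended ACL per user SVI, permitting traffic back to an admin subnet, denying traffic to every other user VLAN, and permitting everything else. The VLAN IDs, the 10.0.x.0/24 subnets and the 10.0.100.0/24 admin subnet are constructed values, and the optional summary route (which collapses the per-VLAN deny lines into one, shortening the list the original poster is worried about) is an extension of the thread's specific case, not something the page itself describes.

```python
# Added example: generates per-SVI inbound ACLs of the kind described in the
# thread. All VLAN IDs and subnets below are constructed values, not from
# any poster's network.
import ipaddress

# Constructed inventory: ten user VLANs and one admin subnet (assumption).
USER_VLANS = {vid: ipaddress.ip_network(f"10.0.{vid}.0/24") for vid in range(10, 20)}
ADMIN_SUBNET = ipaddress.ip_network("10.0.100.0/24")


def wildcard(net):
    """IOS ACLs take 'network wildcard', the inverse of the subnet mask."""
    return f"{net.network_address} {net.hostmask}"


def build_acl(vid, user_vlans, admin_subnet, summary=None):
    """Return the lines of the inbound ACL for SVI Vlan<vid>.

    Inbound on an SVI means traffic sourced by hosts in that VLAN, so:
      1. permit replies to the admin subnet (the admin initiates sessions),
      2. deny traffic to every other user VLAN (or to one summary block),
      3. permit everything else (servers on the distribution layer, internet).
    Using the VLAN's own subnet as the source also drops spoofed sources.
    """
    own = user_vlans[vid]
    lines = [f"ip access-list extended VLAN{vid}-IN",
             f" permit ip {wildcard(own)} {wildcard(admin_subnet)}"]
    if summary is not None:
        # Summary must cover every user VLAN and must not contain the admin
        # subnet, otherwise the single deny would also block admin access.
        if not all(n.subnet_of(summary) for n in user_vlans.values()):
            raise ValueError("summary does not cover all user VLANs")
        if summary.overlaps(admin_subnet):
            raise ValueError("summary must not overlap the admin subnet")
        lines.append(f" deny ip {wildcard(own)} {wildcard(summary)}")
    else:
        for other_vid, other_net in sorted(user_vlans.items()):
            if other_vid != vid:
                lines.append(f" deny ip {wildcard(own)} {wildcard(other_net)}")
    lines.append(" permit ip any any")
    return lines


def build_config(user_vlans=USER_VLANS, admin_subnet=ADMIN_SUBNET, summary=None):
    """Return the full config: one ACL and one access-group per user SVI."""
    out = []
    for vid in sorted(user_vlans):
        out.extend(build_acl(vid, user_vlans, admin_subnet, summary))
        out.append(f"interface Vlan{vid}")
        out.append(f" ip access-group VLAN{vid}-IN in")
    return "\n".join(out)


if __name__ == "__main__":
    # Per-VLAN denies: 10 ACLs with 9 deny lines each.
    print(build_config())
    # Summary form: 10 ACLs with a single deny line each.
    print(build_config(summary=ipaddress.ip_network("10.0.0.0/19")))
```

With ten user VLANs the per-VLAN form produces 90 deny lines across the switch, which is the length problem the question raises; if the user VLANs sit inside one summary block that excludes the admin subnet, the summary form brings each ACL down to three lines while keeping the same policy. The admin SVI itself gets no ACL in either form.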

Edison Ortiz
Hall of Fame

Edison,

That's really cool. I'm playing around with it in GNS, and it works well.

John

HTH, John *** Please rate all useful posts ***

glen.grant
VIP Alumni

If you want no inter-VLAN communication between any VLANs, just remove the SVI definitions on the VLANs and let it run as a layer 2 switch, though I can't imagine any network that doesn't have to be routed for one reason or another. You never have to have devices talk between any of those VLANs, or they don't have to be routed anywhere else?

In fact, the administrator should be able to communicate with any VLAN, but users should not. So inter-VLAN communication should be enabled on all VLANs.

You could always take the default gateways off the clients and just use static routes to allow end clients to talk to authorised devices.

Not an elegant way, but would solve your problem.

Nice solution, thanks

But

The authorised devices the client should talk to are on the distribution switch, and the SVIs are created on the distribution switch.

In that case, where will the route be applied? Is it on the access switch or the distribution switch?

Hi

Just to add: if you are going to remove the default gateway from the clients, then make sure that you disable proxy-ARP under your SVIs.

Thanks

Mahmood

There is no proxy-arp command under an SVI.

Hello,

This will not work because connected routes have an AD of 0 but static routes have an AD of 1, and the switch will use the connected routes. With connected routes you need to define a default gateway.
