access-lists on layer 3 switch

Answered Question
Dec 17th, 2009

Hello,

I am going to be installing some layer three switches. I have a question about how access-lists work in this environment.


Environment:

Single switch, uses VLAN 10. Host1 is connected to port 1 and Host2 is connected to port 2. Both ports are access ports for VLAN 10. Can I put an ACL on VLAN 10 that prevents Host1 from talking to Host2? In other words, does the traffic have to flow from one VLAN to another for the switch to compare it against the ACL?


I am pretty sure that the ACL wouldn't affect the traffic, but I just want to make sure.


Thanks,

Ben

Correct Answer
Jon Marshall Thu, 12/17/2009 - 16:51

benwaldon wrote:


Hello,

I am going to be installing some layer three switches. I have a question about how access-lists work in this environment.

Environment:

Single switch, uses VLAN 10. Host1 is connected to port 1 and Host2 is connected to port 2. Both ports are access ports for VLAN 10. Can I put an ACL on VLAN 10 that prevents Host1 from talking to Host2? In other words, does the traffic have to flow from one VLAN to another for the switch to compare it against the ACL?

I am pretty sure that the ACL wouldn't affect the traffic, but I just want to make sure.


Thanks,

Ben

Ben


An ACL applied to the L3 SVI for VLAN 10 would not affect traffic between hosts in the same VLAN. If you want to limit traffic between hosts in the same VLAN then you need to use a VACL (VLAN ACL).


Jon
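Added example, not part of Jon's post or the original thread: the two configurations his answer contrasts, in Cisco IOS syntax as used on Catalyst switches. The host addresses (10.10.10.11 and 10.10.10.12 in 10.10.10.0/24) and the ACL and access-map names are assumptions for illustration.

```cisco
! Assumed addressing (not from the thread): Host1 = 10.10.10.11,
! Host2 = 10.10.10.12, both in VLAN 10 (10.10.10.0/24).
!
! --- What does NOT block Host1 <-> Host2: a router ACL on the SVI ---
! Frames between two hosts in VLAN 10 are bridged at layer 2 and never
! pass through interface Vlan10, so this ACL is never consulted for them.
! It only filters traffic routed into or out of the VLAN.
ip access-list extended SVI-ACL
 deny   ip host 10.10.10.11 host 10.10.10.12
 permit ip any any
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group SVI-ACL in
!
! --- What does block Host1 <-> Host2: a VLAN access-map (VACL) ---
! A VACL is applied to every packet bridged within the VLAN as well as
! traffic routed into or out of it. In the match ACL, "permit" means
! "this clause matches"; the action decides what happens, so list both
! directions with permit entries rather than using deny.
ip access-list extended HOST1-HOST2
 permit ip host 10.10.10.11 host 10.10.10.12
 permit ip host 10.10.10.12 host 10.10.10.11
!
vlan access-map BLOCK-HOST1-HOST2 10
 match ip address HOST1-HOST2
 action drop
! A VACL drops anything that matches no clause, so a final clause with
! no match statement is needed to forward all other VLAN 10 traffic.
vlan access-map BLOCK-HOST1-HOST2 20
 action forward
!
vlan filter BLOCK-HOST1-HOST2 vlan-list 10
!
! Verify the map and its VLAN binding:
!   show vlan access-map BLOCK-HOST1-HOST2
!   show vlan filter
```

The SVI-ACL block is kept only to show what the original question asked about; on a switch that already has the VACL, it adds nothing for intra-VLAN traffic.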

Benjamin Waldon Thu, 12/17/2009 - 16:58

Ooh, very nice. Thanks!

Do you know of any white papers on virtual ACLs? I will do a search for it too, but if you have it handy, that would be great.

Do virtual ACLs require any specific licensing on the switch or a specific IOS version, etc.?


Thanks,

Ben

Jon Marshall Thu, 12/17/2009 - 17:02

benwaldon wrote:


Ooh, very nice. Thanks!

Do you know of any white papers on virtual ACLs? I will do a search for it too, but if you have it handy, that would be great.

Do virtual ACLs require any specific licensing on the switch or a specific IOS version, etc.?


Thanks,

Ben

Ben


When you say virtual ACLs do you mean VLAN ACLs?


If so you can use the config guides for your relevant switch and there will be examples in there. Presumably you know how to find config docs for your switch?


Jon

Jon Marshall Thu, 12/17/2009 - 17:25

Ben


No problem. Forgot to answer the last question. They should come as standard on your switch, so no special license or specific IOS.


Jon
