Core switch ACL question

Answered Question
Feb 8th, 2010

I have a core switch with around 20 vlans connected.  I need to be able to do the following:


1) Permit access from a specific host, to a specific host or subnet.

2) Deny all other traffic from a specific host to any other vlan or subnet.


What is the easiest way to do this? Is there any way other than to apply an ACL to each SVI?

Correct Answer by Jon Marshall about 7 years 3 months ago

jason.fraioli wrote:


I have a core switch with around 20 vlans connected.  I need to be able to do the following:


1) Permit access from a specific host, to a specific host or subnet.

2) Deny all other traffic from a specific host to any other vlan or subnet.


What is the easiest way to do this? Is there any way other than to create an ACL on each SVI?


Jason


You don't need to create an ACL for each SVI, but yes, SVI ACLs are the way to go. So for your example above -


access-list 101  permit ip host 192.168.5.1 host 192.168.6.1

access-list 101  deny ip host 192.168.5.1 192.168.6.0 0.0.0.255

access-list 101 permit ip any any  <-- for all the other hosts on the 192.168.5.x network


int vlan 10 <-- this is the vlan for the 192.168.5.0/24 network

ip access-group 101 in


Jon
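As an added illustration, not part of Jon's answer or the thread, the block below simulates IOS extended-ACL first-match semantics in Python: it parses the three lines of access-list 101 as posted, plus a variant whose deny entry is "host 192.168.5.1 any" (matching the question's second requirement, deny the host to every other VLAN or subnet), and lets you check what each list does for a given source/destination pair. The 192.168.7.0/24 subnet used as "some other VLAN" is an assumption.

```python
# Added example, not from the thread: a minimal simulator of Cisco IOS
# extended-ACL first-match semantics for "permit|deny ip SRC DST" entries.
import ipaddress

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def _matches(spec, ip):
    """Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    addr, wild = spec
    w = int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(ip)) | w) == (int(ipaddress.IPv4Address(addr)) | w)

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines (trailing '<--' notes ignored)."""
    entries = []
    for line in lines:
        tokens = line.split("<--")[0].split()
        assert tokens[0] == "access-list" and tokens[3] == "ip", line
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        entries.append((tokens[2], src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; no match hits the implicit deny at the end."""
    for action, src, dst in entries:
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return action
    return "deny"

# ACL 101 as posted in the answer, applied inbound on the SVI for 192.168.5.0/24.
ACL_ANSWER = parse_acl([
    "access-list 101 permit ip host 192.168.5.1 host 192.168.6.1",
    "access-list 101 deny ip host 192.168.5.1 192.168.6.0 0.0.0.255",
    "access-list 101 permit ip any any  <-- all other hosts on 192.168.5.x",
])
# Variant that also blocks the host from every other VLAN/subnet (the
# 192.168.7.0/24 subnet used in checks is an assumed "some other VLAN").
ACL_STRICT = parse_acl([
    "access-list 101 permit ip host 192.168.5.1 host 192.168.6.1",
    "access-list 101 deny ip host 192.168.5.1 any",
    "access-list 101 permit ip any any",
])
```

Because the list is applied inbound on the VLAN 10 SVI, every packet it evaluates has a 192.168.5.x source; with ACL_ANSWER the host still reaches 192.168.7.1 through the final permit any any, while ACL_STRICT returns deny for it.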
