Core switch ACL question

Answered Question
Feb 8th, 2010

I have a core switch with around 20 vlans connected.  I need to be able to do the following:

1) Permit access from a specific host, to a specific host or subnet.

2) Deny all other traffic from a specific host to any other vlan or subnet.

What is the easiest way to do this?  Is there anyway other that to apply an ACL to each SVI?

I have this problem too.
0 votes
Correct Answer by Jon Marshall about 6 years 11 months ago

jason.fraioli wrote:

I have a core switch with around 20 vlans connected.  I need to be able to do the following:

1) Permit access from a specific host, to a specific host or subnet.

2) Deny all other traffic from a specific host to any other vlan or subnet.

What is the easiest way to do this?  Is there anyway other that to create an ACL on each SVI?

Jason

You don't need to create an acl for each SVI but yes SVI acls are the way to go. So for your example above -

access-list 101  permit ip host 192.168.5.1 host 192.168.6.1

access-list 101  deny ip host 192.168.5.1 192.168.6.0 0.0.0.255

access-list 101 permit ip any any  <-- for all the other hosts on the 192.168.5.x network

int vlan 10 <-- this is the vlan for the 192.168.5.0/24 network

ip access-group 101 in

Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Jon Marshall Mon, 02/08/2010 - 11:06

jason.fraioli wrote:

I have a core switch with around 20 vlans connected.  I need to be able to do the following:

1) Permit access from a specific host, to a specific host or subnet.

2) Deny all other traffic from a specific host to any other vlan or subnet.

What is the easiest way to do this?  Is there anyway other that to create an ACL on each SVI?

Jason

You don't need to create an acl for each SVI but yes SVI acls are the way to go. So for your example above -

access-list 101  permit ip host 192.168.5.1 host 192.168.6.1

access-list 101  deny ip host 192.168.5.1 192.168.6.0 0.0.0.255

access-list 101 permit ip any any  <-- for all the other hosts on the 192.168.5.x network

int vlan 10 <-- this is the vlan for the 192.168.5.0/24 network

ip access-group 101 in

Jon

Actions

This Discussion

Related Content