
access list between three interfaces

Hi,

We have three SVI interfaces on our core switch, and we do not want the hosts on these interfaces to talk to one another.

SVI A : 10.10.5.0/24

SVI B: 10.10.6.0/24

SVI C: 10.10.7.0/24

I believe we should have ACLs on each SVI which deny one another and permit the rest by default.

ip access-list extended SVIA
 deny ip 10.10.5.0 0.0.0.255 10.10.6.0 0.0.0.255
 deny ip 10.10.5.0 0.0.0.255 10.10.7.0 0.0.0.255

ip access-list extended SVIB
 deny ip 10.10.6.0 0.0.0.255 10.10.5.0 0.0.0.255
 deny ip 10.10.6.0 0.0.0.255 10.10.7.0 0.0.0.255

ip access-list extended SVIC
 deny ip 10.10.7.0 0.0.0.255 10.10.5.0 0.0.0.255
 deny ip 10.10.7.0 0.0.0.255 10.10.6.0 0.0.0.255

interface SVI A
 ip access-group SVIA in

interface SVI B
 ip access-group SVIB in

interface SVI C
 ip access-group SVIC in

Is this the correct configuration for achieving it?

Thanks for all help.

1 ACCEPTED SOLUTION


Yes, that's what you need. Don't forget a permit ip any any at the end or you will block all traffic.

Daniel Dib
CCIE #37149

3 REPLIES



Thanks Daniel.

If we need to allow only ping responses between the above SVIs (but still not allow them to actually communicate with each other), how can we do it?

ip access-list extended SVIC
 deny ip 10.10.7.0 0.0.0.255 10.10.5.0 0.0.0.255
 deny ip 10.10.7.0 0.0.0.255 10.10.6.0 0.0.0.255
 permit ip any any

Would putting a permit ip any any take care of this? We want ping from each SVI to the others to work.


Then you need to permit ICMP before the deny ip lines:

ip access-list extended SVIC
 permit icmp 10.10.7.0 0.0.0.255 10.10.5.0 0.0.0.255
 permit icmp 10.10.7.0 0.0.0.255 10.10.6.0 0.0.0.255
 deny ip 10.10.7.0 0.0.0.255 10.10.5.0 0.0.0.255
 deny ip 10.10.7.0 0.0.0.255 10.10.6.0 0.0.0.255
 permit ip any any

Daniel Dib
CCIE #37149

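An added example, not part of the thread: a small Python model of how IOS evaluates an extended ACL (top-down, first match wins, implicit deny at the end), run against the SVIC list from the reply above and against the deny-only SVIC from the original post. The sample flows are constructed; 192.0.2.10 is a placeholder for any destination outside the three subnets.

```python
import ipaddress
def _wildcard_match(addr, base, wildcard):
    """IOS wildcard masks are inverse subnet masks: a 1 bit means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def _parse_addr(tokens):
    """Consume 'any' (0.0.0.0 255.255.255.255) or '<addr> <wildcard>'; return it and the rest."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst>' lines of an IOS extended ACL into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip":  # skip the 'ip access-list extended NAME' header
            continue
        src, rest = _parse_addr(tokens[2:])
        dst, _ = _parse_addr(rest)
        aces.append((tokens[0], tokens[1], src, dst))
    return aces

def evaluate(aces, proto, src, dst):
    """Top-down, first match wins; no match falls through to IOS's implicit deny."""
    for action, ace_proto, (sb, sw), (db, dw) in aces:
        if ace_proto in ("ip", proto) and _wildcard_match(src, sb, sw) and _wildcard_match(dst, db, dw):
            return action
    return "deny"  # the implicit 'deny ip any any' at the end of every IOS ACL

# SVIC as given in the last reply; applied inbound, so the source is a host in 10.10.7.0/24
SVIC_WITH_ICMP = parse_acl("""
ip access-list extended SVIC
permit icmp 10.10.7.0 0.0.0.255 10.10.5.0 0.0.0.255
permit icmp 10.10.7.0 0.0.0.255 10.10.6.0 0.0.0.255
deny ip 10.10.7.0 0.0.0.255 10.10.5.0 0.0.0.255
deny ip 10.10.7.0 0.0.0.255 10.10.6.0 0.0.0.255
permit ip any any
""")
# The original post's SVIC: the two deny lines with no trailing permit
SVIC_DENY_ONLY = parse_acl("""
ip access-list extended SVIC
deny ip 10.10.7.0 0.0.0.255 10.10.5.0 0.0.0.255
deny ip 10.10.7.0 0.0.0.255 10.10.6.0 0.0.0.255
""")

if __name__ == "__main__":  # constructed sample flows from a 10.10.7.0/24 host
    for proto, dst in (("icmp", "10.10.5.20"), ("tcp", "10.10.5.20"), ("tcp", "192.0.2.10")):
        print(proto, dst, evaluate(SVIC_WITH_ICMP, proto, "10.10.7.20", dst), evaluate(SVIC_DENY_ONLY, proto, "10.10.7.20", dst))
```

The last column shows why the reply insists on the trailing permit: with only the two deny lines, even traffic to 192.0.2.10 hits the implicit deny.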