Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
679
Views
3
Helpful
4
Replies

access lists on vlans

carl_townshend
Spotlight
Spotlight

‎05-10-2006 06:25 AM - edited ‎03-05-2019 11:53 AM

Is it possible for me to apply access lists on a layer 3 vlan interface on my switch ?

cheers

Labels:
0 Helpful
4 Replies 4

atif.awan
Level 3
Level 3

‎05-10-2006 06:44 AM

Yes it is. You apply an access-list to a logical interface (L3 VLAN is a logical interface also) in the same manner that you would apply it on a physical interface.

brianprice
Level 1
Level 1
In response to atif.awan

‎05-17-2006 06:48 AM

Don't forget to reverse the regress/ingress order. In other words, ACLs on addressable physical interfaces will work in reverse of a VLAN interfaces ACL. Simply reverse the "access-group xxx (IN/OUT)" statement.

Good luck

Brian

0 Helpful

atif.awan
Level 3
Level 3
In response to brianprice

‎05-17-2006 10:05 PM

Brian,

Where did you get this information that 'ACLs on addressable physical interfaces will work in reverse of a VLAN interface ACL'?

When applying an ACL to a logical interface (SVI a.k.a VLAN) you consider it as if you are applying the ACL on a physical routed interface. The direction of the ACL is the same as if we were applying it to the physical interface. For example assume I am going to apply an ACL to prevent packets sourced from VLAN 10 hosts to a.b.c.d. In this particular case I would create an extended ACL matching source as VLAN 10 subnet and destination as a.b.c.d. This ACL will either be applied inbound on VLAN 10 or outbound on the interface that is the exit point towards a.b.c.d. If you reverse the direction (like you say) and apply it outbound on VLAN 10 this ACL will not work as no packets going out of VLAN 10 will have source of VLAN 10 subnet.

0 Helpful

abhishek_nandavat
Level 3
Level 3

‎05-17-2006 08:49 PM

Hi! Carl,

Yes it is very much possible for you to apply access list on L3 VLAN interface.

Refer the following link for the same.

http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00801d616d.html

I hope you find it helpful.

Please rate the post if it helps.

Regards,

Abhishek

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card