Cisco Support Community
Community Member

access list on svi

Hello,

I have 10 vlans created on a 4500 switch. I don't want intervlan communication; ip routing is enabled. I do not want to use private vlans because I want the switch to be in VTP server mode. SVI access lists will be too long to implement for 10 vlans. Is there a simple and shorter way to enable that restriction?

10 REPLIES

Re: access list on svi

If you have routing enabled, and you have several svi's, all of the traffic will be able to traverse every svi on the switch. You'll need to create an acl for every svi that you want to restrict.

You can use inbound or outbound acls depending on what you want to block, but there's not a shortcut unfortunately.

HTH,

John

HTH, John *** Please rate all useful posts ***
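One way to keep the per-SVI ACLs John describes from becoming a typing exercise is to generate them from a VLAN table. This is an added Python example, not from the thread; the VLAN ids and subnets are constructed, VLAN 10 is assumed to be the administrator VLAN, and each ACL is applied inbound on its user VLAN's SVI (permit the admin subnet, deny the other user subnets, route everything else).

```python
from ipaddress import IPv4Network

# Constructed sample addressing (not from the thread): VLAN 10 is the
# administrator VLAN, VLANs 20-100 are user VLANs, ten SVIs in total.
ADMIN_VLAN = 10
VLANS = {vid: IPv4Network(f"10.0.{vid}.0/24") for vid in range(10, 101, 10)}


def wildcard(net: IPv4Network) -> str:
    """Render a network in IOS 'address wildcard' form, e.g. 10.0.20.0 0.0.0.255."""
    return f"{net.network_address} {net.hostmask}"


def build_svi_acl(vlan: int, vlans: dict, admin_vlan: int) -> list:
    """IOS lines for one user VLAN: an extended ACL plus its inbound binding.

    Inbound on the SVI sees traffic leaving the VLAN, so intra-VLAN traffic
    (switched at layer 2) never hits it. Order matters: the admin subnet is
    permitted before the inter-VLAN denies, and the final permit keeps
    routing to anything that is not a user VLAN (servers, default route).
    IOS ACLs are stateless, so the admin permit also carries the replies
    that user hosts send back to the administrator.
    """
    if vlan == admin_vlan:
        return []  # the admin VLAN keeps full reachability; no ACL applied
    name = f"BLOCK-INTERVLAN-{vlan}"
    lines = [f"ip access-list extended {name}",
             f" permit ip any {wildcard(vlans[admin_vlan])}"]
    for other, net in sorted(vlans.items()):
        if other not in (vlan, admin_vlan):
            lines.append(f" deny ip any {wildcard(net)}")
    lines.append(" permit ip any any")
    lines += [f"interface Vlan{vlan}", f" ip access-group {name} in"]
    return lines


def build_all(vlans: dict, admin_vlan: int) -> list:
    """Concatenate the per-SVI configuration for every user VLAN."""
    out = []
    for vid in sorted(vlans):
        out += build_svi_acl(vid, vlans, admin_vlan)
    return out


if __name__ == "__main__":
    print("\n".join(build_all(VLANS, ADMIN_VLAN)))
```

Because the ACL is stateless, the admin permit also lets user hosts initiate connections to the admin subnet; restricting that to admin-initiated sessions needs a stateful device, not an SVI ACL.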
Hall of Fame Super Bronze

Re: access list on svi

Re: access list on svi

Edison,

That's really cool. I'm playing around with it in gns, and it works well.

John

HTH, John *** Please rate all useful posts ***
Purple

Re: access list on svi

If you want no intervlan communication between any vlans, just remove the SVI definitions on the vlans and let it run as a layer 2 switch, though I can't imagine any network that doesn't have to be routed for one reason or another. Do you never have to have devices talk between any of those vlans, or don't they have to be routed anywhere else?

Community Member

Re: access list on svi

In fact the administrator should be able to communicate with any vlans, but users should not. So inter-vlan communication should be enabled on all vlans.

Community Member

Re: access list on svi

You could always take the default gateways off the clients and just use static routes to allow end clients to talk to authorised devices.

Not an elegant way, but would solve your problem.

Community Member

Re: access list on svi

Nice solution, thanks

But

Authorised devices the client should talk to are on the distribution switch and SVIs are created on the distribution switch.

In that case, where will the route be applied? Is it on the access switch or the distribution switch?

Re: access list on svi

Hi

Just to add, if you are going to remove the default gateway from the clients, then make sure that you disable proxy-arp under your SVIs.

Thanks

Mahmood

Community Member

Re: access list on svi

There is no proxy-arp command under svi.

Community Member

Re: access list on svi

Hello,

This will not work because connected routes have an AD of 0 but static routes have an AD of 1, and the switch will use connected routes. With connected routes you need to define a default gateway.
