
One quick access-list question

Dear all,

I have one quick question. Let's say I created two extended access-lists on a switch and applied one on the VLAN SVI interface and the other on the host interface. Which access-list will take effect?

Example:-

interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
end

interface FastEthernet0/10
 switchport mode access
 switchport access vlan 10
 ip access-group 101 in
 spanning-tree portfast
 spanning-tree bpduguard enable
end

So which access-list will port Fa0/10 follow? Access-list 100 or access-list 101? Or BOTH?

Thanks in advance

Accepted Solutions

Hi,

I think it depends if the traffic is gonna get routed by the SVI or not. If traffic is routed, then first the port ACL will take effect, then the SVI one, but if the traffic is not routed then it will only hit the port ACL.

To verify this you can do sh access-list to see hits or add the log keyword to the ACLs.

Regards.

Alain

Don't forget to rate helpful posts.
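
A small model of the evaluation order described in the answer above, as an added example that is not part of the original thread. The contents of ACL 100 and ACL 101 are constructed (the thread never shows them), the function names are hypothetical, and the model assumes a packet is routed whenever its destination lies outside the Vlan10 subnet.

```python
from ipaddress import ip_address, ip_network

SVI_SUBNET = ip_network("192.168.1.0/24")  # interface Vlan10 from the post

# Constructed ACL contents: (action, source network, destination network).
ACL_101_PORT = [("deny", "192.168.1.50/32", "0.0.0.0/0"),
                ("permit", "0.0.0.0/0", "0.0.0.0/0")]
ACL_100_SVI = [("deny", "0.0.0.0/0", "192.168.1.30/32"),
               ("deny", "0.0.0.0/0", "10.0.0.0/8"),
               ("permit", "0.0.0.0/0", "0.0.0.0/0")]

def acl_permits(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, src_net, dst_net in acl:
        if (ip_address(src) in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net)):
            return action == "permit"
    return False

def ingress_verdict(src, dst):
    """Return (verdict, ACLs consulted) for a packet entering Fa0/10."""
    consulted = ["port ACL 101"]          # the port ACL sees every ingress packet
    if not acl_permits(ACL_101_PORT, src, dst):
        return "dropped by port ACL 101", consulted
    # Assumption: same-subnet destinations are bridged and never reach the SVI.
    # Traffic addressed to the SVI's own IP is not modelled here.
    if ip_address(dst) in SVI_SUBNET:
        return "bridged", consulted
    consulted.append("SVI ACL 100")       # routed traffic is checked a second time
    if not acl_permits(ACL_100_SVI, src, dst):
        return "dropped by SVI ACL 100", consulted
    return "routed", consulted

if __name__ == "__main__":
    samples = [("192.168.1.20", "192.168.1.30"),  # bridged: SVI deny entry never hit
               ("192.168.1.20", "10.1.1.1"),      # routed: passes port ACL, SVI drops
               ("192.168.1.20", "172.16.0.5"),    # routed: both ACLs permit
               ("192.168.1.50", "172.16.0.5")]    # port ACL drops before the SVI
    for src, dst in samples:
        print(f"{src} -> {dst}: {ingress_verdict(src, dst)}")
```

The first sample shows why an SVI ACL alone cannot filter host-to-host traffic inside the VLAN: the deny entry for 192.168.1.30 in ACL 100 is never consulted for bridged packets.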

Dear Alain,

I have tested it out and you're correct: the inbound traffic will first be checked by the port access-list, and if it's permitted then it will be checked by the SVI interface access-list as well, so both ACLs are sort of "combined".

Thanks again
