I have VLAN500 on a 6509, with a network of 172.17.x.x and I want to apply an extended ACL to allow any host on that VLAN to telnet to a host on VLAN 600 (network 17.16.x.x). So I created the following ACL
Extended IP access list VLAN500
permit tcp any host 172.16.8.53 eq telnet
and added this line to the VLAN500 interface:
ip access-group VLAN500 out
And it didn't work, until I changed the interface statement to:
ip access-group VLAN500 in
And it really doesn't make sense to me that I would have to apply it in. Why wouldn't I apply it out since any host on the local VLAN can telnet out to a host on another VLAN? If anyone can explain this to me, it would be appreciated. Thanks in advance.
Thanks for the reply. I am beginning to understand the concept. One more thing. What is the best way to apply this specific filter? I could write one way and apply OUT or write it another and apply it IN. But I'm not sure which would be best.
The way you are applying is good. Applying to the vlan500 interface will preserve router resources because the action is happening at the entry point itself. Had it been applied to the VLAN 600 in the OUT direction, all these packets would traverse the router all the way up to the VLAN600 interface only to be dropped if those are not from VLAN500.
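An added toy model (not from this thread or from Cisco) of how an SVI applies "ip access-group ... in/out": a packet is checked against the IN ACL of the interface it arrives on and the OUT ACL of the interface it leaves by. It uses the thread's ACL and VLANs; the client address 172.17.1.10, the routing table and the reply's ephemeral port are assumed, and it shows why the OUT binding on VLAN500 broke the session (the server's replies leaving toward VLAN500 never match the permit line).

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class Ace:
    """One access-list entry; src/dst are 'any', a host, or a prefix like '172.17.'
    (a toy stand-in for IOS wildcard masks, not real prefix matching)."""
    action: str
    proto: str
    src: str
    dst: str
    dport: int | None = None

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and (self.src == "any" or p.src.startswith(self.src))
                and (self.dst == "any" or p.dst.startswith(self.dst))
                and (self.dport is None or self.dport == p.dport))

def acl_permits(acl: list[Ace] | None, p: Packet) -> bool:
    """No ACL bound: pass. ACL bound: first match wins, then implicit deny."""
    if acl is None:
        return True
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False

# Constructed routing table: destination prefix -> egress SVI.
ROUTES = {"172.17.": "VLAN500", "172.16.": "VLAN600"}

def forward(bindings: dict[tuple[str, str], list[Ace]], p: Packet, ingress: str) -> bool:
    """bindings maps (SVI, 'in'|'out') -> ACL. Check the 'in' ACL of the SVI the
    packet arrives on, then the 'out' ACL of the SVI it leaves by."""
    egress = next(svi for pfx, svi in ROUTES.items() if p.dst.startswith(pfx))
    return (acl_permits(bindings.get((ingress, "in")), p)
            and acl_permits(bindings.get((egress, "out")), p))

TELNET_ACL = [Ace("permit", "tcp", "any", "172.16.8.53", 23)]  # the thread's ACL
SYN = Packet("172.17.1.10", "172.16.8.53", 23)       # client -> server (client address constructed)
REPLY = Packet("172.16.8.53", "172.17.1.10", 50000)  # server -> client, ephemeral port constructed

def telnet_works(bindings: dict[tuple[str, str], list[Ace]]) -> bool:
    """The session only completes if both directions get through the router."""
    return forward(bindings, SYN, "VLAN500") and forward(bindings, REPLY, "VLAN600")
```

The same model also shows the alternative from the reply above: a source-based ACL bound OUT on VLAN600 permits the session too, but only after the packets have crossed the router.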