I'm pretty sure this is the conclusion I came to several weeks ago and then forgot, but could someone please confirm that ACLs won't work internal to the switch? By that I mean: if I ping, using the switch's PING function, from one VLAN interface to another VLAN interface. ACLs only work on ingress, and that means from devices/hosts physically external to the switch, inbound to the switch. When I ping from diagnostics in the switch from one VLAN to another, there is no ingress, since this is internal to the switch. Although one would think that you're pinging out of one VLAN and "in" to another, that's not considered ingress, since that's an internal ping. It really only confirms that inter-VLAN routing is working and can't be used to test ACLs, since there's no "ingress" taking place. In terms of Cisco ACLs, ingress means inbound from an external device, not inbound to an internal virtual device from another internal virtual device.
So for the physical connection (port) it would be ingress to that port.
For the logical connection (VLAN), it would be ingress to that VLAN.
I do believe it still depends on physical location of the connections as the switch will internally ping any VLAN.
But a device in VLAN 1 trying to ping VLAN 2 with an ACL should fail, but in the same situation a device in VLAN 2 (with the ACL applied) will be able to ping a device in VLAN 1. This would also be consistent with the behavior of a port-based access list.
-Tom Please mark answered for helpful posts
I'm good with the logic of external physical devices, but I keep trying to test VLAN ACLs remotely by pinging from the switch's PING function, from a VLAN interface to another VLAN interface internal to the switch, and it never works. I'm convinced that it's because in this situation there is no INGRESS or EGRESS as it applies to ACLs, just internal routes. For PORT- or VLAN-based ACLs, INGRESS means coming in through a physical hardware port, and when I ping using the switch's PING function to another VLAN interface internal to the switch, I'm clearly not entering or exiting any physical hardware port.
It makes perfect sense once I think about it but I then forget about it and in a couple of weeks try it all over again.
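As an added example (not posted by anyone in the thread), here is a minimal configuration and test plan that shows the difference the posters are describing: a switch-sourced ping that never touches the inbound ACL, beside a host-sourced ping that does. The syntax is Cisco IOS-style (SVI with `ip access-group ... in`); the Cisco Small Business Sx-series switches use different commands for the same binding, so treat the exact keywords as an assumption. The subnets, addresses and ACL name are constructed for the illustration.

```cisco
! Added example, not from the thread. Assumes IOS-style syntax and these
! constructed addresses: VLAN 1 = 192.168.1.0/24 (SVI .1),
! VLAN 2 = 192.168.2.0/24 (SVI .1). Policy: hosts in VLAN 2 may not
! reach VLAN 1; everything else is permitted.
ip access-list extended BLOCK-VLAN2-TO-VLAN1
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip access-group BLOCK-VLAN2-TO-VLAN1 in
!
! Test 1 (does NOT exercise the ACL): a ping the switch generates itself,
! sourced from the Vlan2 SVI. The packet is locally originated, so it never
! ingresses Vlan2 and the inbound ACL is never consulted. A reply here only
! proves that both SVIs are up and inter-VLAN routing works.
!   Switch# ping 192.168.1.1 source 192.168.2.1
!
! Test 2 (DOES exercise the ACL): a host on VLAN 2 pings a host on VLAN 1.
! The echo request arrives on an access port in VLAN 2, is handed to the
! Vlan2 SVI for routing, and is evaluated against the inbound ACL there.
!   host-in-vlan2$ ping -c 3 192.168.1.10        (expect 100% loss)
!
! Verify that the deny entry is actually matching rather than trusting the
! ping result alone (the hit counter on the deny line should grow by 3):
!   Switch# show ip access-lists BLOCK-VLAN2-TO-VLAN1
```

The `show ip access-lists` counter is the check worth keeping: a ping can fail for reasons unrelated to the ACL (host firewall, wrong gateway, missing route), so a rising match count on the specific `deny` line is the only result that proves the ACL, and not something else, dropped the traffic.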