Router and Switch ACL

tommyevensen
Level 1

Hello.

I have a quick question.

I have set up a simple extended ACL.

permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

deny ip any any

It is enabled on an SVI interface, IN direction, with IP 10.10.10.1/24.

When I test with a ping from the router to a blocked network using the SVI as the source interface, the ACL is not working.

Example: ping 172.16.1.5 source 10.10.10.1 = success.

Shouldn't this be blocked, and only allow traffic to 192.168.1.0/24?

So my question is: does the ACL not have an effect on the router interface itself, and only on other hosts on the subnet/VLAN? (I think I remember reading about this, but can't find it.)

Thank you.

Accepted Solution

nspasov
Cisco Employee

Hi there, the traffic has to traverse the interface in order for the ACL to be considered. Here is a link to another thread on the forum that explains this very well:

https://supportforums.cisco.com/discussion/12043016/pls-explain-svi-acl-source-and-destination-direction

I hope this helps!

Thank you for rating helpful posts!
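The following is an added worked example (not part of the original thread and not posted by either participant) that turns the answer above into a configuration you can test. It reproduces the two ACL lines from the question as a named ACL and shows which ping actually exercises it. The ACL name VLAN10_IN, the interface name Vlan10, the host address 10.10.10.50 and the destination 192.168.1.10 are assumptions for illustration.

```cisco
! Added example, not from the original thread. VLAN10_IN, Vlan10,
! 10.10.10.50 and 192.168.1.10 are assumed names/addresses.
!
! Named extended ACL equivalent to the two lines in the question.
! "log" on the final deny makes dropped packets visible in the log.
ip access-list extended VLAN10_IN
 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip any any log
!
! Applied inbound on the SVI: the ACL is evaluated only for packets that
! ENTER the Layer 3 interface, i.e. packets sent by hosts in VLAN 10.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group VLAN10_IN in
!
! Test 1 - from a host in VLAN 10 (e.g. 10.10.10.50). Its packets enter
! Vlan10, so the ACL is consulted:
!   host> ping 192.168.1.10     matches the permit line -> succeeds
!   host> ping 172.16.1.5       matches "deny ip any any" -> fails, logged
!
! Test 2 - from the switch itself, sourced from the SVI address. The packet
! is generated locally and never enters Vlan10, so the inbound ACL is never
! consulted and the ping succeeds regardless of the ACL:
!   switch# ping 172.16.1.5 source 10.10.10.1
!
! Verify which test hit the ACL: the match counters increment only for
! Test 1, and the interface shows the inbound ACL binding.
!   switch# show ip access-lists VLAN10_IN
!   switch# show ip interface Vlan10 | include access list
```

The check worth keeping in mind: on Cisco IOS, interface ACLs in either direction do not filter packets the device itself originates, so a router-sourced ping can never prove or disprove an inbound SVI ACL. Test from a host in the VLAN and read the `show ip access-lists` counters instead; if the counters stay at zero for the host test, the ACL is not applied where you think it is.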
