Solved: Re: ACLs in C9500

mk24 · ‎10-12-2021

Hi all,

we'd like to implement ACLs in our C9500 core switches. Could you please help with two (presumably quite easy) questions:

Am I right that in extended ACLs on this switch there is no implicit deny at the end of every ACL? That's at least what it looks like in a short test that I did.
There are several distribution/access switches connected to our core switches. If I apply the ACLs to the vlan interfaces in my L3 core switch: is it necessary to have an ACE in every ACL that allows traffic within the subnet that is used in the respective vlan so end devices within this vlan can communicate to each other? I've seen it in some configs that others have done but I was never sure if it's really needed ... e.g.
permit ip 192.168.100.0 0.0.0.255 192.168.100.0 0.0.0.255

Thanks, BR,

mk24

Giuseppe Larosa · ‎10-12-2021

Hello @mk24 ,

just a question are you going to apply ACLs to the SVI interfaces or you mean VLAN ACL VACLs ?

in first case (SVI) 2) is not needed as intra VLAN traffic does not hit the SVI

and 1) an implicit deny ip any any there should be at the end of the ACL

if you mean VACL 2) intra VLAN traffic needs to be permitited

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎10-12-2021