ACL on SVI

jagdev.dhaliwal
Level 1

Hi All,

I have two VLANs on a switch with SVIs. One is the Server VLAN (Vlan 10), the other is the User VLAN (Vlan 20). Now I want to just allow SSH/WEB traffic from Server and RST/ACK for outgoing traffic from the Server VLAN.

Please find the config for the VLANs:

Vlan 10

ip add 10.10.10.1  255.255.255.0

Vlan 20

ip add  20.20.20.1 255.255.255.0


ip access-list extended VLAN10-SSH/WEB-IN

permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 22
permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 443

ip access-list extended VLAN10-RST/ACK-OUT

permit tcp any any established

I want to apply them on the server VLAN (Vlan 10):

int vlan 10

ip access-group VLAN10-SSH/WEB-IN -- ?? what should the direction be?

ip access-group VLAN10-RST/ACK-OUT -- ?? what should the direction be?

Thanks in advance

Jagdev

3 Replies

singhaam007
Level 3

Hi Jagdev,

interface vlan 10

ip access-group VLAN10-RST/ACK-OUT

If you think of yourself as being IN the router, then when servers send traffic out onto the network, they send it to their default gateway, which is the SVI; therefore this comes to you INBOUND. And vice versa: when clients from another subnet send to servers, it comes to another SVI first, then goes OUTBOUND towards the servers.

The ACL would need to be an extended ACL also, because you specify the source IPs.

Please rate if this helps.

Thanks

Hi Amrinder,

Thanks for your reply. You mean the direction should be like this:

int vlan 10

ip access-group VLAN10-SSH/WEB-IN -- out

ip access-group VLAN10-RST/ACK-OUT -- in

Thanks

Jagdev

Hi,

Just

ip access-group VLAN10-SSH/WEB-IN -- out

because you are not blocking any incoming traffic.

Thanks
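The direction rule from the replies above (judge "in" and "out" from inside the switch) and the way the two ACLs in the question would evaluate a packet, as an added illustration that is not part of the thread; the ACL entries, addresses and flag sets below are constructed from the question, and the `established` keyword is modelled as "ACK or RST bit set".

```python
import ipaddress

# Added illustration, not from the thread: models SVI ACL direction as seen
# from inside the switch and evaluates the question's two ACLs on a packet.

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any" as address + wildcard

def svi_direction(src_vlan, dst_vlan, svi_vlan):
    """Direction an ACL must take on interface Vlan<svi_vlan> to see this flow."""
    if dst_vlan == svi_vlan and src_vlan != svi_vlan:
        return "out"  # routed by the switch toward hosts on the SVI's VLAN
    if src_vlan == svi_vlan and dst_vlan != svi_vlan:
        return "in"   # hosts on the SVI's VLAN sending to their gateway
    raise ValueError("flow does not cross this SVI")

def wildcard_match(ip, base, wildcard):
    """Cisco wildcard mask: bits set to 1 in the wildcard are don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def ace(src, dst, dport=None, established=False):
    """One permit entry of an extended ACL (tcp only, as in the question)."""
    return {"src": src, "dst": dst, "dport": dport, "established": established}

def acl_permits(acl, pkt):
    """First matching permit wins; no match falls through to the implicit deny."""
    for e in acl:
        if not wildcard_match(pkt["src"], *e["src"]):
            continue
        if not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["dport"] is not None and pkt["dport"] != e["dport"]:
            continue
        # 'established' matches only segments that carry ACK or RST
        if e["established"] and not (pkt["flags"] & {"ACK", "RST"}):
            continue
        return True
    return False

USERS = ("20.20.20.0", "0.0.0.255")
SERVERS = ("10.10.10.0", "0.0.0.255")
VLAN10_SSH_WEB_IN = [ace(USERS, SERVERS, dport=p) for p in (22, 80, 443)]
VLAN10_RST_ACK_OUT = [ace(ANY, ANY, established=True)]

if __name__ == "__main__":
    syn = {"src": "20.20.20.5", "dst": "10.10.10.7", "dport": 22, "flags": {"SYN"}}
    print(svi_direction(20, 10, 10), acl_permits(VLAN10_SSH_WEB_IN, syn))  # out True
```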
