Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6043
Views
1
Helpful
1
Replies

Applying an ACL to an SVI - which direction is 'in'?

Go to solution
jkeeffe
Level 2
Level 2

‎09-28-2011 09:41 AM - edited ‎03-07-2019 02:29 AM

I have a vlan 910 with 10.2.2.1/25 applied to it's SVI. With an ACL I want to only allow certain hosts to connect to anything within vlan 910. For instance:

I want to:

permit all hosts on 10.3.3.0/25 to communicate with hosts on vlan 910

permit host 10.10.10.12 to do snmp to host on vlan 910

permit host 10.10.20.15 to anyswer DNS requests from hosts on vlan 910

deny all other IP traffic into vlan 910

access-list 100 permit ip 10.3.3.0 0.0.0.127 10.2.2.0 0.0.0.127

access-list 100 permit udp host 10.10.10.12 10.2.2.0 0.0.0.127 eq snmp

access-list 100 permit tcp host 10.10.20.15 10.2.2.0 0.0.0.127 eq domain

access-list 100 deny all

Do I apply this ACL to vlan 910 in or out?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎09-28-2011 09:55 AM

Hello,

You will apply that ACL in the out direction on the intefrace Vlan 910. Think of the "interface Vlan 910" as the router's interface that connects it to the network. If it was a normal interface, say, Fa0/0, you would put the ACL in the out direction quite naturally. With SVIs, only the name has changed but the flow directions have remained - the out direction is everything that flows into the VLAN 910 after being routed to it, the in direction is everything that flows from the VLAN 910 into your router, possibly being routed elsewhere. The directions on SVIs are always given from the perspective of the multilayer switch itself - out is traffic flowing out, towards the VLAN, while in is the traffic flowing in, from the VLAN.

Best regards,

Peter

View solution in original post

1 Reply 1

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎09-28-2011 09:55 AM

Hello,

You will apply that ACL in the out direction on the intefrace Vlan 910. Think of the "interface Vlan 910" as the router's interface that connects it to the network. If it was a normal interface, say, Fa0/0, you would put the ACL in the out direction quite naturally. With SVIs, only the name has changed but the flow directions have remained - the out direction is everything that flows into the VLAN 910 after being routed to it, the in direction is everything that flows from the VLAN 910 into your router, possibly being routed elsewhere. The directions on SVIs are always given from the perspective of the multilayer switch itself - out is traffic flowing out, towards the VLAN, while in is the traffic flowing in, from the VLAN.

Best regards,

Peter

Customers Also Viewed These Support Documents