Re: Can I block IP bands that overlab with SVI IP bands using ACL?

silverdoor12 · ‎11-27-2024

I have nexus backbone switch.

interface vlan 10

ip address 10.10.10.1 255.255.255.0

ip access-group Blocking in

ip access-group Blocking out

interface vlan 20

ip address 20.20.20.2 255.255.255.0

I want to prevent 10.10.0.0/16 band and 20.20.0.0/16 band from communicating each other.

So I make ACL below.

ACL

ip access-list Blocking

10 deny ip 10.10.0.0/16 20.20.0.0/16

20 deny ip 20 20.20.0.0/16 10.10.0.0/16

30 permit ip any any

My question is

if I have SVI interface that have A (10.10.10.1), can I use acl deny ip band (10.10.0.0/16) in this VLAN interface?

These two bands overlaps each other, and can I use ACL like this?

MHM Cisco World · ‎11-27-2024

can you more elaborate

paul driver · ‎11-27-2024

Hello
you can negate access between L3 SVI with routed access-lists that relate to classful subnets.

Example
ip access extended 10
permit ip any 10.10.10.0 0.0.0.255
deny ip any 10.10.0.0 0.0.255.255
deny ip any 20.20.0.0 0.0.255.255
permit ip any any

int vlan 10
ip address 10.10.10.1 255.255.255.0
ip access-group 10 in

ip access extended 20
permit ip any 20.20.20.0 0.0.0.255
deny ip any 20.20.0.0 0.0.255.255
deny ip any 10.10.0.0 0.0.255.255
permit ip any any

int vlan 20
ip address 20.20.20.2 255.255.255.0
ip access-group 20 in

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul