Solved: Re: Core switch ACL question

Jason Fraioli · ‎02-08-2010

I have a core switch with around 20 vlans connected. I need to be able to do the following:

1) Permit access from a specific host, to a specific host or subnet.

2) Deny all other traffic from a specific host to any other vlan or subnet.

What is the easiest way to do this? Is there anyway other that to apply an ACL to each SVI?

Jon Marshall · ‎02-08-2010

jason.fraioli wrote:

I have a core switch with around 20 vlans connected. I need to be able to do the following:

1) Permit access from a specific host, to a specific host or subnet.

2) Deny all other traffic from a specific host to any other vlan or subnet.

What is the easiest way to do this? Is there anyway other that to create an ACL on each SVI?

Jason

You don't need to create an acl for each SVI but yes SVI acls are the way to go. So for your example above -

access-list 101 permit ip host 192.168.5.1 host 192.168.6.1

access-list 101 deny ip host 192.168.5.1 192.168.6.0 0.0.0.255

access-list 101 permit ip any any <-- for all the other hosts on the 192.168.5.x network

int vlan 10 <-- this is the vlan for the 192.168.5.0/24 network

ip access-group 101 in

Jon

Jon Marshall · ‎02-08-2010

jason.fraioli wrote:

I have a core switch with around 20 vlans connected. I need to be able to do the following:

1) Permit access from a specific host, to a specific host or subnet.

2) Deny all other traffic from a specific host to any other vlan or subnet.

What is the easiest way to do this? Is there anyway other that to create an ACL on each SVI?

Jason

You don't need to create an acl for each SVI but yes SVI acls are the way to go. So for your example above -

access-list 101 permit ip host 192.168.5.1 host 192.168.6.1

access-list 101 deny ip host 192.168.5.1 192.168.6.0 0.0.0.255

access-list 101 permit ip any any <-- for all the other hosts on the 192.168.5.x network

int vlan 10 <-- this is the vlan for the 192.168.5.0/24 network

ip access-group 101 in

Jon