Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
564
Views
5
Helpful
4
Replies

How to correct setup access-list for SVI

Vitalii
Level 1
Level 1

‎04-25-2019 12:48 AM

Hello. I have SVI vlan 500 on L3 switch configured as point-to-point link. I get this vlan 500 through trunk. Through this vlan I accept remote network 10.180.100.0/24. I tried to setup access-list on SVI vlan 500 to access only few servers. For example:

permit ip 10.180.100.0 0.0.0.255 host 10.180.200.50. 

deny ip any any

I assigned this access list to SVI interface with vlan 500 as IN. But I can't to reach the server.

Where I did mistake?

Labels:
0 Helpful
4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

‎04-25-2019 12:51 AM

Can you post the show run interface  VLAN 500

show access-list

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Vitalii
Level 1
Level 1
In response to balaji.bandi

‎04-25-2019 01:33 AM

Thank you. Solved. I didn't correct write ip address of server.

balaji.bandi
Hall of Fame
Hall of Fame
In response to Vitalii

‎04-25-2019 02:39 PM

glad all working , if it solved can you mark as solved. so other community members can view as solution.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

paul driver
VIP
VIP

‎04-25-2019 01:21 AM - edited ‎04-25-2019 01:27 AM

Hello

 wrote:

Hello. I have SVI vlan 500 on L3 switch configured as point-to-point link. I get this vlan 500 through trunk. Through this vlan I accept remote network 10.180.100.0/24. I tried to setup access-list on SVI vlan 500 to access only few servers. For example:

permit ip 10.180.100.0 0.0.0.255 host 10.180.200.50. 

deny ip any any

I assigned this access list to SVI interface with vlan 500 as IN. But I can't to reach the server.

Where I did mistake?

@Vitalii

SVI ACL logic
IN = Traffic originated from within vlan
OUT= Traffic originated from outside towards vlan

The below example based on the above will allow any host in 10.180.100.0/24 only access to server 10.189.200.50 that resides in vlan 500 which is rather restrictive to the vlan 500, but you need to use the OUT keyword.

 

access-list 100 permit ip 10.180.100.0 0.0.0.255 host 10.180.200.50
int vlan 500
ip access-group 100 out


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card