02-16-2012 07:17 PM - edited 03-07-2019 04:59 AM
Dear all,
I have one quick question. Let's say I created two extended access-lists on a switch and applied one on the VLAN SVI interface and another at the host interface end; which access-list will take effect?
Example:
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
end
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 10
 ip access-group 101 in
 spanning-tree portfast
 spanning-tree bpduguard enable
end
So which access-list will port Fa0/10 follow and take effect? Access-list 100 or access-list 101? Or BOTH?
Thanks in advance
02-17-2012 12:35 AM
Hi,
I think it depends on whether the traffic is gonna get routed by the SVI or not. If traffic is routed, then first the port ACL will take effect, then the SVI one, but if the traffic is not routed, then it will only hit the port ACL.
To verify this, you can do sh access-list to see hits or add the log keyword to the ACLs.
Regards.
Alain
02-22-2012 11:41 PM
Dear Alain,
I have tested it out and you're correct: the inbound traffic will first be checked by the port access-list, and if it's permitted then it will be checked by the SVI interface access-list as well, so both ACLs are sort of "combined".
Thanks again
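
Added example (not part of the original thread, and not Cisco's implementation): a small Python model of the order described in the answer and confirmed by the test above, where the port ACL on Fa0/10 is evaluated first and the Vlan10 ACL only for routed traffic. The contents of ACL 100 and 101 are constructed, since the thread does not show them, and any destination inside 192.168.1.0/24 is assumed to be bridged.

```python
"""Model of inbound ACL order on a switch access port (constructed example)."""
from ipaddress import ip_address, ip_network

# Constructed rule sets; the thread never shows the contents of ACL 100 or 101.
# Each entry is (action, source network, destination network), first match wins.
ACL_101_PORT = [  # ip access-group 101 in on FastEthernet0/10
    ("deny", "192.168.1.50/32", "0.0.0.0/0"),
    ("permit", "192.168.1.0/24", "0.0.0.0/0"),
]
ACL_100_SVI = [  # ip access-group 100 in on interface Vlan10
    ("deny", "192.168.1.0/24", "10.0.0.0/8"),
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),
]
VLAN10_SUBNET = ip_network("192.168.1.0/24")


def acl_permits(acl, src, dst):
    """First matching entry decides; no match means the implicit deny."""
    for action, src_net, dst_net in acl:
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return action == "permit"
    return False


def inbound_verdict(src, dst):
    """Return (verdict, ACLs evaluated) for a packet entering Fa0/10."""
    checked = ["port ACL 101"]
    if not acl_permits(ACL_101_PORT, src, dst):
        return "dropped by port ACL 101", checked
    # Simplification: a destination inside the VLAN 10 subnet is treated as
    # bridged, so it never reaches the SVI and ACL 100 is not consulted.
    if ip_address(dst) in VLAN10_SUBNET:
        return "forwarded", checked
    checked.append("SVI ACL 100")
    if not acl_permits(ACL_100_SVI, src, dst):
        return "dropped by SVI ACL 100", checked
    return "forwarded", checked


if __name__ == "__main__":
    for src, dst in [
        ("192.168.1.20", "192.168.1.30"),  # same VLAN, bridged
        ("192.168.1.20", "172.16.5.5"),    # routed, both ACLs permit
        ("192.168.1.20", "10.1.1.1"),      # routed, SVI ACL denies
        ("192.168.1.50", "172.16.5.5"),    # port ACL denies first
    ]:
        print(src, "->", dst, inbound_verdict(src, dst))
```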