One quick access-list question

Wai wai
Level 1

Dear all,

I have one quick question. Let's say I created two extended access-lists on a switch and applied one on the VLAN SVI interface and the other on the host interface end; which access-list will take effect?

Example:-

interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
end

interface FastEthernet0/10
 switchport mode access
 switchport access vlan 10
 ip access-group 101 in
 spanning-tree portfast
 spanning-tree bpduguard enable
end

So which access-list will port Fa0/10 follow? Access-list 100 or access-list 101? Or BOTH?

Thanks in advance

1 Accepted Solution


cadet alain
VIP Alumni

Hi,

I think it depends if the traffic is gonna get routed by the SVI or not. If traffic is routed, then first the port ACL will take effect, then the SVI one, but if the traffic is not routed then it will only hit the port ACL.

To verify this you can do sh access-list to see hits or add the log keyword to the ACLs.

Regards.

Alain

Don't forget to rate helpful posts.


2 Replies

Dear Alain,

I have tested it out and you're correct: the inbound traffic will first be checked by the port access-list, and if it's permitted then it will be checked by the SVI interface access-list as well, so both ACLs are sort of "combined".

Thanks again
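
The evaluation order reported in this thread (port ACL 101 on Fa0/10 first, then SVI ACL 100 only for routed traffic), as an added Python model that is not part of any post and not Cisco code. The ACL entries are constructed because the thread never shows them, the class and function names are hypothetical, and a packet is assumed to be routed when its destination lies outside 192.168.1.0/24.

```python
import ipaddress

VLAN10_NET = ipaddress.ip_network("192.168.1.0/24")  # from "interface Vlan10" in the question

class Acl:
    """Ordered permit/deny entries with per-entry hit counters and an implicit deny."""
    def __init__(self, name, entries):
        self.name = name
        # each entry: [action, source network, destination network, hits]
        self.entries = [[a, ipaddress.ip_network(s), ipaddress.ip_network(d), 0]
                        for a, s, d in entries]

    def check(self, src, dst):
        for entry in self.entries:
            action, s_net, d_net, _ = entry
            if src in s_net and dst in d_net:
                entry[3] += 1          # counter analogous to the hits in "sh access-list"
                return action == "permit"
        return False                   # implicit deny at the end of every ACL

    def hits(self):
        return [e[3] for e in self.entries]

def ingress(src, dst, port_acl, svi_acl):
    """Return (forwarded, list of ACL names consulted) for a packet entering Fa0/10."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    consulted = [port_acl.name]
    if not port_acl.check(src, dst):   # the port ACL sees every inbound packet
        return False, consulted
    if dst in VLAN10_NET:              # assumption: same subnet means bridged, SVI not involved
        return True, consulted
    consulted.append(svi_acl.name)     # routed: the SVI inbound ACL is checked next
    return svi_acl.check(src, dst), consulted

def build_acls():
    # Constructed entries; the thread does not show what ACL 100 and 101 contain.
    acl100 = Acl("100", [("deny", "192.168.1.0/24", "10.0.0.0/8"),
                         ("permit", "0.0.0.0/0", "0.0.0.0/0")])
    acl101 = Acl("101", [("deny", "192.168.1.50/32", "0.0.0.0/0"),
                         ("permit", "0.0.0.0/0", "0.0.0.0/0")])
    return acl100, acl101

if __name__ == "__main__":
    acl100, acl101 = build_acls()
    for s, d in [("192.168.1.20", "192.168.1.30"), ("192.168.1.20", "203.0.113.9"),
                 ("192.168.1.20", "10.1.1.1"), ("192.168.1.50", "203.0.113.9")]:
        print(s, "->", d, ingress(s, d, acl101, acl100))
    print("ACL 101 hits:", acl101.hits(), "ACL 100 hits:", acl100.hits())
```

The per-entry counters show which ACL a packet actually reached, which is the same evidence the hit counts in sh access-list give on the switch.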
