10-24-2013 11:42 AM - edited 03-07-2019 04:13 PM
I currently have extended ACLs on probably 40-50 L3 SVIs at my distribution layer. Most of them are configured to admit/deny traffic on the outbound filter for each SVI. I am considering moving to reflexive ACLs to get improved security controls, but I'm just not sure it would work. Many of the vlans need to talk to each other but not ALL the other vlans and almost all of them need to go to the Internet. Does anyone here have experience with using reflexive ACLs in an Enterprise at the distribution layer that might have some advice on how to do this (or not do it)? Thanks.
10-24-2013 12:09 PM
Hi,
reflexive ACLs are only supported on 6500 switches as far as I know.
Regards
Alain
Don't forget to rate helpful posts.
10-24-2013 12:54 PM
I think they are supported on the 7609-S (which is what I'd put them on) but I am double-checking. Hardware aside, I am just trying to figure out if it's doable from a traffic flow standpoint. That is my concern. It seems reflexive ACLs are more commonly used at entry/exit points and not for complex intervlan routing. I am just curious if I am the only one to consider it for internal use and if others have experience, I could use some insight.
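To make the traffic-flow question concrete, here is an added illustration of how a reflexive ACL pair would sit on one user SVI (this is an example written for this thread, not the poster's configuration; VLAN numbers, subnets and ACL names are hypothetical). The point it shows is that the session-tracking "reflect" entries go on the inbound filter, where hosts start sessions, and the "evaluate" entry goes on the outbound filter the poster is using today, so static intervlan permits can coexist with the tracked ones.

```ios
! Hypothetical layout: Vlan10 = user hosts 10.10.0.0/16, Vlan20 = servers 10.20.0.0/16
! Default lifetime (seconds) for temporary reflexive entries
ip reflexive-list timeout 300
!
! Applied "in" on Vlan10: packets from user hosts entering the SVI.
! Each permit with "reflect" records the session so replies can return.
ip access-list extended VLAN10-IN
 remark -- allowed intervlan services, tracked
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 443 reflect USERS-TCP
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 445 reflect USERS-TCP
 remark -- block every other internal VLAN before the Internet permits
 deny   ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 remark -- Internet-bound sessions, tracked with per-protocol timeouts
 permit tcp 10.10.0.0 0.0.255.255 any reflect USERS-TCP timeout 600
 permit udp 10.10.0.0 0.0.255.255 any eq 53 reflect USERS-UDP timeout 60
 permit icmp 10.10.0.0 0.0.255.255 any reflect USERS-ICMP
 deny   ip any any log
!
! Applied "out" on Vlan10: packets leaving the SVI toward user hosts.
! "evaluate" admits only replies to sessions recorded above, so the
! server VLAN and the Internet cannot open new connections to users.
ip access-list extended VLAN10-OUT
 evaluate USERS-TCP
 evaluate USERS-UDP
 evaluate USERS-ICMP
 deny   ip any any log
!
interface Vlan10
 ip address 10.10.0.1 255.255.0.0
 ip access-group VLAN10-IN in
 ip access-group VLAN10-OUT out
!
! Note: the user->server packets also traverse Vlan20's own filters,
! so Vlan20's outbound ACL must still statically permit 10.10.0.0/16
! to the published server ports; only the reply path is tracked here.
!
! Inspect live temporary entries with:
!   show ip access-list USERS-TCP
```

Two caveats worth weighing for 40-50 SVIs: reflexive entries are created per session and do not follow multi-channel protocols such as active FTP, which still need a static permit. The live entries are visible with the show command above, which is also where you confirm that an unexpected VLAN-to-VLAN reply is really a tracked session and not a static hole.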