
When should I use VLAN filter vs. SVI access-list on switches?

gwhuang5398
Level 2

If VLAN 10 is a user VLAN in subnet 10.10.10.0/24, and I want to restrict what servers those users in VLAN 10 can access, I can configure an access-list and apply the ACL to a VLAN access-map, or apply the ACL to the SVI "interface vlan 10". What's a good practice as far as when I should use a VLAN access-map and when I should apply the access-list directly to SVI?

Thanks a lot

Accepted Solutions

John Blakley
VIP Alumni

VLAN access-maps are used when you want to restrict hosts within a vlan. If you have a host and server in vlan 10, and you want to restrict this host from accessing the server, you'd use a vlan access map.

Access lists on the SVI are used when you want to restrict intervlan routing between vlans. If you have a host in vlan 10 and a server in vlan 15, you'd use a normal acl applied to the vlan 10 svi restricting the host from accessing the server in vlan 15.

HTH,

John

**** Please rate useful posts ****
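
The two cases from the answer above, written out as Catalyst IOS-style configuration. This is an added example, not part of the original post; the ACL and access-map names, the host and server addresses, and the 10.10.15.0/24 subnet for VLAN 15 are assumptions made for illustration.

```cisco
! Constructed addresses: host 10.10.10.50 and server 10.10.10.200 in VLAN 10,
! server 10.10.15.200 in VLAN 15 (the 10.10.15.0/24 subnet is an assumption).
!
! --- Case 1: host and server both in VLAN 10 (bridged, never reaches the SVI) ---
! In a VACL the ACL only selects traffic: "permit" means "match this",
! and the access-map action decides whether the match is dropped or forwarded.
ip access-list extended V10-HOST-TO-LOCAL-SERVER
 permit ip host 10.10.10.50 host 10.10.10.200
!
vlan access-map V10-FILTER 10
 match ip address V10-HOST-TO-LOCAL-SERVER
 action drop
! Without a final forward entry, IP traffic that matches no entry is dropped.
vlan access-map V10-FILTER 20
 action forward
!
! The filter sees every packet in VLAN 10, bridged or routed.
vlan filter V10-FILTER vlan-list 10
!
! --- Case 2: host in VLAN 10, server in VLAN 15 (routed through the SVI) ---
! A routed ACL on the SVI only sees traffic that is routed in from VLAN 10.
ip access-list extended V10-TO-V15
 deny   ip 10.10.10.0 0.0.0.255 host 10.10.15.200
 permit ip any any
!
interface Vlan10
 ip access-group V10-TO-V15 in
```

After applying, `show vlan access-map`, `show vlan filter` and `show ip access-lists` confirm what is bound where and whether the entries are matching.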


Thanks so much.
