ip access-group name in - does it apply to systems on the same subnet?
|
Bookmark this page:
 Yahoo!
 Google
 Windows Live
 del.icio.us
 digg
 Netscape
|
|
||||||||||
|
Posted by Adam Przestroga on June 9, 2009, 6:52 pm
Please log in for more thread options
Perhaps a dumb question, but I need clarification. I have an ACL defined on a Catalyst 3560 VLAN interface. Does it apply to systems which reside within this VLAN and communicate with one another? Or perhaps, this ACL works only when the VLAN systems communicate with systems on another subnet? Thanks, APrzestroga | ||||||||||
|
Posted by Trendkill on June 10, 2009, 5:59 am
Please log in for more thread options  apply it 'in' on vlan X, the access-list will only impact traffic it receives from Vlan X to the vlan interface. More importantly to your question, the only time a node on vlan X would send traffic to the vlan interface, is when it is sending traffic to its default gateway to be routed somewhere else. Conversely, applying it 'out' on vlan X, will only impact traffic that the router is putting onto Vlan X from another network. No access-list will impact traffic within a vlan since that will be handled by arps on the local machines/servers and switched...not routed. Access-lists are strictly layer 3, unless you start looking at vacls and other layer 2 related options. | ||||||||||
|
Posted by Adam Przestroga on June 10, 2009, 6:43 pm
Please log in for more thread options Trendkill wrote:Thank you for the clarification. I have applied L2 ACL (access-map) and it seems to do the job. BTW. The "out" ACL applied on the gateway interface of VLAN X is a bit misleading... Regards, APrzestroga | ||||||||||
|
Posted by Trendkill on June 10, 2009, 7:14 pm
Please log in for more thread options Yes, the terminology has always carried some confusion. Best way to think of it is as a router on a stick. Picture the router as having one interface to a switch where all the nodes on the vlan are. If the router puts packets out onto the vlan (i.e. destined to a server/node on that network from another network), then that matches 'out' access lists. If the router receives a packet in on that vlan interface (i.e. destined to another network from one of the servers/nodes) then it matches 'in' access lists. Then just scale that up to many switched virtual interfaces (SVIs) or vlans on a 6500 series router/ msfc....works the same way with just more interfaces...and some happen to be logical instead of physical. | ||||||||||
|
Home Cabling Guide
Finally, an instantly downloadable book that saves you thousands in home improvement dollars! Enjoy living in 21st century technology-advanced home while increasing its selling value and competitive advantage on the real estate market. Whether your cabling is for home office or high-tech leisure, you can wire your home yourself or learn "wirish" to speak with your cabling contractors in their language! Click Here to learn more |
> Perhaps a dumb question, but I need clarification.
> I have an ACL defined on a Catalyst 3560 VLAN interface. Does it apply
> to systems which reside within this VLAN and communicate with one
> another? Or perhaps, this ACL works only when the VLAN systems
> communicate with systems on another subnet?
> Thanks,
> APrzestroga