Layer 3 ACL and two Cisco switches.

Hi all,

I have the following configuration:

My backbone switch is a Cisco 3560 with 18 VLANs. I have L3 ACLs applied on 6 VLANs. There is another 3560 switch trunked with the backbone switch (all VLANs are allowed to pass the trunked ports). Both switches belong to the same VTP domain and therefore are aware of the same VLANs.

I have two questions:

1) Do I need to apply the same ACLs as applied to the backbone switch on the second switch, or are they in effect?
2) Do I need to specify allowed VLANs on the trunk port on the second switch, as well?

Thanks.

Regards, AP

Reply to
Adam Przestroga

If they aren't stacked, yes. I mean technically, provided your first switch is the owner at l2 and l3 (by setting spanning-tree and hsrp priorities), I suppose that you would not need the same on switch 2, but presuming your goal is full redundancy and identical operation in the event of a link or switch failure, then you need to match the configs. I'm also assuming your idf or distribution layer has redundant links to both cores. Else the situation changes since the second backbone can never fully stand in when the primary fails.

Reply to
Trendkill

The simple answer is that you need to apply the L3 ACLs on every layer 3 interface on every switch/router for the VLANs you want to restrict. If you have two switches, and they both have a layer 3 interface for the VLAN, then you need to apply the ACL on both.

Reply to
Thrill5
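What "apply the ACL on both" and "match the configs" look like on a pair of 3560s, as an added example that is not from this thread or from either poster: the same named ACL bound inbound on the VLAN 10 SVI of each switch, HSRP deciding which switch is the active gateway, and the same allowed-VLAN list on both ends of the trunk (the allowed list only filters the local port, so it has to be set on each side). Hostnames, VLAN numbers, addresses and the ACL policy are constructed for illustration.

```cisco
! Added example (not from the thread): matching L3 ACL and trunk config on both 3560s.
! Hostnames, VLAN numbers, addresses and the ACL policy below are constructed.
!
! ===== SW-BACKBONE (active HSRP gateway for VLAN 10) =====
hostname SW-BACKBONE
ip routing
!
ip access-list extended VLAN10-IN
 remark Hosts in VLAN 10 may reach the server VLAN on HTTPS only
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
 deny   ip any any log
!
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 ip access-group VLAN10-IN in
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt
!
interface GigabitEthernet0/1
 description Trunk to SW-SECOND
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! ===== SW-SECOND (standby gateway for VLAN 10; identical ACL, same trunk list) =====
hostname SW-SECOND
ip routing
!
ip access-list extended VLAN10-IN
 remark Same policy as on SW-BACKBONE, or a failover silently changes what is filtered
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
 deny   ip any any log
!
interface Vlan10
 ip address 10.10.10.3 255.255.255.0
 ip access-group VLAN10-IN in
 standby 10 ip 10.10.10.1
 standby 10 priority 90
 standby 10 preempt
!
interface GigabitEthernet0/1
 description Trunk to SW-BACKBONE
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
```

On each switch, `show ip interface vlan 10` should report the inbound access list, `show standby brief` shows which switch is currently active for the group, and `show interfaces trunk` should list the same allowed VLANs on both ends. Two caveats: an ACL on the SVI only sees traffic that is routed through that interface, so host-to-host traffic inside VLAN 10 is switched at layer 2 and never hits it (that needs a VLAN access map instead); and if the second switch has no SVI for a VLAN at all, it does no routing for it and the question of an ACL there does not arise.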

Thank you both for the clarification. Regards, AP

Reply to
Adam Przestroga