It is exactly the same. Is the traffic you wish to filter passing _through_ the SVI? If so, then which direction? Bear in mind that two hosts on the same vlan will never pass through the SVI as they never need to query the default-gateway.
However, if you have vlan 5 and vlan 6, then to filter the host on vlan 5 going to vlan 6 would look like this:

access-list 5 deny host 5.5.5.5
! permit everything else; every ACL ends in an implicit deny
access-list 5 permit any
!
inter vlan 5
 ip address 5.5.5.1 255.255.255.0
 ! inbound: traffic arriving from hosts on vlan 5
 ip access-group 5 in
!
interface vlan 6
 ip address 6.6.6.1 255.255.255.0

OR

inter vlan 5
 ip address 5.5.5.1 255.255.255.0
!
interface vlan 6
 ip address 6.6.6.1 255.255.255.0
 ! outbound: traffic being routed toward hosts on vlan 6
 ip access-group 5 out

HTH

Cheers,

Matt

CCIE #22386
CCSI #31207

On 21 March 2010 16:46, Jason LeBlanc wrote:

> I am slightly confused on the application of IN vs. OUT for the access-list
> on an SVI interface. Physical interfaces always make sense to me for some
> reason because I know exactly where they sit and the traffic has to ingress
> or egress out of them.
>
> I have an externally facing 3750 switch and want to allow some external
> addressing/ports. I have internal addresses that I want to do the same with.
> Then there is the SVI segment itself (which is virtual so is it inside or
> outside of the other segments). Finally all of that has to use a physical
> port at some point in time. Can someone spell out the logic in simple terms
> so I can get my mind wrapped around it?
>
> Thanks in advance!
>
> //LeBlanc
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
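A simplified Python model of the in/out logic discussed in this thread, added here as an illustration and not part of either poster's message. The function names, the binding dictionaries and the 10.0.0.1 destination are assumptions; the model only covers standard (source-only) ACLs on the two SVIs from the reply.

```python
import ipaddress

# Constructed topology mirroring the thread: two SVIs on one layer 3 switch.
SVIS = {
    "Vlan5": ipaddress.ip_network("5.5.5.0/24"),
    "Vlan6": ipaddress.ip_network("6.6.6.0/24"),
}

def standard_acl(entries):
    """Build a standard (source-only) ACL from (action, network) pairs."""
    nets = [(action, ipaddress.ip_network(net)) for action, net in entries]
    def match(src):
        for action, net in nets:
            if src in net:
                return action == "permit"
        return False  # implicit deny at the end of every ACL
    return match

def svi_for(addr):
    """Return the SVI whose subnet contains addr, or None if it is elsewhere."""
    return next((name for name, net in SVIS.items() if addr in net), None)

def forward(src, dst, bindings):
    """bindings maps (svi, 'in' or 'out') to an ACL. Returns (verdict, ACLs checked)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = svi_for(src), svi_for(dst)
    if ingress is not None and ingress == egress:
        # Same VLAN: switched at layer 2, so the SVI and its ACLs are never consulted.
        return "switched", []
    checks = []
    # 'in'  = packets arriving from hosts in the VLAN at the routing engine
    # 'out' = packets the routing engine sends toward hosts in the VLAN
    for svi, direction in ((ingress, "in"), (egress, "out")):
        acl = bindings.get((svi, direction))
        if acl is not None:
            checks.append(f"{svi} {direction}")
            if not acl(src):
                return "dropped", checks
    return "routed", checks

ACL5 = standard_acl([("deny", "5.5.5.5/32"), ("permit", "0.0.0.0/0")])
OPTION_A = {("Vlan5", "in"): ACL5}   # ip access-group 5 in, on interface vlan 5
OPTION_B = {("Vlan6", "out"): ACL5}  # ip access-group 5 out, on interface vlan 6

if __name__ == "__main__":
    # 10.0.0.1 stands for any destination reached through another routed interface.
    for dst in ("5.5.5.20", "6.6.6.10", "10.0.0.1"):
        print(dst, forward("5.5.5.5", dst, OPTION_A), forward("5.5.5.5", dst, OPTION_B))
```

Both placements drop 5.5.5.5 toward vlan 6, but because a standard ACL matches on source only, the inbound binding on Vlan5 also drops that host toward every other routed destination, while the outbound binding on Vlan6 affects only traffic leaving toward vlan 6.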
