I had an issue a few years ago when we were applying an ACL to an SVI on a 3750: it worked back to front from what you would logically think. We had to get Wireshark in on it to figure out what was going on, but from memory I could have sworn that if we denied outbound port 80 on the SVI it would actually only be denied inbound.

I don't have a 3750 which I can do this on at the moment, or 2 systems to run packet sniffers on, so I can't lab this up at the moment. If you are having problems in production give it a lab; I don't know if it was a bug we were dealing with or not.

Bradley

On 21 Mar 2010, at 10:47, joshua atterbury wrote:

> Matt is right, it's quite straightforward.
>
> In - traffic coming in to the SVI from the vlan
> Out - Traffic going out of the SVI to the clients on the vlan
>
> Josh.
>
>
> On Sun, Mar 21, 2010 at 7:58 PM, Matt Hill <[email protected]> wrote:
> > Think of it this way.
> >
> > Change the words "vlan" to "FastEthernet" in those interface types:
> >
> > access-list 5 deny host 5.5.5.5
> >
> > inter FastEthernet 5
> > ip address 5.5.5.1 255.255.255.0
> > ip access-group 5 in
> >
> > interface FastEthernet 6
> > ip address 6.6.6.1 255.255.255.0
> >
> > If you had these "real" interfaces, connect a crossover cable directly
> > into a host of some sort.
> >
> > What happens now?
> >
> > Cheers,
> > Matt
> >
> > CCIE #22386
> > CCSI #31207
> >
> > On 21 March 2010 20:09, Patrice Ngassam <[email protected]> wrote:
> > > I am more confused Matt!
> > > Keeping the same example, this is what I'd have done:
> > >
> > > access-list 5 deny host 5.5.5.5
> > >
> > > inter vlan 5
> > > ip address 5.5.5.1 255.255.255.0
> > >
> > > interface vlan 6
> > > ip address 6.6.6.1 255.255.255.0
> > > ip access-group 5 in
> > >
> > > OR
> > >
> > > inter vlan 5
> > > ip address 5.5.5.1 255.255.255.0
> > > ip access-group 5 out
> > >
> > > interface vlan 6
> > > ip address 6.6.6.1 255.255.255.0
> > >
> > > Patrice Ngassam
> > > Certified Cisco CCNP, CCDP, CCIP
> > >
> > > > Date: Sun, 21 Mar 2010 16:59:28 +1100
> > > > From: [email protected]
> > > > To: [email protected]
> > > > CC: [email protected]
> > > > Subject: Re: [OSL | CCIE_RS] Access-list on Physical vs SVI Interface
> > > >
> > > > It is exactly the same.
> > > >
> > > > Is the traffic you wish to filter passing _through_ the SVI? If so,
> > > > then which direction. Bear in mind that two hosts on the same vlan
> > > > will never pass through the SVI as they never need to query the
> > > > default-gateway.
> > > >
> > > > However, if you have vlan 5 and vlan 6, then to filter the host on
> > > > vlan 5 going to vlan 6 would look like this:
> > > >
> > > > access-list 5 deny host 5.5.5.5
> > > >
> > > > inter vlan 5
> > > > ip address 5.5.5.1 255.255.255.0
> > > > ip access-group 5 in
> > > >
> > > > interface vlan 6
> > > > ip address 6.6.6.1 255.255.255.0
> > > >
> > > > OR
> > > >
> > > > inter vlan 5
> > > > ip address 5.5.5.1 255.255.255.0
> > > >
> > > > interface vlan 6
> > > > ip address 6.6.6.1 255.255.255.0
> > > > ip access-group 5 out
> > > >
> > > > HTH
> > > >
> > > > Cheers,
> > > > Matt
> > > >
> > > > CCIE #22386
> > > > CCSI #31207
> > > >
> > > >
> > > > On 21 March 2010 16:46, Jason LeBlanc <[email protected]> wrote:
> > > > > I am slightly confused on the application of IN vs. OUT for the
> > > > > access-list on an SVI interface. Physical interfaces always make sense
> > > > > to me for some reason because I know exactly where they sit and the
> > > > > traffic has to ingress or egress out of them.
> > > > >
> > > > > I have an externally facing 3750 switch and want to allow some external
> > > > > addressing/ports. I have internal addresses that I want to do the same
> > > > > with. Then there is the SVI segment itself (which is virtual so is it
> > > > > inside or outside of the other segments). Finally all of that has to
> > > > > use a physical port at some point in time. Can someone spell out the
> > > > > logic in simple terms so I can get my mind wrapped around it?
> > > > >
> > > > > Thanks in advance!
> > > > >
> > > > > //LeBlanc
> > > > > _______________________________________________
> > > > > For more information regarding industry leading CCIE Lab training,
> > > > > please visit www.ipexpert.com
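The direction rules Matt and Josh describe (inbound on the source VLAN's SVI and outbound on the destination VLAN's SVI are equivalent for routed traffic, while same-VLAN traffic never touches the SVI) can be checked with a small model. This is an added example, not code from anyone in this thread; it assumes a standard ACL that matches on source address only and appends an explicit "permit any" so the implicit deny does not hide the result.

```python
import ipaddress

# Constructed model of the two SVIs from the thread (vlan 5 and vlan 6).
SVIS = {
    "Vlan5": ipaddress.ip_network("5.5.5.0/24"),
    "Vlan6": ipaddress.ip_network("6.6.6.0/24"),
}

# access-list 5 deny host 5.5.5.5, with an assumed trailing "permit any".
ACL_5 = [("deny", "5.5.5.5"), ("permit", "any")]


def acl_permits(acl, src):
    """Standard ACL: evaluate entries top down on the source address only."""
    for action, match in acl:
        if match == "any" or match == src:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def svi_for(ip):
    """Return the SVI whose subnet contains ip, or None if no SVI does."""
    for name, net in SVIS.items():
        if ipaddress.ip_address(ip) in net:
            return name
    return None


def forwards(src, dst, bindings):
    """bindings maps (svi, 'in'|'out') to an ACL. True if the packet is delivered."""
    ingress, egress = svi_for(src), svi_for(dst)
    if ingress is None or egress is None:
        return False
    if ingress == egress:
        # Same VLAN: switched at layer 2, never enters the SVI, no ACL applies.
        return True
    # Routed: the inbound ACL of the ingress SVI, then the outbound ACL of the egress SVI.
    for svi, direction in ((ingress, "in"), (egress, "out")):
        acl = bindings.get((svi, direction))
        if acl is not None and not acl_permits(acl, src):
            return False
    return True


IN_ON_VLAN5 = {("Vlan5", "in"): ACL_5}    # Matt's first placement
OUT_ON_VLAN6 = {("Vlan6", "out"): ACL_5}  # Matt's second placement
OUT_ON_VLAN5 = {("Vlan5", "out"): ACL_5}  # Patrice's second placement
```

Running 5.5.5.5 to 6.6.6.10 through the three bindings shows why Patrice's "out" on Vlan5 does not block that host: the ACL only sees traffic leaving Vlan5 towards its clients, whose sources are in 6.6.6.0/24.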
