Think of it this way. Change the words "vlan" to "FastEthernet" in those interface types:
> access-list 5 deny host 5.5.5.5
>
> inter FastEthernet 5
> ip address 5.5.5.1 255.255.255.0
> ip access-group 5 in
>
> interface FastEthernet 6
> ip address 6.6.6.1 255.255.255.0

If you had these "real" interfaces, connect a crossover cable directly into a host of some sort. What happens now?

Cheers,
Matt

CCIE #22386
CCSI #31207

On 21 March 2010 20:09, Patrice Ngassam <[email protected]> wrote:
> I am more confused Matt!
> Keeping the same example, this is what I'd have done:
>
> access-list 5 deny host 5.5.5.5
>
> inter vlan 5
> ip address 5.5.5.1 255.255.255.0
>
> interface vlan 6
> ip address 6.6.6.1 255.255.255.0
> ip access-group 5 in
>
> OR
>
> inter vlan 5
> ip address 5.5.5.1 255.255.255.0
> ip access-group 5 out
>
> interface vlan 6
> ip address 6.6.6.1 255.255.255.0
>
> Patrice Ngassam
> Certified Cisco CCNP, CCDP, CCIP
>
>> Date: Sun, 21 Mar 2010 16:59:28 +1100
>> From: [email protected]
>> To: [email protected]
>> CC: [email protected]
>> Subject: Re: [OSL | CCIE_RS] Access-list on Physical vs SVI Interface
>>
>> It is exactly the same.
>>
>> Is the traffic you wish to filter passing _through_ the SVI? If so,
>> then which direction. Bear in mind that two hosts on the same vlan
>> will never pass through the SVI as they never need to query the
>> default-gateway.
>>
>> However, if you have vlan 5 and vlan 6, then to filter the host on
>> vlan 5 going to vlan 6 would look like this:
>>
>> access-list 5 deny host 5.5.5.5
>>
>> inter vlan 5
>> ip address 5.5.5.1 255.255.255.0
>> ip access-group 5 in
>>
>> interface vlan 6
>> ip address 6.6.6.1 255.255.255.0
>>
>> OR
>>
>> inter vlan 5
>> ip address 5.5.5.1 255.255.255.0
>>
>> interface vlan 6
>> ip address 6.6.6.1 255.255.255.0
>> ip access-group 5 out
>>
>> HTH
>>
>> Cheers,
>> Matt
>>
>> CCIE #22386
>> CCSI #31207
>>
>> On 21 March 2010 16:46, Jason LeBlanc <[email protected]> wrote:
>> > I am slightly confused on the application of IN vs. OUT for the
>> > access-list on an SVI interface. Physical interfaces always make sense to
>> > me for some reason because I know exactly where they sit and the traffic
>> > has to ingress or egress out of them.
>> >
>> > I have an externally facing 3750 switch and want to allow some external
>> > addressing/ports. I have internal addresses that I want to do the same
>> > with. Then there is the SVI segment itself (which is virtual so is it
>> > inside or outside of the other segments). Finally all of that has to use a
>> > physical port at some point in time. Can someone spell out the logic in
>> > simple terms so I can get my mind wrapped around it?
>> >
>> > Thanks in advance!
>> >
>> > //LeBlanc
>> > _______________________________________________
>> > For more information regarding industry leading CCIE Lab training,
>> > please visit www.ipexpert.com
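
The in/out logic discussed in this thread, as an added Python sketch that is not part of the original messages. It models only routed transit traffic between the two SVIs, and it assumes a trailing `permit any` on ACL 5 (not in the posted configs), because the implicit deny would otherwise drop every source; the function names and the host addresses 5.5.5.9 and 6.6.6.6 are constructed for illustration.

```python
import ipaddress

# SVI subnets taken from the thread; this models routed transit traffic only.
SVIS = {"Vlan5": ipaddress.ip_network("5.5.5.0/24"),
        "Vlan6": ipaddress.ip_network("6.6.6.0/24")}

# Standard ACL 5 as posted, plus an ASSUMED trailing "permit any" (not in the
# thread) so the implicit deny does not hide the effect of direction.
ACL5 = [("deny", ipaddress.ip_network("5.5.5.5/32")),
        ("permit", ipaddress.ip_network("0.0.0.0/0"))]

def acl_permits(acl, src):
    """Standard ACL: match on source address only, first match wins."""
    for action, net in acl:
        if src in net:
            return action == "permit"
    return False  # implicit deny when no entry matches

def svi_for(addr):
    """Return the SVI whose subnet contains addr, or None."""
    return next((name for name, net in SVIS.items() if addr in net), None)

def forward(src, dst, bindings):
    """bindings maps (svi, "in" | "out") to an ACL; returns the verdict."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = svi_for(src), svi_for(dst)
    if ingress is None or egress is None:
        return "outside this model"
    if ingress == egress:
        return "switched inside the VLAN, SVI ACL never evaluated"
    acl = bindings.get((ingress, "in"))    # packet enters the router here
    if acl is not None and not acl_permits(acl, src):
        return f"dropped inbound on {ingress}"
    acl = bindings.get((egress, "out"))    # packet leaves the router here
    if acl is not None and not acl_permits(acl, src):
        return f"dropped outbound on {egress}"
    return "forwarded"

def compare_placements(src="5.5.5.5", dst="6.6.6.6"):
    """Verdict for the same flow under each of the four placements discussed."""
    return {f"{svi} {direction}": forward(src, dst, {(svi, direction): ACL5})
            for svi in SVIS for direction in ("in", "out")}

if __name__ == "__main__":
    for placement, verdict in compare_placements().items():
        print(f"{placement:<9} -> {verdict}")
```

Because a standard ACL matches on source only, the placement decides which flows are ever tested against `deny host 5.5.5.5`: inbound on Vlan5 and outbound on Vlan6 both see packets sourced from VLAN 5, while the other two placements see only packets sourced from VLAN 6.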
