Matt is right, it's quite straightforward.

In  - Traffic coming in to the SVI from the vlan
Out - Traffic going out of the SVI to the clients on the vlan

Josh.

On Sun, Mar 21, 2010 at 7:58 PM, Matt Hill <[email protected]> wrote:
> Think of it this way.
>
> Change the words "vlan" to "FastEthernet" in those interface types:
>
> > access-list 5 deny host 5.5.5.5
> >
> > inter FastEthernet 5
> > ip address 5.5.5.1 255.255.255.0
> > ip access-group 5 in
> >
> > interface FastEthernet 6
> > ip address 6.6.6.1 255.255.255.0
>
> If you had these "real" interfaces, connect a crossover cable directly
> into a host of some sort.
>
> What happens now?
>
> Cheers,
> Matt
>
> CCIE #22386
> CCSI #31207
>
> On 21 March 2010 20:09, Patrice Ngassam <[email protected]> wrote:
> > I am more confused, Matt!
> > Keeping the same example, this is what I'd have done:
> >
> > access-list 5 deny host 5.5.5.5
> >
> > inter vlan 5
> > ip address 5.5.5.1 255.255.255.0
> >
> > interface vlan 6
> > ip address 6.6.6.1 255.255.255.0
> > ip access-group 5 in
> >
> > OR
> >
> > inter vlan 5
> > ip address 5.5.5.1 255.255.255.0
> > ip access-group 5 out
> >
> > interface vlan 6
> > ip address 6.6.6.1 255.255.255.0
> >
> > Patrice Ngassam
> > Certified Cisco CCNP, CCDP, CCIP
> >
> >> Date: Sun, 21 Mar 2010 16:59:28 +1100
> >> From: [email protected]
> >> To: [email protected]
> >> CC: [email protected]
> >> Subject: Re: [OSL | CCIE_RS] Access-list on Physical vs SVI Interface
> >>
> >> It is exactly the same.
> >>
> >> Is the traffic you wish to filter passing _through_ the SVI? If so,
> >> then which direction? Bear in mind that two hosts on the same vlan
> >> will never pass through the SVI as they never need to query the
> >> default-gateway.
> >>
> >> However, if you have vlan 5 and vlan 6, then to filter the host on
> >> vlan 5 going to vlan 6 would look like this:
> >>
> >> access-list 5 deny host 5.5.5.5
> >>
> >> inter vlan 5
> >> ip address 5.5.5.1 255.255.255.0
> >> ip access-group 5 in
> >>
> >> interface vlan 6
> >> ip address 6.6.6.1 255.255.255.0
> >>
> >> OR
> >>
> >> inter vlan 5
> >> ip address 5.5.5.1 255.255.255.0
> >>
> >> interface vlan 6
> >> ip address 6.6.6.1 255.255.255.0
> >> ip access-group 5 out
> >>
> >> HTH
> >>
> >> Cheers,
> >> Matt
> >>
> >> CCIE #22386
> >> CCSI #31207
> >>
> >> On 21 March 2010 16:46, Jason LeBlanc <[email protected]> wrote:
> >> > I am slightly confused on the application of IN vs. OUT for the
> >> > access-list on an SVI interface. Physical interfaces always make sense to
> >> > me for some reason because I know exactly where they sit and the traffic has
> >> > to ingress or egress out of them.
> >> >
> >> > I have an externally facing 3750 switch and want to allow some external
> >> > addressing/ports. I have internal addresses that I want to do the same
> >> > with. Then there is the SVI segment itself (which is virtual so is it
> >> > inside or outside of the other segments). Finally all of that has to use a
> >> > physical port at some point in time. Can someone spell out the logic in
> >> > simple terms so I can get my mind wrapped around it?
> >> >
> >> > Thanks in advance!
> >> >
> >> > //LeBlanc
> >> > _______________________________________________
> >> > For more information regarding industry leading CCIE Lab training,
> >> > please visit www.ipexpert.com
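Added example, not part of any message in this thread: a small Python model of the in/out rule described above, run over the four ACL placements quoted in the thread for a packet from 5.5.5.5 (vlan 5) to 6.6.6.6 (vlan 6). The trailing "permit any" entry, the host 6.6.6.6 and all function names are assumptions; the model covers host-to-host traffic only, not traffic addressed to the SVI itself.

```python
from ipaddress import ip_address, ip_network

# Standard ACL: matches on SOURCE address only, first match wins.
ACL_5 = [("deny", ip_network("5.5.5.5/32")),
         ("permit", ip_network("0.0.0.0/0"))]  # assumption: not in the thread

SVIS = {"vlan5": ip_network("5.5.5.0/24"), "vlan6": ip_network("6.6.6.0/24")}

def acl_permits(acl, src):
    for action, net in acl:
        if src in net:
            return action == "permit"
    return False  # implicit "deny any" when no entry matches

def svi_for(addr):
    for name, net in SVIS.items():
        if addr in net:
            return name
    raise ValueError(f"{addr} is not on a modelled vlan")

def routed(src, dst, bindings):
    """bindings maps (svi, 'in'|'out') -> ACL. Returns (forwarded, reason)."""
    src, dst = ip_address(src), ip_address(dst)
    ingress, egress = svi_for(src), svi_for(dst)
    if ingress == egress:
        return True, "same vlan: switched at L2, never crosses the SVI"
    # "in" is checked where the packet enters the router from its vlan,
    # "out" where the router sends it onto the destination vlan.
    for svi, direction in ((ingress, "in"), (egress, "out")):
        acl = bindings.get((svi, direction))
        if acl is not None and not acl_permits(acl, src):
            return False, f"dropped by ACL '{direction}' on {svi}"
    return True, "routed"

# The four placements of "ip access-group 5" quoted in the thread.
PLACEMENTS = {
    "in_on_vlan5":  {("vlan5", "in"): ACL_5},
    "out_on_vlan6": {("vlan6", "out"): ACL_5},
    "in_on_vlan6":  {("vlan6", "in"): ACL_5},
    "out_on_vlan5": {("vlan5", "out"): ACL_5},
}

def survey(src="5.5.5.5", dst="6.6.6.6"):
    return {name: routed(src, dst, b) for name, b in PLACEMENTS.items()}

if __name__ == "__main__":
    for name, (ok, why) in survey().items():
        print(f"{name:13} {'forwarded' if ok else 'blocked':9} {why}")
```

Without the assumed "permit any" entry, the implicit deny drops every source crossing the bound interface in that direction, not only 5.5.5.5.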
