Bradley,

This is more like what I was seeing. Because these switches are in my Internet block I had to change ACLs for my RFC1918 SVI to block OUT on the SVI, when I would think the Internet would be coming IN. When I had it blocking IN it wouldn't allow the traffic specified, and I saw HSRP traffic was being blocked on UDP 1985, which should have been allowed. As soon as I flipped it to OUT everything worked. That's why I asked where the SVI sits in relation to things. It's stumped a few senior people so I figured I'd ask.
//LeBlanc

Sent from my iPhone

On Mar 21, 2010, at 5:24 AM, Bradley Freeman <[email protected]> wrote:

> I had an issue a few years ago when we were applying an ACL to a SVI
> on a 3750: it worked back to front from what you would logically
> think. We had to get Wireshark in on it to figure out what was
> going on, but from memory I could have sworn that if we denied
> outbound port 80 on the SVI it would actually only be denied inbound.
>
> I don't have a 3750 which I can do this on at the moment or 2
> systems to do packet sniffers, so can't lab this up at the moment. If
> you are having problems in production give it a lab; I don't know
> if it was a bug we were dealing with or not.
>
> Bradley
>
> On 21 Mar 2010, at 10:47, joshua atterbury wrote:
>
>> Matt is right, it's quite straightforward.
>>
>> In - traffic coming in to the SVI from the vlan
>> Out - traffic going out of the SVI to the clients on the vlan
>>
>> Josh.
>>
>> On Sun, Mar 21, 2010 at 7:58 PM, Matt Hill <[email protected]> wrote:
>> Think of it this way.
>>
>> Change the words "vlan" to "FastEthernet" in those interface types:
>>
>>> access-list 5 deny host 5.5.5.5
>>>
>>> inter FastEthernet 5
>>> ip address 5.5.5.1 255.255.255.0
>>> ip access-group 5 in
>>>
>>> interface FastEthernet 6
>>> ip address 6.6.6.1 255.255.255.0
>>
>> If you had these "real" interfaces, connect a crossover cable directly
>> into a host of some sort.
>>
>> What happens now?
>>
>> Cheers,
>> Matt
>>
>> CCIE #22386
>> CCSI #31207
>>
>> On 21 March 2010 20:09, Patrice Ngassam <[email protected]> wrote:
>>> I am more confused Matt!
>>> Keeping the same example, this is what I'd have done:
>>>
>>> access-list 5 deny host 5.5.5.5
>>>
>>> inter vlan 5
>>> ip address 5.5.5.1 255.255.255.0
>>>
>>> interface vlan 6
>>> ip address 6.6.6.1 255.255.255.0
>>> ip access-group 5 in
>>>
>>> OR
>>>
>>> inter vlan 5
>>> ip address 5.5.5.1 255.255.255.0
>>> ip access-group 5 out
>>>
>>> interface vlan 6
>>> ip address 6.6.6.1 255.255.255.0
>>>
>>> Patrice Ngassam
>>> Certified Cisco CCNP, CCDP, CCIP
>>>
>>>> Date: Sun, 21 Mar 2010 16:59:28 +1100
>>>> From: [email protected]
>>>> To: [email protected]
>>>> CC: [email protected]
>>>> Subject: Re: [OSL | CCIE_RS] Access-list on Physical vs SVI Interface
>>>>
>>>> It is exactly the same.
>>>>
>>>> Is the traffic you wish to filter passing _through_ the SVI? If so,
>>>> then which direction? Bear in mind that two hosts on the same vlan
>>>> will never pass through the SVI as they never need to query the
>>>> default-gateway.
>>>>
>>>> However, if you have vlan 5 and vlan 6, then to filter the host on
>>>> vlan 5 going to vlan 6 would look like this:
>>>>
>>>> access-list 5 deny host 5.5.5.5
>>>>
>>>> inter vlan 5
>>>> ip address 5.5.5.1 255.255.255.0
>>>> ip access-group 5 in
>>>>
>>>> interface vlan 6
>>>> ip address 6.6.6.1 255.255.255.0
>>>>
>>>> OR
>>>>
>>>> inter vlan 5
>>>> ip address 5.5.5.1 255.255.255.0
>>>>
>>>> interface vlan 6
>>>> ip address 6.6.6.1 255.255.255.0
>>>> ip access-group 5 out
>>>>
>>>> HTH
>>>>
>>>> Cheers,
>>>> Matt
>>>>
>>>> CCIE #22386
>>>> CCSI #31207
>>>>
>>>> On 21 March 2010 16:46, Jason LeBlanc <[email protected]> wrote:
>>>>> I am slightly confused on the application of IN vs. OUT for the
>>>>> access-list on an SVI interface. Physical interfaces always make
>>>>> sense to me for some reason, because I know exactly where they sit
>>>>> and the traffic has to ingress or egress out of them.
>>>>>
>>>>> I have an externally facing 3750 switch and want to allow some
>>>>> external addressing/ports. I have internal addresses that I want to
>>>>> do the same with. Then there is the SVI segment itself (which is
>>>>> virtual, so is it inside or outside of the other segments?). Finally,
>>>>> all of that has to use a physical port at some point in time. Can
>>>>> someone spell out the logic in simple terms so I can get my mind
>>>>> wrapped around it?
>>>>>
>>>>> Thanks in advance!
>>>>>
>>>>> //LeBlanc
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
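The rule Matt and Josh give (in = traffic entering the SVI from its VLAN, out = traffic the SVI sends back onto its VLAN, and same-VLAN traffic never touching the SVI at all) is easy to check by walking a packet through a model of the switch. The block below is an added example, not code posted in the thread and not anything from Cisco. It encodes the standard IOS router-ACL behaviour as the model's assumptions: an inbound ACL also sees traffic addressed to the switch itself (which is why an HSRP hello on UDP 1985 from the peer can be dropped by an "in" ACL, as in LeBlanc's report), while an outbound ACL never sees packets the switch originates. The 5.5.5.x/6.6.6.x addresses and ACL 5 are the thread's; the hosts 5.5.5.7 and 6.6.6.10, the HSRP peer 5.5.5.2 and the ACL contents beyond the thread's single deny line are constructed for illustration. One caveat the thread glosses over: `access-list 5 deny host 5.5.5.5` on its own denies every source because of the implicit deny at the end of every IOS ACL, so the model appends a `permit any` to make the placement, not the implicit deny, decide the outcome.

```python
"""Where a router ACL on an SVI sits in the packet path (added example, not
code from the thread).  Rules encoded, standard IOS behaviour taken here as
the model's assumptions:
  in  - checks packets arriving from the VLAN, whether routed on or addressed
        to the switch itself (e.g. an HSRP hello from the peer);
  out - checks routed packets leaving onto the VLAN, never packets the
        switch itself originates;
  two hosts on one VLAN are bridged and never touch the SVI;
  every ACL ends with an implicit 'deny any'.
5.5.5.x/6.6.6.x and ACL 5 are the thread's; hosts 5.5.5.7, 6.6.6.10 and
the HSRP peer 5.5.5.2 are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

HSRP_V1_GROUP = "224.0.0.2"   # HSRPv1 hellos: UDP 1985 to this address

@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    src: str = "any"               # host address or "any"
    dst: str = "any"
    proto: str = "ip"              # "ip" matches every protocol
    dport: Optional[int] = None

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        return (self.src in ("any", src) and self.dst in ("any", dst)
                and self.proto in ("ip", proto) and self.dport in (None, dport))

def acl_permits(acl: List[Ace], src, dst, proto, dport) -> bool:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.matches(src, dst, proto, dport):
            return ace.action == "permit"
    return False

@dataclass
class Svi:
    name: str
    network: str                   # e.g. "5.5.5.0/24"
    address: str                   # the SVI's own address
    acl_in: Optional[List[Ace]] = None    # None = no ACL applied
    acl_out: Optional[List[Ace]] = None

def forward(svis: List[Svi], src: str, dst: str, proto: str = "ip",
            dport: Optional[int] = None) -> Tuple[str, List[str]]:
    """Walk one packet through the switch; return (verdict, ACL checks made)."""
    checks: List[str] = []
    svi_for = lambda a: next((s for s in svis if ip_address(a) in ip_network(s.network)), None)
    switch_addrs = {s.address for s in svis} | {HSRP_V1_GROUP}
    ingress, egress = svi_for(src), svi_for(dst)
    from_switch = src in switch_addrs            # the switch's own packet
    # Same VLAN and not for the switch: bridged, no SVI (so no ACL) involved.
    if ingress is not None and ingress is egress and dst not in switch_addrs:
        return "bridged", checks
    # 'in' sees everything arriving from the VLAN, control-plane traffic included.
    if ingress is not None and not from_switch and ingress.acl_in is not None:
        ok = acl_permits(ingress.acl_in, src, dst, proto, dport)
        checks.append(f"{ingress.name} in: {'permit' if ok else 'deny'}")
        if not ok:
            return "deny", checks
    if dst in switch_addrs:                      # punted to the switch; no egress
        return "permit", checks
    if egress is None:
        return "deny", checks + ["no route"]
    # 'out' sees only routed traffic, never what the switch itself sends.
    if not from_switch and egress.acl_out is not None:
        ok = acl_permits(egress.acl_out, src, dst, proto, dport)
        checks.append(f"{egress.name} out: {'permit' if ok else 'deny'}")
        if not ok:
            return "deny", checks
    return "permit", checks

def thread_scenarios() -> Dict[str, str]:
    """Replay the placements argued in the thread plus LeBlanc's HSRP case."""
    # The thread's lone deny line would drop every source via the implicit
    # deny; the trailing permit makes placement decide the outcome instead.
    acl5 = [Ace("deny", src="5.5.5.5"), Ace("permit")]
    tight = [Ace("permit", proto="tcp", dport=80)]   # an ACL that forgot HSRP
    fixed = [Ace("permit", proto="udp", dst=HSRP_V1_GROUP, dport=1985)] + tight
    def build(in5=None, out5=None, in6=None, out6=None) -> List[Svi]:
        return [Svi("Vlan5", "5.5.5.0/24", "5.5.5.1", in5, out5),
                Svi("Vlan6", "6.6.6.0/24", "6.6.6.1", in6, out6)]
    cross = ("5.5.5.5", "6.6.6.10")                  # vlan 5 host -> vlan 6 host
    hello = ("5.5.5.2", HSRP_V1_GROUP, "udp", 1985)  # peer's HSRP hello
    return {
        "matt_in_vlan5":     forward(build(in5=acl5), *cross)[0],   # Matt, option 1
        "matt_out_vlan6":    forward(build(out6=acl5), *cross)[0],  # Matt, option 2
        "patrice_in_vlan6":  forward(build(in6=acl5), *cross)[0],   # never meets ACL
        "patrice_out_vlan5": forward(build(out5=acl5), *cross)[0],  # likewise
        "same_vlan":         forward(build(in5=acl5), "5.5.5.5", "5.5.5.7")[0],
        "hsrp_acl_in":       forward(build(in5=tight), *hello)[0],  # hellos dropped
        "hsrp_acl_out":      forward(build(out5=tight), *hello)[0], # never checked
        "hsrp_acl_in_fixed": forward(build(in5=fixed), *hello)[0],
        "switch_originated": forward(build(out6=tight), "5.5.5.1", "6.6.6.10", "udp", 161)[0],
    }

if __name__ == "__main__":
    for name, verdict in thread_scenarios().items():
        print(f"{name:18s} {verdict}")
```

Running it shows Matt's two placements both deny the 5.5.5.5 to 6.6.6.10 packet, Patrice's two placements let it through untouched (it never crosses an interface the ACL is on in the filtered direction), and 5.5.5.5 to 5.5.5.7 is bridged without any ACL being consulted. The HSRP rows are the practical caveat: moving a restrictive ACL from "in" to "out" makes the peer's hellos flow again only because the out ACL no longer inspects anything arriving from that VLAN; the fix that keeps the filter where it belongs is a `permit udp any host 224.0.0.2 eq 1985` entry ahead of the deny.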
