Skip to main content

Access-list at SVI

SVI (Switch Virtual Interfaces)

We use the SVI for inter vlan routing. In this scenario I will configure the access list with SVI.
In this scenario I want to permit vlan 10 network to vlan 50 Server farm. Vlan 10 and vlan 20 can communicate each other.
First create vlan and then interface vlan#.

Switch(config)#vlan 10
Switch(config)#interface vlan 10
Switch(config-if)#ip address 192.168.10.254 255.255.255.0

Switch(config)#vlan 20
Switch(config)#interface vlan 20
Switch(config-if)#ip address 192.168.20.254 255.255.255.0

Switch(config)#vlan 50
Switch(config)#interface vlan 50
Switch(config-if)#ip address 192.168.50.254 255.255.255.0

when we finish the vlan interface create make sure the switch port are belong to each vlan.
Port to vlan assign configure is
Switch(config)#interface g0/1
Switch(config-if)#switchport access vlan 10

Switch(config)#interface g0/2
Switch(config-if)#switchport access vlan 20

Switch(config)#interface g0/3
Switch(config-if)#switchport access vlan 50

If you don't assign switch port to vlan your SVI will show as:

config)#show ip interface brief
Interface              IP-Address          OK?   Method   Status                Protocol
Vlan10                 192.168.10.254  YES   manual   up                     down

so make sure you have assign you switchport to vlan. And then now we have route the vlan each other.
I want to define vlan 50 only allow to communicate vlan 10. So let move with access list.

Define the access list
Switch(config)#access-list 1 permit 192.168.10.0 0.0.0.255
Switch(config)#access-list 1 deny any


Apply the access rule to SVI. By the way we need to know how SVI traffic flows work. Actually it same as the physical interface.


So let configure the access list to SVI.


Switch(config)#int vlan 50

Switch(config-if)#ip access-group 1 out

we can verify with #sh access-list

Now we can test connection from vlan 10 and 20 to vlan 50.

Thank you.




Labels:

Comments

Post a Comment

Popular posts from this blog

OSPF Stub

The following restrictions apply to stub areas:     You cannot create a virtual link through a stub area.   A stub area cannot contain an AS boundary router.   You cannot configure the backbone as a stub area.   You cannot configure an area as both a stub area and an not-so-stubby area (NSSA). Ref : Juniper.net
Post a Comment
Read more

OSPF Virtual Link

OSPF Virtual Link OSPF virtual link is use for that area far from backbone area 0. At this figure 1.1 area 2 is far from area 0 so area 2 can't reach other area. Figure 1.1 After configure OSPF, neighbor is up but router 2 don't see 3.3.3.0/24 network. R3#sh ip ospf nei Neighbor ID     Pri   State           Dead Time   Address         Interface 2.2.2.2           1   FULL/DR         00:00:39    10.1.2.1        FastEthernet0/0 R2#sh ip route      10.0.0.0/30 is subnetted, 2 subnets C       10.1.2.0 is directly connected, FastEthernet1/0 C       10.1.1.0 is directly connected, FastEthernet0/0 One of OSPF rule all area must connect to area 0.In this cause we can use virtual link at area 1. R2 router ospf 1  router-id 2.2.2.2  log-adjace...
Post a Comment
Read more