So, I'm trying to restrict SVIs from communicating with each other by using ACLs.
I.e., if I have the VLAN 10 SVI at 10.10.10.1/24,
on that interface I have permitted 10.10.10.0/24, i.e.:
! NX-OS form (prefix lengths); the original sequence 30 used the IOS wildcard 172.16.0.0 0.15.255.255, which is the same /12
ip access-list ACLNAME
  10 permit ip 10.10.10.0/24 any
  20 deny ip 10.0.0.0/8 any
  30 deny ip 172.16.0.0/12 any
  40 deny ip 192.168.0.0/16 any
  50 permit ip any any
So, essentially this should allow any host on the 10.10.10 network to communicate with the 10.10.10/24 network and out the WAN.
However, any other private address should not be able to communicate with that network.
The problem I'm having is that this only works when I use the access-group OUT command; if I use ip access-group ACLNAME IN, it fails.
So, my question is, the ICMP is getting into the interface, but said interface isn't allowed to respond, because of the ACCESS-GROUP OUT command.
How do I make said interface do less work, so it doesn't have to apply to the ICMP requests, etc. from other interfaces? I.e., make it work with ACCESS-GROUP IN.
Or is this just a function of ACLs and SVIs?
It makes sense to me that it's only going to read the ACL AFTER the packet is interpreted, but I'm trying to make sure that the SVI can do less work for latency issues, etc.
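An ACL applied "in" on an SVI only sees packets entering the switch from hosts in that VLAN, so on Vlan10 every inbound packet carries a 10.10.10.0/24 source and sequence 10 permits it before the deny lines are ever consulted; packets sourced from other VLANs only cross Vlan10 in the "out" direction, which is why the OUT application works and the IN application does not. To filter inbound, the ACL has to match on the destination instead. The configuration below is an added example, not the poster's config: it assumes NX-OS prefix-length syntax, and the second SVI (Vlan20 at 10.10.20.0/24) and the ACL names are made up for illustration.

```cisco
! Added example (not the poster's config). NX-OS syntax with prefix lengths;
! Vlan20 / 10.10.20.0/24 and the ACL names are assumptions for illustration.
!
! Inbound on Vlan10 every packet is sourced from 10.10.10.0/24, so filter on
! the DESTINATION: the local subnet (which for a router ACL means traffic to
! the SVI address itself, e.g. pinging the gateway) is allowed, other RFC 1918
! space is denied, and everything else (the WAN) is permitted.
ip access-list VLAN10-IN
  statistics per-entry
  10 permit ip 10.10.10.0/24 10.10.10.0/24
  20 deny ip any 10.0.0.0/8
  30 deny ip any 172.16.0.0/12
  40 deny ip any 192.168.0.0/16
  50 permit ip any any
!
! Router ACLs are stateless: VLAN10-IN drops VLAN 10's replies and any
! connections VLAN 10 hosts try to open, but the first packet from another
! VLAN still reaches a VLAN 10 host unless that VLAN's SVI drops it inbound.
ip access-list VLAN20-IN
  statistics per-entry
  10 deny ip any 10.10.10.0/24
  20 permit ip any any
!
interface Vlan10
  ip address 10.10.10.1/24
  ip access-group VLAN10-IN in
!
interface Vlan20
  ip address 10.10.20.1/24
  ip access-group VLAN20-IN in
```

To check it, ping a VLAN 10 host from VLAN 20 and watch the per-entry counters in "show ip access-lists VLAN20-IN": the hit should land on sequence 10 of VLAN20-IN, and nothing should reach VLAN 10 at all, whereas with only the original ACL applied inbound on Vlan10 the request arrives and only the reply is lost. Note that host-to-host traffic inside VLAN 10 is switched at layer 2 and never touches the SVI, so neither ACL affects it. On Nexus and Catalyst hardware a router ACL is programmed into TCAM and evaluated in hardware in either direction, so "in" versus "out" determines which packets the ACL can see, not forwarding latency.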