Velocity Reviews - Computer Hardware Reviews

Layer 3 ACL and two Cisco switches.

 
 
Adam Przestroga
 
      08-09-2009
Hi all,

I have the following configuration:

My backbone switch Cisco 3560 with 18 VLANs. I have L3 ACLs applied on 6
VLANs. There is another 3560 switch trunked with the backbone switch
(all vlans are allowed to pass the trunked ports) Both switches belong
to the same VTP domain and therefore are aware of the same VLANs.

I have two questions:
1) Do I need to apply the same ACLs as applied to the backbone switch on
the second switch, or are they in effect?
2) Do I need to specify allowed VLANs on the trunk port on the second
switch, as well?

Thanks.

Regards,
AP
 
Trendkill
 
      08-09-2009
On Aug 9, 3:15 pm, Adam Przestroga <(E-Mail Removed)> wrote:
> Hi all,
>
> I have the following configuration:
>
> My backbone switch Cisco 3560 with 18 VLANs. I have L3 ACLs applied on 6
> VLANs. There is another 3560 switch trunked with the backbone switch
> (all vlans are allowed to pass the trunked ports) Both switches belong
> to the same VTP domain and therefore are aware of the same VLANs.
>
> I have two questions:
> 1) Do I need to apply the same ACLs as applied to the backbone switch on
> the second switch, or are they in effect?
> 2) Do I need to specify allowed VLANs on the trunk port on the second
> switch, as well?
>
> Thanks.
>
> Regards,
> AP


If they aren't stacked, yes. I mean technically, provided your first
switch is the owner at l2 and l3 (by setting spanning-tree and hsrp
priorities), I suppose that you would not need the same on switch 2,
but presuming your goal is full redundancy and identical operation in
the event of a link or switch failure, then you need to match the
configs. I'm also assuming your idf or distribution layer has
redundant links to both cores. Else the situation changes since the
second backbone can never fully stand in when the primary fails.
 
Thrill5
 
      08-10-2009
The simple answer is that you need to apply the L3 ACLs on every layer 3
interface on every switch/router for the VLANs you want to restrict. If you
have two switches, and they both have a layer 3 interface for the VLAN, then
you need to apply the ACL on both.

"Trendkill" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
On Aug 9, 3:15 pm, Adam Przestroga <(E-Mail Removed)> wrote:
> Hi all,
>
> I have the following configuration:
>
> My backbone switch Cisco 3560 with 18 VLANs. I have L3 ACLs applied on 6
> VLANs. There is another 3560 switch trunked with the backbone switch
> (all vlans are allowed to pass the trunked ports) Both switches belong
> to the same VTP domain and therefore are aware of the same VLANs.
>
> I have two questions:
> 1) Do I need to apply the same ACLs as applied to the backbone switch on
> the second switch, or are they in effect?
> 2) Do I need to specify allowed VLANs on the trunk port on the second
> switch, as well?
>
> Thanks.
>
> Regards,
> AP


If they aren't stacked, yes. I mean technically, provided your first
switch is the owner at l2 and l3 (by setting spanning-tree and hsrp
priorities), I suppose that you would not need the same on switch 2,
but presuming your goal is full redundancy and identical operation in
the event of a link or switch failure, then you need to match the
configs. I'm also assuming your idf or distribution layer has
redundant links to both cores. Else the situation changes since the
second backbone can never fully stand in when the primary fails.

 
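An added audit check, not part of the thread, that makes Thrill5's answer verifiable: it parses each switch's running-config text for `interface VlanN` blocks and reports SVIs whose applied ACLs differ between the two 3560s, which is exactly the filter that stops being enforced once HSRP or a link failure moves traffic onto the second switch. The two configs, the ACL names and the HSRP addresses are constructed samples, not from the poster's network.

```python
import re

# Constructed sample running-configs (not from the thread): the backbone
# filters Vlan10 and Vlan20, the second 3560 only Vlan10; HSRP is shared.
BACKBONE_CFG = """\
interface Vlan10
 ip access-group VLAN10-IN in
 standby 10 ip 10.0.10.1
!
interface Vlan20
 ip access-group VLAN20-IN in
 standby 20 ip 10.0.20.1
"""
SECOND_CFG = """\
interface Vlan10
 ip access-group VLAN10-IN in
 standby 10 ip 10.0.10.1
!
interface Vlan20
 standby 20 ip 10.0.20.1
"""

def interfaces(cfg):
    """Split an IOS config into {interface name: [its indented sub-lines]}."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks

def svi_acls(cfg):
    """{VlanN: {'ACL direction', ...}} for every SVI in the config."""
    return {name: {l[len("ip access-group "):] for l in lines
                   if l.startswith("ip access-group ")}
            for name, lines in interfaces(cfg).items() if name.startswith("Vlan")}

def acl_gaps(cfg_a, cfg_b):
    """SVIs whose applied ACLs differ between the two switches: a filter present
    on only one side stops being enforced once HSRP moves the gateway there."""
    a, b = svi_acls(cfg_a), svi_acls(cfg_b)
    return {v: (sorted(a.get(v, ())), sorted(b.get(v, ())))
            for v in sorted(set(a) | set(b)) if a.get(v, set()) != b.get(v, set())}

for vlan, (on_a, on_b) in acl_gaps(BACKBONE_CFG, SECOND_CFG).items():
    print(f"{vlan}: backbone={on_a} second={on_b}")
```

Feed it the output of `show running-config` from both switches to get the list of VLANs where the filtering would silently disappear on failover.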
Adam Przestroga
 
      08-12-2009
Thrill5 wrote:
> The simple answer is that you need to apply the L3 ACLs on every layer 3
> interface on every switch/router for the VLANs you want to restrict. If you
> have two switches, and they both have a layer 3 interface for the VLAN, then
> you need to apply the ACL on both.
>

Thank you both for the clarification.
Regards,
AP