Layer 3 ACL and two Cisco switches.

Discussion in 'Cisco' started by Adam Przestroga, Aug 9, 2009.

  1. Hi all,

    I have the following configuration:

    My backbone switch Cisco 3560 with 18 VLANs. I have L3 ACLs applied on 6
    VLANs. There is another 3560 switch trunked with the backbone switch
    (all VLANs are allowed to pass the trunked ports). Both switches belong
    to the same VTP domain and therefore are aware of the same VLANs.

    I have two questions:
    1) Do I need to apply the same ACLs as applied to the backbone switch on
    the second switch, or are they in effect?
    2) Do I need to specify allowed VLANs on the trunk port on the second
    switch, as well?

    Thanks.

    Regards,
    AP
    Adam Przestroga, Aug 9, 2009
    #1

  2. Trendkill (Guest)

    On Aug 9, 3:15 pm, Adam Przestroga <> wrote:
    > Hi all,
    >
    > I have the following configuration:
    >
    > My backbone switch Cisco 3560 with 18 VLANs. I have L3 ACLs applied on 6
    > VLANs. There is another 3560 switch trunked with the backbone switch
    > (all VLANs are allowed to pass the trunked ports). Both switches belong
    > to the same VTP domain and therefore are aware of the same VLANs.
    >
    > I have two questions:
    > 1) Do I need to apply the same ACLs as applied to the backbone switch on
    > the second switch, or are they in effect?
    > 2) Do I need to specify allowed VLANs on the trunk port on the second
    > switch, as well?
    >
    > Thanks.
    >
    > Regards,
    > AP


    If they aren't stacked, yes. I mean technically, provided your first
    switch is the owner at L2 and L3 (by setting spanning-tree and HSRP
    priorities), I suppose that you would not need the same on switch 2,
    but presuming your goal is full redundancy and identical operation in
    the event of a link or switch failure, then you need to match the
    configs. I'm also assuming your IDF or distribution layer has
    redundant links to both cores. Else the situation changes, since the
    second backbone can never fully stand in when the primary fails.
    Trendkill, Aug 9, 2009
    #2

  3. Thrill5 (Guest)

    The simple answer is that you need to apply the L3 ACLs on every layer 3
    interface on every switch/router for the VLANs you want to restrict. If you
    have two switches, and they both have a layer 3 interface for the VLAN, then
    you need to apply the ACL on both.

    "Trendkill" <> wrote in message
    news:...
    On Aug 9, 3:15 pm, Adam Przestroga <> wrote:
    > Hi all,
    >
    > I have the following configuration:
    >
    > My backbone switch Cisco 3560 with 18 VLANs. I have L3 ACLs applied on 6
    > VLANs. There is another 3560 switch trunked with the backbone switch
    > (all VLANs are allowed to pass the trunked ports). Both switches belong
    > to the same VTP domain and therefore are aware of the same VLANs.
    >
    > I have two questions:
    > 1) Do I need to apply the same ACLs as applied to the backbone switch on
    > the second switch, or are they in effect?
    > 2) Do I need to specify allowed VLANs on the trunk port on the second
    > switch, as well?
    >
    > Thanks.
    >
    > Regards,
    > AP


    If they aren't stacked, yes. I mean technically, provided your first
    switch is the owner at L2 and L3 (by setting spanning-tree and HSRP
    priorities), I suppose that you would not need the same on switch 2,
    but presuming your goal is full redundancy and identical operation in
    the event of a link or switch failure, then you need to match the
    configs. I'm also assuming your IDF or distribution layer has
    redundant links to both cores. Else the situation changes, since the
    second backbone can never fully stand in when the primary fails.
    Thrill5, Aug 10, 2009
    #3
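    As an added illustration of the two answers above (a constructed config, not posted by anyone in the thread): one restricted VLAN on a pair of 3560s, with the same ACL bound to each switch's own SVI, the backbone made the spanning-tree and HSRP owner, and the trunk's allowed-VLAN list set on both ends. VLAN ids, addresses, port names and the ACL name are assumed.

```cisco
! ---- Switch A (backbone 3560, intended L2/L3 owner for VLAN 10) ----
ip access-list extended VLAN10-IN
 remark constructed policy: VLAN 10 hosts may reach the server VLAN on HTTP/HTTPS only
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 80
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
 deny   ip  10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip  10.10.10.0 0.0.0.255 any
!
spanning-tree vlan 10 root primary
!
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 ! the ACL filters packets entering THIS switch's SVI; whichever switch is
 ! the active gateway at the moment routes the traffic, so each needs it
 ip access-group VLAN10-IN in
 standby 1 ip 10.10.10.1
 standby 1 priority 110
 standby 1 preempt
!
interface GigabitEthernet0/1
 description Trunk to Switch B
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! ---- Switch B (second 3560): identical ACL bound to its own SVI ----
ip access-list extended VLAN10-IN
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 80
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
 deny   ip  10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip  10.10.10.0 0.0.0.255 any
!
spanning-tree vlan 10 root secondary
!
interface Vlan10
 ip address 10.10.10.3 255.255.255.0
 ip access-group VLAN10-IN in
 standby 1 ip 10.10.10.1
 standby 1 priority 90
 standby 1 preempt
!
interface GigabitEthernet0/1
 description Trunk to Switch A
 ! the allowed list is per port, so it is pruned on both ends of the trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
```

    On each switch, `show ip interface vlan 10` confirms the inbound ACL is bound and `show interfaces trunk` confirms the allowed VLAN list on the trunk port.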
  4. Thrill5 wrote:
    > The simple answer is that you need to apply the L3 ACLs on every layer 3
    > interface on every switch/router for the VLANs you want to restrict. If you
    > have two switches, and they both have a layer 3 interface for the VLAN, then
    > you need to apply the ACL on both.
    >

    Thank you both for the clarification.
    Regards,
    AP
    Adam Przestroga, Aug 12, 2009
    #4