Router ACLs and VLANs


Hi All:

In a 4506, I would like to apply some Router ACLs to VLANs, to avoid some traffic between them.

But I have 2 elementary questions:

Question 1:

If I ONLY deny the traffic originated in the VLAN 2 with destination VLAN 3:

Is the traffic denied in both directions?

I mean, if I start a communication from VLAN 3 to VLAN 2:

- packets from VLAN 3 to VLAN 2 will be accepted

- but, the response packets to this communication will have an origin=VLAN2, destination=VLAN3, which is not allowed.

That means communication is not allowed.

Or am I wrong, and is only the establishment of the communication taken into account (that is, who is originating the communication: if VLAN 2, rejected; if VLAN 3, accepted)?

Question 2:

The second question is the difference between inbound and outbound traffic. I think I understand the difference between both cases regarding how access lists have to be built. But I don't see when I must use each one. I don't see the reason for rejecting the packet before or after being processed by the router.

In fact, I think it is always better to reject/deny before processing (inbound always).

In which case is it better to apply the ACL to the outbound traffic? (An example would be ok.)

I have read a lot of documentation but I really don't find a clear explanation about these two topics.

I hope my questions are clear enough.

Many thanks in advance.

Antonio.

Edison Ortiz Wed, 11/14/2007 - 08:46

Answer 1:

Traffic is not denied in both directions, but the communication is broken due to the ACL. As you stated, the packet is received by Vlan2 but it's unable to reply back. You still can cause damage on traffic received, if you are trying to protect a device.

Answer 2:

Depends on the requirement, if you don't want that traffic to be routed, you block it at the incoming connection, else you block it as it leaves the router.

Many thanks for the answer, but it is not completely clear for me yet:

About Q1:

Sometimes it may be better to deny ONLY the traffic originated at a given VLAN.

For example: a telnet session. I want to allow a telnet session starting in VLAN 3 (destination VLAN 2), but deny telnet sessions starting in VLAN 2.

Is that possible with ACLs, or is a firewall required?

About Q2:

If I want to deny some traffic, I don't see any reason why I would want to allow routing and then reject the traffic, rather than rejecting it directly.

Can someone give me an example?

Edison Ortiz Wed, 11/14/2007 - 10:03

Answer 1:

It depends on the requirement. If you want to allow telnet from Vlan3 to Vlan2 but block telnet from Vlan2 to Vlan3, then the proper ACL should be placed on the ingress interface on Vlan2.

As you know, SVIs represent both the ingress and egress interface on a Vlan, so the ACL needs to be placed outbound.

interface vlan 2
 ip access-group telnet out
!
ip access-list extended telnet
 deny tcp any [vlan3 subnet] eq 23
 permit ip any any

______________________________________________

Answer 2:

How about if you have 2 egress interfaces and you want to allow traffic to go via one interface and not the other? If you block the traffic at the ingress interface, the router won't be able to route the packet.

Hi again,

Question 2 is clear now. Very good example. Thanks.

But I'm getting really more confused about question 1.

I thought outbound traffic for VLAN 2 is traffic going into (with destination) VLAN 2.

But the rule defined in the access-list "telnet" is:

Source: Any

Destination: VLAN 3

How can I have such traffic on the VLAN 2 outbound interface?

Rgds.

Edison Ortiz Thu, 11/15/2007 - 12:38

Just follow the flow of the packet.

ip access-group xx out will examine the packet as it exits the router. Your source, in this case Any, sits behind Vlan2 and the destination is Vlan3.

If you wanted to use ip access-group xx in, your ACL would have to have Vlan3 as the source and Vlan2 as the destination.

I composed the ACL based on your requirements.

rajatsetia Wed, 11/14/2007 - 09:09

Hi

Edison has explained it correctly; here are my thoughts about this.

Edison, correct me if I am wrong here :)

1-> What you are basically talking about happens in stateful devices like firewalls, where you have to allow the traffic in one direction only and in the reverse direction a reply will be allowed on the basis of the state table...

But a router is not a stateful device, so if you deny the traffic from VLAN 2 to VLAN 3, all traffic to VLAN 3 will be blocked, including replies to VLAN 3-generated traffic.

2--> Depending on the scenario and the requirement, always apply the ACL closer to the source.

HTH

rgds

rajat
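The stateless behaviour rajat describes, and the port-specific ACL from Edison's second answer, can be checked by tracing a telnet handshake through a small model of IOS ACL evaluation. The following Python is an added example, not code from the thread or from Cisco; it models first-match evaluation with the implicit deny, the 'eq <port>' qualifier and the 'established' keyword (which matches only TCP segments with ACK or RST set), and treats an 'in' ACL on an SVI as seeing packets sourced by hosts in that VLAN and an 'out' ACL as seeing packets delivered to hosts in that VLAN. The subnets (10.0.2.0/24 for VLAN 2, 10.0.3.0/24 for VLAN 3), host addresses and port numbers are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for the two VLANs in the thread (not from the original post).
VLAN2 = ip_network("10.0.2.0/24")
VLAN3 = ip_network("10.0.3.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK bit: set on every segment except the initial SYN


@dataclass(frozen=True)
class Ace:
    """One entry of an IOS-style extended ACL."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: object                    # ip_network
    dst: object                    # ip_network
    dport: Optional[int] = None    # 'eq <port>' on the destination port
    established: bool = False      # IOS 'established': TCP with ACK (or RST) set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


PERMIT_ALL = [Ace("permit", "ip", ANY, ANY)]   # an SVI with no ACL applied


class Router:
    """Two SVIs. 'in' ACLs see packets arriving from hosts in that VLAN;
    'out' ACLs see packets the router delivers to hosts in that VLAN."""

    def __init__(self):
        self.acl_in = {}     # VLAN network -> ACL applied with 'ip access-group ... in'
        self.acl_out = {}    # VLAN network -> ACL applied with 'ip access-group ... out'

    def forward(self, p: Packet) -> bool:
        src_vlan = next(v for v in (VLAN2, VLAN3) if ip_address(p.src) in v)
        dst_vlan = next(v for v in (VLAN2, VLAN3) if ip_address(p.dst) in v)
        if evaluate(self.acl_in.get(src_vlan, PERMIT_ALL), p) == "deny":
            return False
        if evaluate(self.acl_out.get(dst_vlan, PERMIT_ALL), p) == "deny":
            return False
        return True


def telnet_session(r: Router, client: str, server: str) -> bool:
    """A session only works if the SYN and the reply SYN-ACK are both forwarded.
    The reply carries the client's ephemeral port as its destination, not 23."""
    syn = Packet(client, server, "tcp", sport=40000, dport=23)
    syn_ack = Packet(server, client, "tcp", sport=23, dport=40000, ack=True)
    return r.forward(syn) and r.forward(syn_ack)


def run(r: Router) -> dict:
    return {"vlan3_to_vlan2": telnet_session(r, "10.0.3.10", "10.0.2.10"),
            "vlan2_to_vlan3": telnet_session(r, "10.0.2.10", "10.0.3.10")}


def blanket_deny() -> dict:
    """Question 1 as asked: deny all VLAN 2 -> VLAN 3 traffic, inbound on the VLAN 2 SVI.
    The router keeps no state, so the reply to a VLAN 3-initiated session is dropped too."""
    r = Router()
    r.acl_in[VLAN2] = [Ace("deny", "ip", VLAN2, VLAN3), Ace("permit", "ip", ANY, ANY)]
    return run(r)


def port_specific_deny() -> dict:
    """Edison's 'deny tcp any <vlan3> eq 23' entry, applied inbound on the VLAN 2 SVI.
    Only segments *to* port 23 match, so VLAN 3-initiated telnet still works."""
    r = Router()
    r.acl_in[VLAN2] = [Ace("deny", "tcp", ANY, VLAN3, dport=23), Ace("permit", "ip", ANY, ANY)]
    return run(r)


def established_deny() -> dict:
    """Blanket deny, but replies admitted first with 'established' (ACK/RST set).
    A fresh SYN from VLAN 2 has no ACK bit, so it falls through to the deny."""
    r = Router()
    r.acl_in[VLAN2] = [Ace("permit", "tcp", VLAN2, VLAN3, established=True),
                       Ace("deny", "ip", VLAN2, VLAN3),
                       Ace("permit", "ip", ANY, ANY)]
    return run(r)


if __name__ == "__main__":
    for name, fn in (("blanket", blanket_deny), ("port 23", port_specific_deny),
                     ("established", established_deny)):
        print(f"{name:12s} {fn()}")
```

The three scenarios separate the two things the thread runs together: a deny that matches on address alone does break sessions the other VLAN started, because the router evaluates each reply packet on its own; a deny that qualifies the destination port does not, because the reply's destination port is the client's ephemeral port; and where an address-only deny is wanted, an 'established' entry placed before it is the stateless approximation of the firewall behaviour rajat mentions (it trusts the ACK bit rather than a state table, so it is a weaker check than a stateful device).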
