Applying ACL for a VLAN

lamav
Level 8

I need someone to straighten me out on this...I always get confused.

I have an Internet L3 switch (3560) that has an L3 vlan interface for devices that face the internal network (DMZ).

I want to deny all traffic from the corporate network except for 3 subnets that the network engineers are on.

OK, no biggie:

ip access-list standard DENY_UNAUTH_USERS
 remark deny all corporate traffic except for the 4, 5 and 6 subnets
 ! wildcard masks added: a standard ACL entry with no wildcard matches only that single host
 ! (permit 10.100.4.0 == permit host 10.100.4.0); /24 subnets are assumed here
 permit 10.100.4.0 0.0.0.255
 permit 10.100.5.0 0.0.0.255
 permit 10.100.6.0 0.0.0.255
 deny any log

Now, the kicker, I want to prevent traffic from the internal network from entering the 3560. In which direction should I apply the ACL, in or out?

Should it be

interface vlan 60
 ip access-group DENY_UNAUTH_USERS in (?)

OR

interface vlan 60
 ip access-group DENY_UNAUTH_USERS out (?)

It's tricky with vlans, it's not like a physical interface.

I believe that it should be in the out direction.

Anyone?

Thanks

VL

6 Replies

glen.grant
VIP Alumni

If vlan 60 is the connecting link then it would be in the "in" direction .

vlan 60 is the interface that faces the internal network. It's a DMZ interface... makes sense?

I want to block users from the internal network who sit "behind" that vlan 60 interface.

So, it would still be in the "in" direction?

[EDIT] The users I want to block do not sit on vlan 60. That's a DMZ vlan that connects the internal network to the internet router. The users are on the corporate vlan (21, 22, etc.)

Victor

Think of it like this.

An access-list applied outbound to a vlan interface is traffic going TO machines on that vlan.

An access-list applied inbound to a vlan is traffic coming FROM machines on that vlan.

Oh yes, and no problem with the typo as I said in the other post, we all do it :-)

Jon

"Oh yes, and no problem with the typo as I said in the other post, we all do it :-)"

You're a regular riot, Alice!! Think you're slick, huh? ;-)

Anyway, as for the vlan ACL (take a look at that drawing again), let's say the traffic originates on the core, gets forwarded "up" to the ASA, and then to the Internet router; then the ACL must be applied to the Internet router's vlan 60 interface inbound? That makes vlan 60 a sort of connecting vlan, then, right?

VL

Sorry Victor, couldn't resist :-)

Correct in what you say. Vlan 60 is there purely for connecting the ASA devices to the Internet routers. And yes the acl should be applied inbound on the vlan 60 interface.

Once again, I appreciate the ratings and would have answered the question anyway, you know.

Jon
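To make the in/out rule from Jon's "Think of it like this" post and his confirmation above concrete, here is an added example (not from the original thread) that models the 3560's SVI ACL lookup in Python. It assumes the corporate users' packets arrive on vlan 60 from the ASA and are routed out an Internet-facing SVI (assumed vlan 10), and that the three permitted subnets are /24s, since the post gives no masks.

```python
import ipaddress

# Constructed model of the standard ACL from the original post.
# Standard ACLs test only the source address; the /24 masks are an
# assumption (the post gives no wildcard masks).
DENY_UNAUTH_USERS = [
    ("permit", "10.100.4.0/24"),
    ("permit", "10.100.5.0/24"),
    ("permit", "10.100.6.0/24"),
    ("deny", "0.0.0.0/0"),  # the explicit "deny any log"
]

def standard_acl(acl, src_ip):
    """First matching entry wins; an unmatched source hits the implicit deny."""
    src = ipaddress.ip_address(src_ip)
    for action, prefix in acl:
        if src in ipaddress.ip_network(prefix):
            return action
    return "deny"

def forward(acl, applied_vlan, direction, pkt):
    """Route one packet through the L3 switch and return 'permit' or 'deny'.

    pkt carries src, ingress_vlan (the SVI the packet arrives on) and
    egress_vlan (the SVI it is routed out of). An SVI ACL applied 'in'
    is consulted for packets arriving through that VLAN; applied 'out'
    it is consulted for packets leaving through that VLAN.
    """
    if direction == "in" and pkt["ingress_vlan"] == applied_vlan:
        return standard_acl(acl, pkt["src"])
    if direction == "out" and pkt["egress_vlan"] == applied_vlan:
        return standard_acl(acl, pkt["src"])
    return "permit"  # ACL not on this packet's path, so it is not consulted

# Constructed traffic. Internet-facing SVI assumed to be vlan 10.
PACKETS = {
    "corp_user": {"src": "10.100.21.15", "ingress_vlan": 60, "egress_vlan": 10},
    "engineer": {"src": "10.100.5.8", "ingress_vlan": 60, "egress_vlan": 10},
    "return": {"src": "203.0.113.7", "ingress_vlan": 10, "egress_vlan": 60},
}

def compare_directions():
    """Result of applying the ACL on vlan 60 'in' versus 'out' for each packet."""
    return {d: {name: forward(DENY_UNAUTH_USERS, 60, d, p)
                for name, p in PACKETS.items()} for d in ("in", "out")}

if __name__ == "__main__":
    for direction, results in compare_directions().items():
        print(direction, results)
```

Applied "in", the corporate user is denied and the engineer permitted; applied "out", the corporate user is never checked, while the return traffic from the Internet (destined to vlan 60) is dropped because its source matches nothing but the final deny.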

Jon:

Once again, you deserve the great ratings because your answers are full of excellent information and you stick with the person until the problem is solved. That's a pretty awesome thing to do when you don't even know the person at all.

And yes, I know you would have answered my question no matter what.... you weren't the reason for.... you know.

Victor
