SVI ACL inbound or outbound ?

cbeswick (Level 1)

Hi,

I am wanting to put a standard ACL on an SVI which "houses" servers, permitting only allowed clients to access them.

For example:

interface Vlan196
 description VL196_Servers
 ip address 172.16.196.251 255.255.255.0
 ip access-group 1 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-dense-mode
 ip pim snooping
 ip igmp snooping fast-leave
 standby 1 ip 172.16.196.254
 standby 1 timers msec 250 msec 750
 standby 1 priority 200
 standby 1 preempt delay minimum 240
end

*****

ip access-list standard 1
 10 permit 172.16.7.1
 20 permit 172.16.67.1
 30 permit 173.16.68.0 0.0.0.15
 40 deny any log

However, I have tried this and the access list doesn't work. Hosts from other VLANs are still able to ping servers on VLAN 196.

Should the access list be applied outbound? If so, why? This is causing me confusion. I was under the impression that an outbound ACL is for traffic flowing "away" from the interface in an "outbound" direction, i.e. to other subnets, not its own subnet.

Any help would be appreciated.

2 Accepted Solutions

lee.reade (Level 4)

Hi,

Yes this will need to be applied outbound.

Assuming the clients you want to allow access to the servers are on 172.16.7.1 and 172.16.67.1 and 173.16.68.0 0.0.0.15, then you would apply outbound.

If you think of yourself being IN the router, then when servers send traffic out onto the network, they send it to their default gateway, which is the SVI, therefore this comes to you INBOUND, and vice versa, when clients from another subnet send to servers, it comes to another SVI first, then goes OUTBOUND towards servers.

The ACL would need to be an extended ACL also, so you can specify the source IPs.

HTH

LR


lgijssel (Level 9)

As many others, you seem to be confused about the way that the in-direction is interpreted.

IN means coming from VLAN 196, which is not what is required here. Instead, you should create an extended ACL like this:

access-list 101 permit ip 172.16.196.0 0.0.0.255 host 172.16.7.1
access-list 101 permit ip 172.16.196.0 0.0.0.255 host 172.16.67.1
...

This ACL could then be applied inbound like you are doing now.

Also, I noticed that HSRP is running on the device. That would create a second path via the other HSRP device. Please verify that this is the HSRP-active device, or set the servers' def-gw to the physical IP of this device (.251).

regards,

Leo

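To make the "think of yourself being IN the router" rule from both accepted answers concrete, here is a small added model (not Cisco IOS code and not from the thread's authors) that classifies a packet's direction relative to the VLAN 196 SVI and only consults the thread's standard ACL 1 when its applied direction matches. Addresses other than the thread's own (the server 172.16.196.10 and the client 10.0.0.5) are constructed sample values, and the model does not include the second HSRP path lgijssel mentions.

```python
import ipaddress

# Constructed model: a standard ACL is a top-down list of (action, network)
# entries matched only against the packet's SOURCE address.
SERVER_VLAN = ipaddress.ip_network("172.16.196.0/24")

# ACL 1 from the thread; wildcard 0.0.0.15 converted to prefix form (/28).
ACL_1 = [
    ("permit", ipaddress.ip_network("172.16.7.1/32")),
    ("permit", ipaddress.ip_network("172.16.67.1/32")),
    ("permit", ipaddress.ip_network("173.16.68.0/28")),  # as typed in the thread
    ("deny", ipaddress.ip_network("0.0.0.0/0")),         # '40 deny any log'
]


def standard_acl(acl, src):
    """Return 'permit' or 'deny' for a source address (implicit deny at the end)."""
    for action, net in acl:
        if ipaddress.ip_address(src) in net:
            return action
    return "deny"


def direction_on_svi(src, dst):
    """Direction of a packet on the VLAN 196 SVI, seen from inside the router:
    'in'  - sourced on VLAN 196, entering the router via its default gateway;
    'out' - forwarded by the router into VLAN 196 towards the servers."""
    if ipaddress.ip_address(src) in SERVER_VLAN:
        return "in"
    if ipaddress.ip_address(dst) in SERVER_VLAN:
        return "out"
    return None  # transit traffic never touches this SVI


def forward(src, dst, acl, applied):
    """Return 'permit' or 'deny' for a packet crossing the SVI when `acl` is
    applied in direction `applied` ('in' or 'out'). The ACL is consulted only
    when the packet's direction matches; otherwise the packet passes unfiltered."""
    if direction_on_svi(src, dst) != applied:
        return "permit"
    return standard_acl(acl, src)
```

With the ACL applied inbound, a client-to-server packet is never evaluated (the original poster's symptom); applied outbound, the same packet is judged by its client source address, which is what the thread wants.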

4 Replies


Thanks guys, this is a great help.

Because the ACL is now outbound, I take it I don't have to explicitly allow HSRP communication on UDP port 1985 either.

Hi,

That is correct.

You will only need to allow what you specifically want to get to the servers.

HTH

LR
