Quick Inbound ACL Question

bill.morton
Level 1

If I have two VLANs, 1 (native) and 2 (iSCSI), and I want to put inbound ACLs on to restrict the traffic that gets into VLAN 2: from the perspective of VLAN 2, does my inbound ACL get evaluated for both traffic originating from VLAN 1 and going into VLAN 2, AND traffic originating in VLAN 2 going back to VLAN 1 (as traffic would be going 'in' the virtual interface for VLAN 2 to be routed back to VLAN 1)?

So, if my iSCSI subnet were 10.0.0.0/24 and I wanted to allow www, https, and smtp (192.168.1.1):

! Extended named ACL; IOS takes wildcard masks (0.0.0.255 = /24), not subnet masks
ip access-list extended iSCSI_NetIn
 permit ip 10.0.0.0 0.0.0.255 any
 permit icmp any any echo
 permit tcp any 10.0.0.0 0.0.0.255 eq 80
 permit tcp any 10.0.0.0 0.0.0.255 eq 443
 remark SMTP
 permit tcp host 192.168.1.1 eq 25 10.0.0.0 0.0.0.255 established
 deny ip any any log
!
interface Vlan2
 ip access-group iSCSI_NetIn in

In reality I am going to have ACLs on both VLAN 1 and the other VLANs on this switch, which is dedicated-purpose, and I have not found a definitive answer on whether, if incoming traffic is destined for VLAN 2 and I have incoming ACLs on both VLAN 1 and VLAN 2, it is matched against both ACLs, and whether the returning traffic will also be matched on the inbound VLAN 2 ACL.

Accepted Solution

Jon Marshall
Hall of Fame

Bill

An inbound access-list on a vlan interface filters traffic coming FROM devices on that vlan.

An outbound access-list on a vlan interface filters traffic going TO devices on that vlan.

So if traffic comes from vlan 1 to vlan 2 and both vlans have an inbound access-list, the traffic is first evaluated by the vlan 1 access-list. It then gets sent to the device on vlan 2. When the device responds and sends the packet back, it is then filtered by the access-list on the vlan 2 interface before being sent to vlan 1.

Note: if the packet is not allowed, obviously it won't be sent; it will be dropped.

Jon
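Jon's rule in runnable form, as an added example that is not part of the thread and not Cisco code: a small Python model of IOS extended ACLs and of which SVI's inbound list a routed packet actually hits. Everything in it is constructed for the example. The iSCSI_NetIn list is the one from the question with its syntax corrected (wildcard masks instead of subnet masks, `echo` rather than `eq echo`, `deny ip any any`); the TO_ISCSI list bound inbound on Vlan1 is a hypothetical list carrying the restrictions the question wants on traffic going into VLAN 2; the VLAN addressing (192.168.1.0/24 behind Vlan1, 10.0.0.0/24 behind Vlan2) is assumed. The model covers only the ACE forms used here (any/host/wildcard addresses, `eq` ports, `established`, ICMP `echo`) plus the implicit deny.

```python
import ipaddress
from dataclasses import dataclass
# Constructed config (not from the thread): the question's list with its syntax fixed, plus a
# hypothetical TO_ISCSI list carrying the restrictions the question wants enforced on entry.
CONFIG = """
ip access-list extended iSCSI_NetIn
 permit ip 10.0.0.0 0.0.0.255 any
 permit icmp any any echo
 permit tcp any 10.0.0.0 0.0.0.255 eq 80
 permit tcp host 192.168.1.1 eq 25 10.0.0.0 0.0.0.255 established
 deny ip any any log
ip access-list extended TO_ISCSI
 permit icmp any 10.0.0.0 0.0.0.255 echo
 permit tcp any 10.0.0.0 0.0.0.255 eq 80
 permit tcp host 192.168.1.1 eq 25 10.0.0.0 0.0.0.255 established
 deny ip any any log
"""
# 'ip access-group <acl> in' on each SVI; the Vlan2 binding is the one from the question.
BINDINGS = {"Vlan1": ("TO_ISCSI", "in"), "Vlan2": ("iSCSI_NetIn", "in")}
VLAN_SUBNETS = {"Vlan1": "192.168.1.0/24", "Vlan2": "10.0.0.0/24"}  # assumed addressing

@dataclass
class Packet:
    proto: str  # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags: {'SYN'} opens a session, {'ACK'} is a reply
    icmp_type: str = ""  # 'echo' or 'echo-reply'

def wildcard_match(addr, spec, wild):
    """IOS wildcard mask: a 1 bit means 'don't care', so 0.0.0.255 covers a /24."""
    a, s, w = (int(ipaddress.IPv4Address(x)) for x in (addr, spec, wild))
    return (a & ~w) == (s & ~w)

def parse_addr(t, i):
    """Consume 'any' | 'host A' | 'A WILD' and an optional 'eq PORT' starting at t[i]."""
    if t[i] == "any":
        spec, wild, i = "0.0.0.0", "255.255.255.255", i + 1
    elif t[i] == "host":
        spec, wild, i = t[i + 1], "0.0.0.0", i + 2
    else:
        spec, wild, i = t[i], t[i + 1], i + 2
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = int(t[i + 1]), i + 2
    return spec, wild, port, i

def parse_config(text):
    """Return {acl_name: [ace dicts]}; lines other than ACEs (e.g. remark) are skipped."""
    acls, cur = {}, None
    for raw in text.strip().splitlines():
        t = raw.split()
        if t[:2] == ["ip", "access-list"]:
            cur = t[3]
        elif t[0] in ("permit", "deny"):
            src = parse_addr(t, 2)
            dst = parse_addr(t, src[3])
            opts = set(t[dst[3]:])
            acls.setdefault(cur, []).append({
                "line": raw.strip(), "action": t[0], "proto": t[1], "src": src[:3], "dst": dst[:3],
                "established": "established" in opts,
                "icmp": next((o for o in opts if o in ("echo", "echo-reply")), None)})
    return acls

def ace_matches(ace, p):
    if ace["proto"] not in ("ip", p.proto):
        return False
    for (spec, wild, port), addr, pp in ((ace["src"], p.src, p.sport), (ace["dst"], p.dst, p.dport)):
        if not wildcard_match(addr, spec, wild) or (port is not None and port != pp):
            return False
    if ace["established"] and not (p.flags & {"ACK", "RST"}):
        return False  # 'established' only matches packets of an already-open TCP session
    return ace["icmp"] is None or ace["icmp"] == p.icmp_type

def evaluate_acl(aces, p):
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in aces:
        if ace_matches(ace, p):
            return ace["action"], ace["line"]
    return "deny", "implicit deny ip any any"

def route(p, acls, bindings):
    """Only the list bound 'in' on the SVI the packet ENTERS through (the source host's VLAN)
    is consulted; the destination VLAN's inbound list sees the reply, not this packet."""
    ingress = next(v for v, net in VLAN_SUBNETS.items()
                   if ipaddress.IPv4Address(p.src) in ipaddress.IPv4Network(net))
    acl, direction = bindings.get(ingress, (None, None))
    if direction != "in":
        return ingress, None, "permit", "no inbound ACL on this SVI"
    return (ingress, acl) + evaluate_acl(acls[acl], p)

def demo(vlan1_acl=True):
    """vlan1_acl=False reproduces the question's setup: only the Vlan2 inbound list exists."""
    acls = parse_config(CONFIG)
    bindings = BINDINGS if vlan1_acl else {"Vlan2": BINDINGS["Vlan2"]}
    flows = {
        "http SYN vlan1->iscsi": Packet("tcp", "192.168.1.50", "10.0.0.10", 40000, 80, frozenset({"SYN"})),
        "http SYN/ACK reply": Packet("tcp", "10.0.0.10", "192.168.1.50", 80, 40000, frozenset({"SYN", "ACK"})),
        "ssh SYN vlan1->iscsi": Packet("tcp", "192.168.1.50", "10.0.0.10", 40001, 22, frozenset({"SYN"})),
    }
    return {k: route(p, acls, bindings) for k, p in flows.items()}
```

demo() routes an HTTP SYN from a VLAN 1 host into the iSCSI subnet, its SYN/ACK reply, and an SSH attempt into the iSCSI subnet: both SYNs are evaluated only by the list on Vlan1, and the reply only by the list on Vlan2. demo(vlan1_acl=False) models the question's original setup and shows why it restricts nothing going into VLAN 2: the SSH SYN enters through Vlan1, which has no inbound list, so it is never inspected, while the first entry of the Vlan2 list permits every reply from the iSCSI hosts.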


Perfect ... thanks Jon ... I think I owe you an e-beer for all the help lately.
