Quick Inbound ACL Question


I have two VLANs, 1 (native) and 2 (iSCSI), and I want to put inbound ACLs on VLAN 2 to restrict the traffic that gets into it. From the perspective of VLAN 2, does my inbound ACL get evaluated for both traffic originating from VLAN 1 and going into VLAN 2, AND traffic originating in VLAN 2 going back to VLAN 1 (as traffic would be going 'in' the virtual interface for VLAN 2 to be routed back to VLAN 1)?


So if my iSCSI subnet was 10.0.0.0/24 and I wanted to allow www, https, and smtp (192.168.1.1):


ip access-list extended iSCSI_NetIn
 remark IOS ACLs take wildcard masks (0.0.0.255), not subnet masks
 permit ip 10.0.0.0 0.0.0.255 any
 permit icmp any any echo
 permit tcp any 10.0.0.0 0.0.0.255 eq 80
 permit tcp any 10.0.0.0 0.0.0.255 eq 443
 remark SMTP
 permit tcp host 192.168.1.1 eq 25 10.0.0.0 0.0.0.255 established
 deny ip any any log

interface Vlan2
 ip access-group iSCSI_NetIn in


In reality I am going to have ACLs on both VLAN 1 and the other VLANs on this switch, which is dedicated-purpose, and I have not found a definitive answer on whether incoming traffic destined for VLAN 2, with incoming ACLs on both VLAN 1 and VLAN 2, is matched against both ACLs, and whether the returning traffic will also be matched on the inbound VLAN 2 ACL.




Correct Answer by Jon Marshall, Wed, 12/10/2008 - 09:33

Bill


An inbound access-list on a vlan interface filters traffic coming FROM devices on that vlan.


An outbound access-list on a vlan interface filters traffic going TO devices on that vlan.


So if traffic comes from vlan 1 to vlan 2 and both vlans have an inbound access-list, the traffic is first evaluated by the vlan 1 access-list. It then gets sent to the device on vlan 2. When the device responds and sends the packet back, it is then filtered by the access-list on the vlan 2 interface before being sent to vlan 1.


Note that if the packet is not allowed, obviously it won't be sent; it will be dropped.


Jon
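The rule Jon gives (inbound on an SVI filters traffic FROM hosts on that VLAN, outbound filters traffic TO them) is easy to get backwards, so here is a small simulation of the switch's evaluation order. This is an added example, not code from the thread or from Cisco: it models only what the thread discusses (IP/TCP/ICMP matching, wildcard masks, `established`, the implicit deny at the end of an ACL) and uses constructed hosts (192.168.1.20 as a VLAN 1 client, 10.0.0.10 as an iSCSI host). It takes Bill's ACL, rewritten with IOS wildcard masks, and traces the same HTTPS request and reply with the ACL applied `in` on Vlan2 as he proposed, and then `out` on Vlan2, which goes slightly beyond the thread by showing the direction that actually filters what reaches the iSCSI hosts.

```python
"""Simulate inbound/outbound ACL evaluation on Cisco SVIs for inter-VLAN traffic.

Added example; hosts, ports and the evaluator are constructed for illustration.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str            # "ip", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK/RST set -> matches the 'established' keyword
    icmp_type: str = ""   # e.g. "echo"


@dataclass
class Ace:
    """One access-list entry; src/dst are 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    action: str
    proto: str            # "ip" matches every IP protocol
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False
    icmp_type: Optional[str] = None


def addr_matches(spec: str, addr: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    a = int(ipaddress.IPv4Address(addr))
    return (a & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not addr_matches(ace.src, pkt.src) or not addr_matches(ace.dst, pkt.dst):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate_acl(acl: list[Ace], pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


@dataclass
class Svi:
    name: str
    network: str
    acl_in: Optional[list[Ace]] = None    # filters traffic FROM hosts on this VLAN
    acl_out: Optional[list[Ace]] = None   # filters traffic TO hosts on this VLAN


def route(svis: list[Svi], pkt: Packet) -> list[str]:
    """Trace the ACL checks a routed packet goes through, stopping at the first deny."""
    def svi_for(addr: str) -> Svi:
        return next(s for s in svis
                    if ipaddress.ip_address(addr) in ipaddress.ip_network(s.network))
    ingress, egress = svi_for(pkt.src), svi_for(pkt.dst)
    trace: list[str] = []
    if ingress.acl_in is not None:                     # checked as the packet enters the SVI
        verdict = evaluate_acl(ingress.acl_in, pkt)
        trace.append(f"{ingress.name} in: {verdict}")
        if verdict == "deny":
            return trace                               # dropped here, never routed
    if egress.acl_out is not None:                     # checked as the packet leaves toward the VLAN
        trace.append(f"{egress.name} out: {evaluate_acl(egress.acl_out, pkt)}")
    return trace


# Bill's ACL from the question, with IOS wildcard masks instead of subnet masks.
ISCSI_NETIN = [
    Ace("permit", "ip", "10.0.0.0 0.0.0.255", "any"),
    Ace("permit", "icmp", "any", "any", icmp_type="echo"),
    Ace("permit", "tcp", "any", "10.0.0.0 0.0.0.255", dport=80),
    Ace("permit", "tcp", "any", "10.0.0.0 0.0.0.255", dport=443),
    Ace("permit", "tcp", "host 192.168.1.1", "10.0.0.0 0.0.0.255", sport=25, established=True),
    Ace("deny", "ip", "any", "any"),
]


def scenario(direction: str) -> dict[str, list[str]]:
    """Apply ISCSI_NETIN to Vlan2 'in' or 'out' and trace a client's HTTPS request,
    the iSCSI host's reply, and an SSH connection the ACL is meant to block."""
    svis = [
        Svi("Vlan1", "192.168.1.0/24"),
        Svi("Vlan2", "10.0.0.0/24",
            acl_in=ISCSI_NETIN if direction == "in" else None,
            acl_out=ISCSI_NETIN if direction == "out" else None),
    ]
    request = Packet("tcp", "192.168.1.20", "10.0.0.10", sport=50000, dport=443)
    reply = Packet("tcp", "10.0.0.10", "192.168.1.20", sport=443, dport=50000, ack=True)
    ssh = Packet("tcp", "192.168.1.20", "10.0.0.10", sport=50001, dport=22)
    return {"request": route(svis, request), "reply": route(svis, reply), "ssh": route(svis, ssh)}


if __name__ == "__main__":
    for direction in ("in", "out"):
        print(f"ip access-group iSCSI_NetIn {direction} on Vlan2: {scenario(direction)}")
```

With the ACL applied `in` on Vlan2, the request from VLAN 1 (and the SSH attempt) is never checked against it at all; only the iSCSI host's reply is, and that is permitted by the first entry. Applied `out` on Vlan2, the same entries permit the HTTPS request and deny SSH before either reaches the iSCSI host, which is what the question was trying to achieve.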
