12-10-2008 09:24 AM - edited 03-06-2019 02:54 AM
I have two VLANs, 1 (native) and 2 (iSCSI), and I want to put inbound ACLs on them to restrict the traffic that gets into VLAN 2. From the perspective of VLAN 2, does my inbound ACL get evaluated both for traffic originating from VLAN 1 and going into VLAN 2, AND for traffic originating in VLAN 2 going back to VLAN 1 (as traffic would be going 'in' the virtual interface for VLAN 2 to be routed back to VLAN 1)?
So if my iSCSI subnet were 10.0.0.0/24 and I wanted to allow www, https, and SMTP (192.168.1.1):
! IOS extended ACLs take wildcard masks (0.0.0.255 = /24), not subnet masks
ip access-list extended iSCSI_NetIn
 permit ip 10.0.0.0 0.0.0.255 any
 permit icmp any any echo
 permit tcp any 10.0.0.0 0.0.0.255 eq 80
 permit tcp any 10.0.0.0 0.0.0.255 eq 443
 remark SMTP
 permit tcp host 192.168.1.1 eq 25 10.0.0.0 0.0.0.255 established
 deny ip any any log
!
! ACL names are case-sensitive; the name must match the access-list exactly
interface Vlan2
 ip access-group iSCSI_NetIn in
In reality I am going to have ACLs on both VLAN 1 and the other VLANs on this switch, which is dedicated-purpose, and I have not found a definitive answer on whether, if incoming traffic is destined for VLAN 2 and I have incoming ACLs on both VLAN 1 and VLAN 2, it is matched against both ACLs, and whether the returning traffic will also be matched on the inbound VLAN 2 ACL.
12-10-2008 09:33 AM
Bill
An inbound access-list on a vlan interface filters traffic coming FROM devices on that vlan.
An outbound access-list on a vlan interface filters traffic going TO devices on that vlan.
So if traffic comes from vlan 1 to vlan 2, and both vlans have an inbound access-list, the traffic is first evaluated by the vlan 1 access-list. It then gets sent to the device on vlan 2. When the device responds and sends the packet back, it is then filtered by the access-list on the vlan 2 interface before being sent to vlan 1.
Note that if the packet is not allowed, obviously it won't be sent; it will be dropped.
Jon
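As an added illustration of Jon's point (example code written for this page, not from the thread, Cisco or IOS): a small Python model of a router with two SVIs, each carrying an inbound ACL. A packet is evaluated against the inbound ACL of the SVI for the VLAN its source host sits on, which is exactly the "inbound filters traffic FROM devices on that vlan" rule above. The hosts, ports and ACL entries are constructed for the example; the masks are IOS wildcard masks (0.0.0.255 = /24); the model is stateless like a real IOS ACL, and `established` only checks whether the ACK or RST bit is set, so a reply is permitted only if the Vlan2 inbound ACL explicitly allows it. Outbound ACLs are not modelled because the thread does not use them.

```python
"""Stateless ACL walk-through for two SVIs (Vlan1, Vlan2).

Added example, not from the original thread. Hosts, ports and ACL
contents are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False  # ACK or RST bit set; all that 'established' checks


@dataclass
class Ace:
    """One access-list entry; 'any' is base 0.0.0.0 with wildcard 255.255.255.255."""
    action: str                         # "permit" or "deny"
    proto: str                          # "ip", "tcp", "udp", "icmp"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; implicit deny at the end, as in IOS."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# Constructed topology: Vlan1 is the user/native VLAN, Vlan2 the iSCSI VLAN.
SUBNETS = {"Vlan1": "192.168.1.0/24", "Vlan2": "10.0.0.0/24"}

# Inbound on Vlan1: what hosts on VLAN 1 may start towards the iSCSI subnet.
VLAN1_IN = [Ace("permit", "tcp", dst="10.0.0.0", dst_wc="0.0.0.255", dport=80)]
# Inbound on Vlan2: what hosts on VLAN 2 may send out; only replies from port 80.
VLAN2_IN = [Ace("permit", "tcp", src="10.0.0.0", src_wc="0.0.0.255",
                sport=80, established=True)]
INBOUND = {"Vlan1": VLAN1_IN, "Vlan2": VLAN2_IN}


def ingress_svi(p: Packet) -> str:
    """The SVI a packet arrives on is the one for its source host's VLAN."""
    for name, net in SUBNETS.items():
        if ipaddress.IPv4Address(p.src) in ipaddress.IPv4Network(net):
            return name
    raise ValueError(f"no SVI for source {p.src}")


def route(p: Packet) -> tuple:
    """Return (SVI whose inbound ACL was consulted, verdict)."""
    svi = ingress_svi(p)
    return svi, evaluate(INBOUND[svi], p)


if __name__ == "__main__":
    request = Packet("tcp", "192.168.1.50", "10.0.0.10", 40000, 80)
    reply = Packet("tcp", "10.0.0.10", "192.168.1.50", 80, 40000, ack=True)
    from_iscsi = Packet("tcp", "10.0.0.10", "192.168.1.1", 5000, 25)
    for name, pkt in (("request", request), ("reply", reply), ("new from VLAN 2", from_iscsi)):
        print(f"{name:16s} -> checked by {route(pkt)[0]} inbound ACL: {route(pkt)[1]}")
```

Running it shows the request from a VLAN 1 host being checked by the Vlan1 inbound ACL, and the server's reply being checked by the Vlan2 inbound ACL on the way back (permitted because it is from port 80 with ACK set); a fresh connection started from the iSCSI subnet is also checked by the Vlan2 inbound ACL and falls through to the implicit deny. Because the ACL is stateless, a forged packet from the iSCSI subnet with source port 80 and the ACK bit set would pass the `established` entry too, which is the usual caveat with that keyword.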
12-10-2008 10:47 AM
Perfect ... thanks Jon ... I think I owe you an e-beer for all the help lately.