ACL direction when applied to a VLAN on a switch

Answered Question
Feb 19th, 2010

This question concerns applying ACLs to interfaces vs. applying ACLs to VLANs.


Let's use the following example:


access-list 100 permit tcp host 192.168.5.5 host 172.16.1.10 eq ftp


Then on the router interface I apply this ACL INBOUND,


so I say on the interface:


ip access-group 100 in


This means "in" towards the router vs. if I had used "out", meaning "out away from the router".


Now I want to understand this with respect to a VLAN.


If I apply an ACL using Access-group on an OUT direction to a VLAN, does that not mean traffic that is leaving the VLAN?


Here is my issue:

interface Vlan103
description Disaster Recovery SCADA Network A
ip address 192.168.103.1 255.255.255.0
ip access-group LoSCADA-vlan103 out
end

In the following example, I would have thought that I would have to write the ACL so that the source was anything in the 192.168.103 network, and that anything external would be the destination in the ACL. But when I examine the associated ACL I see on this device (ACL LoSCADA-vlan103), this seems inverted.


For some reason, I am not understanding the direction of traffic flow.


Thanks

Kevin

Correct Answer by lamav about 7 years 5 days ago

An access-list applied outbound to a vlan interface filters traffic going TO machines on that vlan.


An access-list applied inbound to a vlan filters traffic coming FROM machines on that vlan.

Correct Answer by Edison Ortiz about 7 years 5 days ago

interface Vlan103
description Disaster Recovery SCADA Network A
ip address 192.168.103.1 255.255.255.0


Taking Vlan 103 as an example, if you apply an ACL on the 'in' direction, the source must be within the 192.168.103.x subnet while the destination can be anything.


If you apply an ACL in the 'out' direction, the source can be anything while the destination can be 'any' or 192.168.103.x.
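To make the two answers concrete, here is an added example (my own, not code from the thread or from Cisco) that applies the rule: on an SVI, 'in' filters packets coming from hosts on the VLAN, so the source must fall within the VLAN subnet, and 'out' filters packets going to hosts on the VLAN, so the destination must. It parses IOS ACL entries and flags any entry that is inverted relative to the direction it is applied in, which is the symptom the question describes. Only the Vlan103 subnet comes from the thread; the ACL entries are constructed samples, not the real LoSCADA-vlan103 list.

```python
import ipaddress
# Subnet from the thread's SVI; the ACL entries below are constructed samples.
VLAN103 = ipaddress.ip_network("192.168.103.0/24")
PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}  # tokens consumed

def _addr(toks, i):
    """Parse one IOS address spec at toks[i]; returns (network, next index), None = 'any'."""
    if toks[i] == "any":
        return None, i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1]), i + 2
    # address + wildcard: invert the wildcard into a netmask so 0.0.0.0 -> /32 and 255.255.255.255 -> /0
    wild = int(ipaddress.IPv4Address(toks[i + 1]))
    mask = ipaddress.IPv4Address(wild ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{toks[i]}/{mask}", strict=False), i + 2

def parse_ace(line):
    """Return (src, dst) networks of one ACE, or None for a remark line."""
    toks = line.split()
    if toks[0] == "access-list":   # numbered form: access-list 100 permit ...
        toks = toks[2:]
    elif toks[0].isdigit():        # named ACL entry with a sequence number
        toks = toks[1:]
    if toks[0] == "remark":
        return None
    src, i = _addr(toks, 2)        # toks[0] = permit/deny, toks[1] = protocol
    if i < len(toks) and toks[i] in PORT_OPS:
        i += PORT_OPS[toks[i]]     # skip a source-port operator such as 'eq ftp'
    dst, _ = _addr(toks, i)
    return src, dst

def check_direction(aces, direction, vlan_subnet):
    """'in' on an SVI filters packets FROM the VLAN, 'out' filters packets TO it.
    Flag every ACE whose relevant side can never match an address on the VLAN."""
    side = "source" if direction == "in" else "destination"
    findings = []
    for line in aces:
        src, dst = parse_ace(line) or (None, None)   # remarks are skipped
        relevant = src if direction == "in" else dst
        if relevant is not None and not relevant.overlaps(vlan_subnet):
            findings.append((line, f"{side} {relevant} is outside {vlan_subnet}"))
    return findings

SAMPLE_ACL = [  # constructed; entry 20 is the 'inverted' mistake when applied 'out'
    "10 permit tcp host 172.16.1.10 192.168.103.0 0.0.0.255 eq ftp",
    "20 permit tcp 192.168.103.0 0.0.0.255 host 172.16.1.10 eq ftp",
    "30 deny ip any any",
]
```

Running check_direction(SAMPLE_ACL, "out", VLAN103) reports entry 20 as one that can never match, while the same list checked with "in" flags entry 10 instead.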
