I hope a number of issues like this have been reported. I am getting confused about the direction of an ACL when it is on a router's physical interface versus when it is on a Layer 3 switch SVI interface. I think my understanding of ACLs needs to be cleared up; I need your kind input please.
I have a L3 switch with 3 vlans
Vlan 1 - Routing-Vlan (connecting to another network directly) - 172.16.1.254 /24 (connects to another router somewhere in another network on 172.16.1.1/24)
Vlan 10 - Server-Vlan - 172.16.10.1/24
Vlan 11 - User-Vlan - 172.16.11.1/24
I want to allow only a specific network to come inside my network and access all the subnets; everything else must be blocked.
I want everyone in my network to be able to access anything outside the network.
I tried to configure the ACL as below:
access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
int vlan 1
ip add 172.16.1.1 255.255.255.0
ip access-group 101 in
When I am trying from outside (172.16.100.1):
Ping 172.16.10.1 - Good (expected)
Ping 172.16.11.1 - NOT (expected)
When I am trying to ping from inside the Server-Vlan (172.16.10.1):
Ping 172.16.100.1 - Good
The problem:
When I am trying to ping from inside the User-Vlan (172.16.11.1) out to 172.16.100.1, I am not getting a reply.
What is going wrong in this scenario?
It's not actually different; it's just that virtual interfaces tend to cause a bit more confusion. So for a physical interface:
Ingress, i.e. inbound, is for traffic arriving on that interface. So the packets will be coming from another device and will be arriving at the physical interface.
Egress, i.e. outbound, is for traffic leaving that interface. So with egress the traffic will have arrived on another interface and been switched through the router to the egress interface.
Which, when you think about it, is the same as L3 vlan interfaces, i.e. for the traffic to be sent out of the L3 vlan interface (outbound) it must have come in from some other interface.
It's basically saying the same thing, i.e.:
Inbound on a vlan interface means traffic is arriving on that L3 vlan interface from clients in that vlan. So it is ingress on that vlan interface, i.e. coming in the inbound direction. So if you want to filter traffic coming from clients within that vlan you would use an inbound ACL.
Outbound on a vlan interface means traffic is leaving that L3 vlan interface, i.e. egress, traffic leaving the actual interface. So if you wanted to filter traffic going to clients in that vlan you would use an outbound ACL.
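As an added illustration of the answer above (not code from either poster), here is a small Python model of the question's ACL 101 applied inbound on Vlan 1. The packets are constructed from the question's pings; the model assumes contiguous wildcard masks and that no other ACL exists on the switch, so only traffic arriving on Vlan 1 from the outside router is ever checked.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco address/wildcard pair into a network (assumes a contiguous wildcard)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_acl(config: str) -> list:
    """Parse 'access-list N permit|deny ip SRC WC DST WC' lines (the form used in the question)."""
    aces = []
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 8 or t[0] != "access-list":
            continue
        aces.append(Ace(t[2], wildcard_to_network(t[4], t[5]), wildcard_to_network(t[6], t[7])))
    return aces


def evaluate(aces: list, src: str, dst: str) -> str:
    """First matching entry wins; an ACL always ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


# The ACL from the question, applied with 'ip access-group 101 in' on int vlan 1.
ACL_101 = "access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255"

# Constructed packets as they arrive INBOUND on Vlan 1 (from the outside router).
# Echo replies for pings started inside also arrive here, so the inbound ACL sees them too.
INBOUND_ON_VLAN1 = [
    ("outside -> server: echo request", "172.16.100.1", "172.16.10.1"),
    ("outside -> user: echo request", "172.16.100.1", "172.16.11.1"),
    ("server ping: echo reply returning", "172.16.100.1", "172.16.10.1"),
    ("user ping: echo reply returning", "172.16.100.1", "172.16.11.1"),
]


def scenario() -> dict:
    aces = parse_acl(ACL_101)
    return {label: evaluate(aces, s, d) for label, s, d in INBOUND_ON_VLAN1}


if __name__ == "__main__":
    for label, verdict in scenario().items():
        print(f"{verdict:6}  {label}")
```

The last line of output shows why the User-Vlan ping fails: the echo reply to 172.16.11.1 arrives inbound on Vlan 1, matches nothing in ACL 101, and hits the implicit deny.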