ACL issue on an L3 switch SVI

Answered Question
Jul 17th, 2011

Hi

I expect a number of issues like this have been reported already. I am getting confused about the direction of an ACL when it is on a router's physical interface versus when it is on a Layer 3 switch SVI interface. I think my understanding of ACLs needs to be cleared up; I need your kind input please.

I have a L3 switch with 3 vlans

Vlan 1 - Routing-Vlan (connecting to another network directly) - 172.16.1.254 /24 (connects to another router somewhere in another network on 172.16.1.1/24)

Vlan 10 - Server-Vlan - 172.16.10.1/24

Vlan 11 - User-Vlan - 172.16.11.1/24

I want to allow only a specific network to come inside my network and access all the subnets; everything else must be blocked.

I want everyone in my network to be able to access anything outside the network.

I tried to configure the ACL as below:

!
access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
!
int vlan 1
 ip address 172.16.1.1 255.255.255.0
 ip access-group 101 in
!

When I try from outside (172.16.100.1):

Ping 172.16.10.1 - Good (expected)

Ping 172.16.11.1 - fails (expected)

When I try to ping from inside the Server-Vlan (172.16.10.1):

Ping 172.16.100.1 - Good

The problem:

When I try to ping from inside the User-Vlan (172.16.11.1) out to 172.16.100.1, I get no reply.

What is going wrong in this scenario?

regards

Sunny


andrew.prince@m... Sun, 07/17/2011 - 01:44

For what you are trying to do, you need two ACLs. To ping from the outside in, your ACL needs to be placed in the outbound direction. For the inside to the outside, you also need to amend the ACL to allow the return ICMP.

Jac Sam Sun, 07/17/2011 - 02:35

Hi Andrew,

Thanks for the reply.

Below is the config, but it is still not filtering; I can ping from 172.16.100.1 (outside) to 172.16.11.1 (User-Vlan).

!
interface Loopback0
 description server
 ip address 172.16.10.1 255.255.255.0
!
interface Loopback1
 description users
 ip address 172.16.11.1 255.255.255.0
 ip access-group 111 in
 ip access-group 112 out
!
interface Vlan1
 ip address 172.16.69.254 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.69.1
!
access-list 111 permit ip 172.16.11.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 112 deny   icmp 172.16.100.0 0.0.0.255 172.16.11.0 0.0.0.255

I am testing it in Dynamips; instead of VLANs I created some loopback interfaces. Are there any issues because of this?

Jon Marshall Sun, 07/17/2011 - 05:34

"I am testing it in Dynamips; instead of VLANs I created some loopback interfaces. Are there any issues because of this?"

Yes, I suspect this is your problem. Basically, for L3 SVIs the traffic direction works as follows:

e.g. you have a vlan 10 with an L3 SVI for the vlan, i.e.

int vlan 10
 ip address x.x.x.x

1) an ACL applied inbound to the vlan 10 L3 SVI affects traffic coming from clients in vlan 10

2) an ACL applied outbound to the vlan 10 L3 SVI affects traffic going to clients in vlan 10

Jon

Jac Sam Sun, 07/17/2011 - 06:16

Hi Jon,

I was reading a few of your great posts to understand the case.

Just to clarify:

"int vlan 10
 ip address x.x.x.x

1) an ACL applied inbound to the vlan 10 L3 SVI affects traffic coming from clients in vlan 10

2) an ACL applied outbound to the vlan 10 L3 SVI affects traffic going to clients in vlan 10"

int vlan 10
 ip address 172.16.10.1 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out
!
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 102 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255

1) an ACL applied inbound to the vlan 10 L3 SVI affects traffic coming from clients in vlan 10 - meaning:

the source address would be 172.16.10.x/24 ONLY and the destination can be any x.x.x.x

2) an ACL applied outbound to the vlan 10 L3 SVI affects traffic going to clients in vlan 10 - meaning:

the source can be any x.x.x.x and the destination should be 172.16.10.x/24 ONLY

Is that correct? Please rectify if I am wrong.

Thanks

Sunny

Jac Sam Sun, 07/17/2011 - 06:48

Hi Jon

(Quoting billyguthrie, "How are ACLs filtered applied to a SVI", Oct 3, 2009 6:14 PM)

I was reading that post; regarding this, quote:

"If you apply an inbound ACL to the SVI, that will filter traffic received (ingress) from within the vlan and if you apply an outbound ACL to the SVI, that will filter traffic that is transmitted out the VLAN (egress)"

IN means - coming in to the interface

OUT means - going out from that interface!

Ingress (INBOUND) ----> INT Vlan 10 -------> Egress (OUTBOUND)

Which means that whether I apply it inbound or outbound, the traffic you can control is only from the source subnet that belongs to the VLAN?

But I understood from your input, which I mentioned in the previous post, that it is going out to that interface:

Ingress (INBOUND) -----> INT Vlan 10 <------ Egress (OUTBOUND)

Correct? Please, I need your input again.

Regards

Sunny

Correct Answer
Jon Marshall Sun, 07/17/2011 - 07:00

Sunny

It's basically saying the same thing, i.e.

inbound on a vlan interface means traffic is arriving on that L3 vlan interface from clients in that vlan. So it is ingress on that vlan interface, i.e. coming in the inbound direction. So if you want to filter traffic coming from clients within that vlan you would use an inbound ACL.

outbound on a vlan interface means traffic is leaving that L3 vlan interface, i.e. egress, traffic leaving the actual interface. So if you wanted to filter traffic going to clients in that vlan you would use an outbound ACL.

Jon

Jac Sam Sun, 07/17/2011 - 07:00

Hi Jon

What is the case if it is a router physical interface OR an L3 switch port with the command "no switchport" issued?

Thanks and Regards

Sunny

Correct Answer
Jon Marshall Sun, 07/17/2011 - 07:07

It's not actually different, it's just that virtual interfaces tend to cause a bit more confusion. So for a physical interface:

Ingress, i.e. inbound, is for traffic arriving on that interface. So the packets will be coming from another device and will be arriving at the physical interface.

Egress, i.e. outbound, is for traffic leaving that interface. So with egress the traffic will have arrived on another interface and been switched through the router to the egress interface.

Which, when you think about it, is the same as L3 vlan interfaces, i.e. for the traffic to be sent out of the L3 vlan interface (outbound) it must have come in from some other interface.

Jon

davy.timmermans Wed, 07/27/2011 - 05:48

I don't know if I'm saying the same as Jon, but I thought it was working like this:

ACL on SVI

inbound = from SVI to switch

outbound = from switch to SVI

You have to consider the switch as the point of view. SVI outbound traffic is inbound traffic for the switch.

Jon Marshall Wed, 07/27/2011 - 06:21

Davy

"You have to consider the switch as the point of view. SVI outbound traffic is inbound traffic for the switch."

I don't think you have this right.

Inbound traffic on an SVI for vlan 10 would mean traffic was entering the switch via a switchport in vlan 10 and going to the SVI.

Outbound traffic on an SVI would mean traffic had entered the switch on a switchport in a different vlan and was being sent out onto vlan 10.

Jon

Jac Sam Wed, 07/27/2011 - 06:35

Hi Jon,

In this case, the scenario I was discussing in the first post is not going to work, right?

I cannot filter traffic coming from the SVI interface of vlan 10 (ip address 172.16.10.x/24) OR vlan 11 (ip address 172.16.11.x/24) on the SVI interface of vlan 1 (ip address 172.16.1.x/24).

Vlan 1 - Routing-Vlan (connecting to another network directly) - 172.16.1.254 /24 (connects to another router somewhere in another network on 172.16.1.1/24)

Vlan 10 - Server-Vlan - 172.16.10.1/24

Vlan 11 - User-Vlan - 172.16.11.1/24

Please correct me if I am wrong. Also, if I am right, what is the solution for this issue? If I make the uplink port a "no switchport" interface rather than a member port of a VLAN, will it work?

regards

Sunny

Jon Marshall Wed, 07/27/2011 - 06:52

Sunny

Making it a routed port wouldn't help.

It depends what you want to do. You can filter vlan 10 and vlan 11 traffic on the vlan 1 interface by applying an ACL outbound on the vlan 1 interface. That would in effect filter vlan 10 and 11 traffic that was routed out of the vlan 1 interface.

But the recommendation is always to filter as close as possible to the source, so you would actually be better off using inbound ACLs on the vlan 10 and vlan 11 L3 interfaces.

If i have misunderstood your question please let me know.

Jon

Jac Sam Wed, 07/27/2011 - 07:40

Hi Jon,

Thanks a lot for the update. I was trying it on Dynamips. I am waiting for the devices to test it on; I will check the scenario and come back to you. Thanks a lot again; you are always a great help to me when I'm in trouble.

Thanks & Regards

Sunny

Jac Sam Mon, 09/26/2011 - 00:06

Hi Jon,

I was working on the ACL for the above issue. I have found the following:

int vlan 1
 description Routing vlan
 ip address 172.16.1.1 255.255.255.0
 ip access-group 110 in
!
int vlan 10
 description server vlan
 ip address 172.16.10.1 255.255.255.0
!
int vlan 11
 description Users
 ip address 172.16.11.1 255.255.255.0
 ip access-group 100 in
!

The ACLs applied on vlan 10 and 11 are inbound in direction, so, as we mentioned before, the traffic coming from each vlan (172.16.10.x OR 172.16.11.x) can be filtered at the SVI itself. In fact I need to put the statement below in bold to be able to ping its own gateway.

access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.11.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.101.0 0.0.0.255

....

And for filtering the traffic coming from outside, I had to put the ACL on interface vlan 1 and apply it in the INBOUND direction.

access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.11.0 0.0.0.255
access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.11.0 0.0.0.255

...

What I understood:

For vlan 10 or 11, if I apply it outbound, it means the traffic coming from outside and destined to the inside of that vlan.

For vlan 10 or 11, if I apply it inbound, it means the traffic coming from inside that vlan and destined to outside.

But for Vlan 1, which is the routing vlan connecting to the other network, the behaviour is just the reverse:

If I apply it inbound, it means the traffic coming into that vlan interface from outside.

If I apply it outbound, it means the traffic going out through that interface.

So I didn't apply any ACL in the outbound direction as of now.

Dear Jon, thanks for taking the time to describe the scenario in detail before.

Please check this and let me know whether my conclusion is correct or there is anything left to loop back on.

Thanks and Regards

Sunny
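Editor's added example (not code from the thread or from Cisco): a small Python model of how IOS applies an ACL "in" or "out" on an SVI, run against the topology from the first post. It illustrates three points made above: Jon's rule that "in" filters traffic arriving from that vlan and "out" filters traffic routed into it, Andrew's point that the reply ICMP of an inside-to-outside ping must be allowed back in, and Sunny's final observation that an inbound ACL on vlan 11 needs a 172.16.11.0 -> 172.16.11.0 permit before a host can ping its own gateway. The addresses and ACL numbers come from the posts; the `echo-reply` ACE and the host addresses such as 172.16.11.10 are my assumptions, and the model follows IOS behaviour in that packets the switch itself originates are not filtered by either ACL.

```python
"""Added example, not code from the thread: a model of how Cisco IOS applies an ACL
'in' or 'out' on an SVI, run against the topology from the first post. Addresses
and ACL numbers come from the posts; the echo-reply ACE is my rendering of
Andrew's 'allow the return ICMP' suggestion."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst icmp_type")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must equal the base, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return a & keep == b & keep

def _addr_spec(t, i):
    """Consume 'any' or 'ADDR WILDCARD' at t[i]; return ((base, wildcard), next index)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (t[i], t[i + 1]), i + 2

def parse_acls(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST [icmp-type]' into {N: [ACE, ...]}."""
    acls = {}
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        num, action, proto = t[1], t[2], t[3]
        src, i = _addr_spec(t, 4)
        dst, i = _addr_spec(t, i)
        icmp_type = t[i] if i < len(t) else None
        acls.setdefault(num, []).append((action, proto, src, dst, icmp_type))
    return acls

def acl_permits(aces, pkt):
    """First matching ACE wins; every IOS ACL ends in an implicit 'deny ip any any'."""
    for action, proto, (sb, sw), (db, dw), icmp_type in aces:
        if proto != "ip" and proto != pkt.proto:
            continue
        if icmp_type is not None and icmp_type != pkt.icmp_type:
            continue
        if wildcard_match(pkt.src, sb, sw) and wildcard_match(pkt.dst, db, dw):
            return action == "permit"
    return False

class L3Switch:
    def __init__(self, svis, acls, default_svi):
        # svis: name -> (SVI address/prefix, inbound ACL number or None, outbound ACL or None)
        self.svis = {n: (ipaddress.ip_interface(a), i, o) for n, (a, i, o) in svis.items()}
        self.acls, self.default_svi = acls, default_svi  # default_svi: where 0.0.0.0/0 points

    def _is_own(self, addr):
        return any(str(iface.ip) == addr for iface, _, _ in self.svis.values())

    def _svi_for(self, addr):
        ip = ipaddress.ip_address(addr)
        for name, (iface, _, _) in self.svis.items():
            if ip in iface.network:
                return name
        return self.default_svi

    def forward(self, pkt):
        """(permitted, reason): the 'in' ACL of the SVI the packet arrives on is checked
        first, then the 'out' ACL of the SVI it leaves by, as Jon describes. Packets the
        switch itself originates are not filtered; packets addressed to it see only 'in'."""
        if self._is_own(pkt.src):
            return True, "locally generated, not filtered"
        hops = [(self._svi_for(pkt.src), "in")]
        if not self._is_own(pkt.dst):
            hops.append((self._svi_for(pkt.dst), "out"))
        for svi, direction in hops:
            num = self.svis[svi][1 if direction == "in" else 2]
            if num is not None and not acl_permits(self.acls[num], pkt):
                return False, f"dropped by access-list {num} {direction} on {svi}"
        return True, " -> ".join(s for s, _ in hops)

def ping(sw, src, dst):
    """A ping needs the echo AND the echo-reply to pass; the reply crosses the same
    ACLs in the opposite direction, which is what broke the User-Vlan test."""
    ok, why = sw.forward(Packet("icmp", src, dst, "echo"))
    if not ok:
        return False, "echo " + why
    ok, why = sw.forward(Packet("icmp", dst, src, "echo-reply"))
    return (True, "reply received") if ok else (False, "echo-reply " + why)

def build(acl_lines, vlan1_in=None, vlan11_in=None):
    """Constructed topology from the first post: routing, server and user SVIs."""
    svis = {"Vlan1": ("172.16.1.1/24", vlan1_in, None),
            "Vlan10": ("172.16.10.1/24", None, None),
            "Vlan11": ("172.16.11.1/24", vlan11_in, None)}
    return L3Switch(svis, parse_acls(acl_lines), default_svi="Vlan1")

if __name__ == "__main__":
    # Sunny's first attempt: one ACL, inbound on the routing SVI, no return-traffic ACE.
    first = ["access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255"]
    fixed = first + ["access-list 101 permit icmp any 172.16.0.0 0.0.255.255 echo-reply"]
    for label, lines in (("first attempt", first), ("with echo-reply ACE", fixed)):
        sw = build(lines, vlan1_in="101")
        print(label, "user vlan -> outside:", ping(sw, "172.16.11.10", "172.16.100.1"))
        print(label, "outside -> user vlan:", ping(sw, "172.16.100.1", "172.16.11.1"))
```

With the first-attempt ACL the user-vlan ping fails on the echo-reply, not the echo: the reply from 172.16.100.1 arrives inbound on Vlan1 and access-list 101 only permits traffic to 172.16.10.0/24. Adding the echo-reply ACE lets that ping work while an echo from outside to 172.16.11.1 is still dropped, which is the asymmetry a single one-direction ACL gives you. The model is a simplification: it covers ICMP only, and it does not model the `established` keyword or reflexive ACLs that a real deployment would use for TCP return traffic (neither is discussed in the thread).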
