07-17-2011 12:57 AM - edited 03-07-2019 01:15 AM
Hi
I hope a number of issues like this have already been reported. I am getting confused about the direction of an ACL when it is on a router's physical interface versus when it is on a Layer 3 switch SVI interface. I think my understanding of ACLs needs to be cleared up; I need your kind input please.
I have a L3 switch with 3 vlans
Vlan 1 - Routing-Vlan (Connecting to another network directly) - 172.16.1.254 /24 (connects to another router somewhere in another network on 172.16.1.1/24)
Vlan 10 - Server-Vlan - 172.16.10.1/24
Vlan 11 - User-Vlan - 172.16.11.1/24
I want to allow only a specific network to come inside my network to access all the subnets; all others must be blocked.
I want everyone in my network to be able to access anything outside the network.
I tried to configure the ACL as below -
!
access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
!
int vlan 1
ip add 172.16.1.1 255.255.255.0
ip access-group 101 in
!
When I am trying from outside (172.16.100.1) -
Ping 172.16.10.1 - Good (expected)
Ping 172.16.11.1 - NOT (expected)
When I am trying to ping from inside the Server-Vlan (172.16.10.1) -
Ping 172.16.100.1 - Good
The problem -
When I am trying to ping from inside the User-Vlan (172.16.11.1) out to 172.16.100.1, I am not getting a reply.
What is going wrong in this scenario?
regards
Sunny
07-17-2011 01:44 AM
For what you are trying to do, you need two acls. To ping from the outside in, your acl needs to be placed in the outbound direction. For the inside to the outside, you also need to amend the acl to allow the return icmp.
Sent from Cisco Technical Support iPad App
07-17-2011 02:35 AM
Hi Andrew,
Thanks for the reply.
Below is the config, but it is still not filtering; I can ping from 172.16.100.1 (outside) to 172.16.11.1 (User-Vlan).
!
interface Loopback0
description server
ip address 172.16.10.1 255.255.255.0
!
interface Loopback1
description users
ip address 172.16.11.1 255.255.255.0
ip access-group 111 in
ip access-group 112 out
!
interface Vlan1
ip address 172.16.69.254 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.69.1
!
!
!
access-list 111 permit ip 172.16.11.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 112 deny icmp 172.16.100.0 0.0.0.255 172.16.11.0 0.0.0.255
I am testing it in dynamips; instead of vlans I created some loopback interfaces. Are there any issues because of this?
07-17-2011 05:34 AM
I am testing it in dynamips; instead of vlans I created some loopback interfaces. Are there any issues because of this?
Yes, I suspect this is your problem. Basically for L3 SVIs the traffic direction works as follows -
eg. you have a vlan 10 with an L3 SVI for that vlan ie.
int vlan 10
ip address x.x.x.x
1) an acl applied inbound to the vlan 10 L3 SVI affects traffic coming from clients in vlan 10
2) an acl applied outbound to the vlan 10 L3 SVI affects traffic going to clients in vlan 10
Jon
07-17-2011 06:16 AM
Hi Jon,
I was reading a few of your great posts to understand the case.
Just to clarify -
"int vlan 10
ip address x.x.x.x
1) an acl applied inbound to the vlan 10 L3 SVI affects traffic coming from clients in vlan 10
2) an acl applied outbound to the vlan 10 L3 SVI affects traffic going to clients in vlan 10
"
int vlan 10
ip address 172.16.10.1 255.255.255.0
ip access-group 101 in
ip access-group 102 out
!
ip access-list extended 101
 permit ip 172.16.10.0 0.0.0.255 172.16.100.0 0.0.0.255
ip access-list extended 102
 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
1) an acl applied inbound to the vlan 10 L3 SVI affects traffic coming from clients in vlan 10 - means -
the source address would be 172.16.10.x/24 ONLY and the destination can be any x.x.x.x
2) an acl applied outbound to the vlan 10 L3 SVI affects traffic going to clients in vlan 10 - means -
the source can be any x.x.x.x and the destination should be 172.16.10.x/24 ONLY
Is that correct? Please rectify if I am wrong.
thanks
Sunny
07-17-2011 06:26 AM
Sunny
Yes you are right and have described it perfectly.
Jon
07-17-2011 06:48 AM
Hi Jon
billyguthrie
8 posts since Oct 3, 2009
How are ACLs filtered applied to a SVI
Oct 3, 2009 6:14 PM
I was reading the above post, regarding this - quote:
"If you apply an inbound ACL to the SVI, that will filter traffic received (ingress) from within the vlan and if you apply an outbound ACL to the SVI, that will filter traffic that is transmitted out the VLAN (egress)"
IN means - coming in to the interface
OUT means - going out from that interface !!!!
Ingress (INBOUND)----> INT Vlan 10 -------> Egress (OUTBOUND)
which means that whether I apply inbound or outbound, I can control only the source subnet that belongs to the VLAN?
But I understood from your input, which I mentioned in the previous post, that it is going out to that interface:
Ingress (INBOUND) -----> INT Vlan 10 <------ Egress (OUTBOUND)
Correct? Please.... I need your input again.
regards
Sunny
07-17-2011 07:00 AM
Sunny
It's basically saying the same thing ie.
inbound on a vlan interface means traffic is arriving on that L3 vlan interface from clients in that vlan. So it is ingress on that vlan interface ie. coming in the inbound direction. So if you want to filter traffic coming from clients within that vlan you would use an inbound acl.
outbound on a vlan interface means traffic is leaving that L3 vlan interface ie. egress, traffic leaving the actual interface. So if you wanted to filter traffic going to clients in that vlan you would use an outbound acl.
Jon
07-17-2011 07:00 AM
Hi Jon
What is the case if it is a Router Physical Interface OR an L3 Switch port with the command "no switchport" issued?
Thanks and Regards
Sunny
07-17-2011 07:07 AM
It's not actually different, it's just that virtual interfaces tend to cause a bit more confusion. So for a physical interface -
ingress ie. inbound is for traffic arriving on that interface. So the packets will be coming from another device and will be arriving at the physical interface.
egress ie. outbound is for traffic leaving that interface. So with egress the traffic will have arrived on another interface and be switched through the router to the egress interface.
Which when you think about it is the same as L3 vlan interfaces ie. for the traffic to be sent out of the L3 vlan interface ie. outbound it must have come in from some other interface.
Jon
07-17-2011 07:15 AM
Thanks a lot Jon...
regards
Sunny
07-27-2011 05:48 AM
I don't know if I am saying the same as Jon, but I thought it was working like this:
ACL on SVI
inbound = from SVI to switch
outbound = from switch to SVI
You have to consider the switch's point of view. SVI outbound traffic is inbound traffic for the switch.
07-27-2011 06:21 AM
Davy
You have to consider the switch's point of view. SVI outbound traffic is inbound traffic for the switch.
I don't think you have this right.
Inbound traffic on an SVI for vlan 10 would mean traffic was entering the switch via a switchport in vlan 10 and going to the SVI.
Outbound traffic on an SVI would mean traffic had entered the switch on a switchport in a different vlan and was being sent out onto vlan 10.
Jon
07-27-2011 06:35 AM
Hi Jon,
In this case, the scenario I was discussing in the first post is not going to work, right?
I cannot filter traffic coming from the SVI interface of vlan 10 (ip add 172.16.10.x/24) OR vlan 11 (ip address 172.16.11.x/24) on the SVI interface of vlan 1 (ip address 172.16.1.x/24)
Vlan 1 - Routing-Vlan (Connecting to another network directly) - 172.16.1.254 /24 (connects to another router somewhere in another network on 172.16.1.1/24)
Vlan 10 - Server-Vlan - 172.16.10.1/24
Vlan 11 - User-Vlan - 172.16.11.1/24
Please correct me if I am wrong. Also, if I am right, what is the solution for this issue? If I make the uplink port a no switchport interface rather than a member port of a vlan, will it work?
regards
Sunny
07-27-2011 06:52 AM
Sunny
Making it a routed port wouldn't help.
Depends what you wanted to do. You can filter vlan 10 and vlan 11 traffic on the vlan 1 interface by applying an acl outbound on the vlan 1 interface. That would in effect filter vlan 10 & 11 traffic that was routed out of the vlan 1 interface.
But the recommendation is always to filter as close as possible to the source so you would actually be better using inbound acls on the vlan 10 and vlan 11 L3 interfaces.
If I have misunderstood your question please let me know.
Jon
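As an added illustration (not from the thread, and not Cisco code), here is a small Python model of stateless ACL evaluation on SVIs using the subnets and ACL 101 from the first post: it reproduces why the User-Vlan ping fails (the echo reply from 172.16.100.1 arrives inbound on vlan 1 and hits the implicit deny), and it lets you try Jon's two placements, outbound on vlan 1 or inbound on the vlan 10/11 SVIs. The SVI names, the `(svi, direction)` dict layout and the treatment of SVI addresses as ordinary hosts in their subnet are my own assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # IOS "network wildcard" pair, or "any"
    dst: str

def _match(addr: str, spec: str) -> bool:
    """IOS wildcard match: a set bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def acl_permits(acl: list, src: str, dst: str) -> bool:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if _match(src, ace.src) and _match(dst, ace.dst):
            return ace.action == "permit"
    return False

# Constructed model of the first post's switch (SVI addresses treated as hosts
# in their subnet; traffic generated by the switch itself is not modelled).
SVIS = {"vlan1": "172.16.1.0/24", "vlan10": "172.16.10.0/24", "vlan11": "172.16.11.0/24"}
ACL_101 = [Ace("permit", "172.16.100.0 0.0.0.255", "172.16.10.0 0.0.0.255")]
FIRST_POST = {("vlan1", "in"): ACL_101}   # "ip access-group 101 in" under int vlan 1

def svi_for(addr: str) -> str:
    """SVI whose subnet holds addr; anything else is reached via vlan 1 (default route)."""
    for name, net in SVIS.items():
        if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net):
            return name
    return "vlan1"

def forwarded(src: str, dst: str, applied: dict) -> bool:
    """One packet: check the ingress SVI's inbound ACL, then the egress SVI's outbound ACL."""
    ingress, egress = svi_for(src), svi_for(dst)
    for key in ((ingress, "in"), (egress, "out")):
        acl = applied.get(key)
        if acl is not None and not acl_permits(acl, src, dst):
            return False
    return True

def ping_ok(src: str, dst: str, applied: dict) -> bool:
    """A ping works only if the echo request and the echo reply are both forwarded."""
    return forwarded(src, dst, applied) and forwarded(dst, src, applied)
```

Because the model is stateless, `ping_ok` checks both directions separately, which is exactly where the first post's single inbound ACL on vlan 1 drops the reply to the User-Vlan.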