3479 Views, 0 Helpful, 16 Replies

acl issue in L3 Switch SVI

Jacob Samuel, Level 1

Hi

I expect a number of issues like this have already been reported. I am getting confused about the direction of an ACL when it is on a router's physical interface versus on a Layer 3 switch SVI interface. I think my understanding of ACLs needs clearing up, so I need your kind input please.

I have an L3 switch with 3 VLANs:

Vlan 1 - Routing-Vlan (connecting to another network directly) - 172.16.1.254/24 (connects to another router somewhere in another network on 172.16.1.1/24)

Vlan 10 - Server-Vlan - 172.16.10.1/24

Vlan 11 - User-Vlan - 172.16.11.1/24

I want to allow only a specific network to come into my network to access all the subnets; everything else must be blocked.

I want everyone in my network to be able to access anything outside the network.

I tried to configure the ACL as below:

!
access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
!
int vlan 1
 ip add 172.16.1.1 255.255.255.0
 ip access-group 101 in
!

When I am trying from outside (172.16.100.1):

Ping 172.16.10.1 - Good (expected)

Ping 172.16.11.1 - NOT (expected)

When I am trying to ping from inside Server-Vlan (172.16.10.1):

Ping 172.16.100.1 - Good

The problem:

When I am trying to ping from inside User-Vlan (172.16.11.1) out to 172.16.100.1, I am not getting a reply.

What is going wrong in this scenario?

Regards

Sunny


16 Replies

andrew.prince, Level 10

For what you are trying to do, you need two ACLs. To ping from the outside in, your ACL needs to be placed in the outbound direction. For the inside to the outside, you also need to amend the ACL to allow the return ICMP.

Hi Andrew,

Thanks for the reply.

Below is the config, but it is still not filtering; I can ping from 172.16.100.1 (outside) to 172.16.11.1 (User-Vlan).

!
interface Loopback0
 description server
 ip address 172.16.10.1 255.255.255.0
!
interface Loopback1
 description users
 ip address 172.16.11.1 255.255.255.0
 ip access-group 111 in
 ip access-group 112 out
!
interface Vlan1
 ip address 172.16.69.254 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.69.1
!
access-list 111 permit ip 172.16.11.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 112 deny   icmp 172.16.100.0 0.0.0.255 172.16.11.0 0.0.0.255

I am testing it in Dynamips; instead of VLANs I created some loopback interfaces. Are there any issues because of this?

I am testing it in Dynamips; instead of VLANs I created some loopback interfaces. Are there any issues because of this?

Yes, I suspect this is your problem. Basically, for L3 SVIs the traffic direction works as follows:

e.g. you have a vlan 10 with an L3 SVI for the vlan, i.e.

int vlan 10
 ip address x.x.x.x

1) an ACL applied inbound to the vlan 10 L3 SVI affects traffic coming from clients in vlan 10

2) an ACL applied outbound to the vlan 10 L3 SVI affects traffic going to clients in vlan 10

Jon
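To make the direction rule above concrete, and to show why the first post's User-Vlan ping gets no reply, here is an added example (not from the thread and not Cisco code) that models Sunny's switch in Python: every packet is routed between SVIs, the inbound ACL is checked on the SVI the packet arrives through and the outbound ACL on the SVI it leaves through, exactly as Jon describes. It runs the original ACL 101 inbound on Vlan1 and then Andrew's amendment that allows the return ICMP. The SVI names, the placement of 172.16.100.0/24 behind the Vlan1 uplink and the echo-reply entry are assumptions.

```python
import ipaddress
# Constructed model of Sunny's L3 switch (example code, not Cisco IOS): the SVIs and their connected subnets.
SVIS = {"Vlan1": ipaddress.ip_network("172.16.1.0/24"),     # Routing-Vlan, uplink towards 172.16.100.0/24
        "Vlan10": ipaddress.ip_network("172.16.10.0/24"),   # Server-Vlan
        "Vlan11": ipaddress.ip_network("172.16.11.0/24")}   # User-Vlan
DEFAULT_IF = "Vlan1"  # the default route points out of the routing vlan

def parse_acl(lines):
    """Parse 'access-list N permit|deny proto src wc dst wc [icmp-type]' (wildcard masks or 'any')."""
    def net(f):  # consume one address term; a 0.0.0.0 wildcard means a single host
        if f[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), f[1:]
        mask = "32" if f[1] == "0.0.0.0" else f[1]  # ipaddress accepts a hostmask such as 0.0.0.255
        return ipaddress.ip_network(f"{f[0]}/{mask}", strict=False), f[2:]
    rules = []
    for line in lines:
        action, proto, *rest = line.split()[2:]
        src, rest = net(rest)
        dst, rest = net(rest)
        rules.append((action, proto, src, dst, rest[0] if rest else None))
    return rules

def acl_action(rules, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, proto, src, dst, itype in rules:
        if proto in ("ip", pkt["proto"]) and itype in (None, pkt["icmp_type"]) and pkt["src"] in src and pkt["dst"] in dst:
            return action
    return "deny"

def forward(pkt, acls, groups):
    """Inbound ACL on the SVI the packet arrives through, then outbound ACL on the SVI it leaves through."""
    iface_for = lambda ip: next((n for n, net in SVIS.items() if ip in net), DEFAULT_IF)
    ingress, egress = iface_for(pkt["src"]), iface_for(pkt["dst"])
    for iface, direction in ((ingress, "in"), (egress, "out")):  # groups: (interface, direction) -> ACL number
        num = groups.get((iface, direction))
        if num is not None and acl_action(acls[num], pkt) == "deny":
            return f"dropped by ACL {num} {direction} on {iface}"
    return f"permitted {ingress} -> {egress}"

def ping_exchange(src, dst, acls, groups):
    """Verdicts for an ICMP echo from src to dst and for the echo-reply that comes back."""
    def pkt(s, d, t):
        return {"src": ipaddress.ip_address(s), "dst": ipaddress.ip_address(d), "proto": "icmp", "icmp_type": t}
    return forward(pkt(src, dst, "echo"), acls, groups), forward(pkt(dst, src, "echo-reply"), acls, groups)

# Sunny's first config: ACL 101 applied inbound on the Vlan1 SVI.
ORIGINAL = {101: parse_acl(["access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255"])}
# Andrew's amendment: also permit the returning ICMP so hosts inside get their echo-replies back.
AMENDED = {101: ORIGINAL[101] + parse_acl(["access-list 101 permit icmp any any echo-reply"])}
GROUPS = {("Vlan1", "in"): 101}
```

With ORIGINAL, `ping_exchange("172.16.11.1", "172.16.100.1", ORIGINAL, GROUPS)` shows the request leaving Vlan1 unfiltered and the echo-reply dropped by ACL 101 inbound on Vlan1, which is the missing reply from the first post; with AMENDED the reply is permitted while an echo from outside to 172.16.11.1 is still denied.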

Hi Jon,

I was reading a few of your great posts to understand the case.

Just to clarify:

"int vlan 10

ip address x.x.x.x

1) an ACL applied inbound to the vlan 10 L3 SVI affects traffic coming from clients in vlan 10

2) an ACL applied outbound to the vlan 10 L3 SVI affects traffic going to clients in vlan 10

"

int vlan 10
 ip address 172.16.10.1 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out

ip access-list extended 101
 permit ip 172.16.10.0 0.0.0.255 172.16.100.0 0.0.0.255

ip access-list extended 102
 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255

1) an ACL applied inbound to the vlan 10 L3 SVI affects traffic coming from clients in vlan 10 - means -

the source address would be 172.16.10.x/24 ONLY and the destination can be any x.x.x.x

2) an ACL applied outbound to the vlan 10 L3 SVI affects traffic going to clients in vlan 10 - means -

the source can be any x.x.x.x and the destination should be 172.16.10.x/24 ONLY

Is that correct? Please rectify if I am wrong.

Thanks

Sunny

Sunny

Yes, you are right and have described it perfectly.

Jon

Hi Jon

I was reading the post below (billyguthrie, 8 posts since Oct 3, 2009, "How are ACLs filtered applied to a SVI", Oct 3, 2009 6:14 PM), regarding this - quote:

"If you apply an inbound ACL to the SVI, that will filter traffic received (ingress) from within the vlan and if you apply an outbound ACL to the SVI, that will filter traffic that is transmitted out the VLAN (egress)"

IN means - coming in to the interface

OUT means - going out from that interface !!!!

Ingress (INBOUND)----> INT Vlan 10 -------> Egress (OUTBOUND)

Which means whether I apply inbound or outbound, I can control only traffic whose source subnet belongs to the VLAN?

But I understood from your input, which I mentioned in the previous post, that it is going out to that interface:

Ingress (INBOUND) -----> INT Vlan 10 <------ Egress (OUTBOUND)

Correct? Please... I need your input again.

Regards

Sunny

Sunny

It's basically saying the same thing, i.e.

Inbound on a vlan interface means traffic is arriving on that L3 vlan interface from clients in that vlan. So it is ingress on that vlan interface, i.e. coming in the inbound direction. So if you want to filter traffic coming from clients within that vlan you would use an inbound ACL.

Outbound on a vlan interface means traffic is leaving that L3 vlan interface, i.e. egress, traffic leaving the actual interface. So if you wanted to filter traffic going to clients in that vlan you would use an outbound ACL.

Jon

Hi Jon

What is the case if it is a router physical interface or an L3 switch port with the command "no switchport" issued?

Thanks and Regards

Sunny

It's not actually different; it's just that virtual interfaces tend to cause a bit more confusion. So for a physical interface:

Ingress, i.e. inbound, is for traffic arriving on that interface. So the packets will be coming from another device and will be arriving at the physical interface.

Egress, i.e. outbound, is for traffic leaving that interface. So with egress the traffic will have arrived on another interface and been switched through the router to the egress interface.

Which, when you think about it, is the same as L3 vlan interfaces, i.e. for the traffic to be sent out of the L3 vlan interface (outbound) it must have come in from some other interface.

Jon

Thanks a lot Jon...

Regards

Sunny

I don't know if I am saying the same as Jon, but I thought it was working like this:

ACL on SVI

inbound = from SVI to switch

outbound = from switch to SVI

You have to consider the switch's point of view. SVI outbound traffic is inbound traffic for the switch.

Davy

You have to consider the switch's point of view. SVI outbound traffic is inbound traffic for the switch.

I don't think you have this right.

Inbound traffic on an SVI for vlan 10 would mean traffic was entering the switch via a switchport in vlan 10 and going to the SVI.

Outbound traffic on an SVI would mean traffic had entered the switch on a switchport in a different vlan and was being sent out onto vlan 10.

Jon

Hi Jon,

In this case the scenario I was discussing in the first post is not going to work, right?

I cannot filter traffic coming from the SVI interface of vlan 10 (ip address 172.16.10.x/24) or vlan 11 (ip address 172.16.11.x/24) on the SVI interface of vlan 1 (ip address 172.16.1.x/24):

Vlan 1 - Routing-Vlan (connecting to another network directly) - 172.16.1.254/24 (connects to another router somewhere in another network on 172.16.1.1/24)

Vlan 10 - Server-Vlan - 172.16.10.1/24

Vlan 11 - User-Vlan - 172.16.11.1/24

Please correct me if I am wrong. Also, if I am right, what is the solution for this issue? If I make the uplink port a "no switchport" interface rather than a member port of a vlan, will it work?

Regards

Sunny

Sunny

Making it a routed port wouldn't help.

It depends what you wanted to do. You can filter vlan 10 and vlan 11 traffic on the vlan 1 interface by applying an ACL outbound on the vlan 1 interface. That would in effect filter vlan 10 & 11 traffic that was routed out of the vlan 1 interface.

But the recommendation is always to filter as close as possible to the source, so you would actually be better off using inbound ACLs on the vlan 10 and vlan 11 L3 interfaces.

If I have misunderstood your question please let me know.

Jon
