Access-list on SVI interface

Unanswered Question
Apr 23rd, 2012

Hi guys,

I would need your advice on a point that is not clear to me.

I made a quick search on this forum; however, I didn't find an answer (but I am almost sure this issue was discussed already...).

My concern is what could match an access-list configured on a switch SVI interface?

I understand which traffic matches an inbound access-list (traffic destined to this IP), but not which kind of traffic could match an outbound one (no traffic crosses that interface, and the traffic initiated from that interface by the router will not match either).

Do you have an answer for this?

Thanks in advance for your help!!

g.fabre Mon, 04/23/2012 - 12:37

I found the answer myself 2 minutes after posting.

The transit traffic routed through that interface will match!

Sorry for spamming the forum... let's say this is just my contribution for people having the same question.

nap.deguzman Mon, 01/19/2015 - 08:54

Hi g.fabre,


Can you please send me the link where you got the answer to this question? This is also not clear to me and cannot find any thread that could lead me to a concrete answer. Thank you so much in advance!

Jon Marshall Mon, 01/19/2015 - 09:03

Which bit is not clear?

Jon

nap.deguzman Mon, 01/19/2015 - 09:05

Thanks for the reply Jon. This particular statement.


the transit traffic routed through that interface will match

Jon Marshall Mon, 01/19/2015 - 09:16

Okay, let's cover both situations.

An inbound acl applies to traffic coming from a client in that vlan.

An outbound acl applies to traffic going to a client in that vlan.

So

C1 -> int vlan 3 (SW1) -> R1 -> R2 -> S1

C1 is a client and S1 is a web server.

When C1 sends traffic to S1 if there is an acl applied inbound on vlan 3 then it will be checked to see if the traffic is allowed.

If there is an outbound acl on the vlan 3 interface it won't be checked.

When S1 sends traffic back to C1 if there is an outbound acl on the vlan 3 interface it will be checked to see if that traffic is allowed.

If there is an inbound acl applied it won't be checked.

So it is all to do with the direction of the traffic in relation to the L3 vlan interface (SVI).

You will probably see more acls applied inbound because it is best practice to filter traffic as close to the source as possible, but that is always the case.

Hope that makes sense.

Feel free to ask for further clarification if needed.

Jon

nap.deguzman Mon, 01/19/2015 - 09:41

Thanks again Jon, I am sorry but it is still not so clear to me. So you said:


When S1 sends traffic back to C1 if there is an outbound acl on the vlan 3 interface it will be checked to see if that traffic is allowed.

If there is an inbound acl applied it won't be checked.

So it is all to do with the direction of the traffic in relation to the L3 vlan interface (SVI).


My question is, why would the reply from S1 be checked against the outbound acl, when it should still be checked as inbound to VLAN 3? Is it all about the direction of the traffic with reference to the SVI interface, or is it about whether the host is inside the VLAN or outside the VLAN?


I have this config and I am confused about how the out ACL is matching the traffic destined to VLAN 8.


interface Vlan8
 ip address 172.16.8.1 255.255.255.0
 ip access-group VLAN8ACL_IN in
 ip access-group VLAN8ACL_OUT out

ip access-list extended VLAN8ACL_IN
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit ip 172.16.8.0 0.0.0.255 host 224.0.0.2
 permit ip 172.16.8.0 0.0.0.255 host 224.0.0.10
 permit ip 172.16.8.0 0.0.0.255 host 224.0.0.13
 permit ip 172.16.8.0 0.0.0.255 host 224.0.0.22
 permit ip 172.16.8.0 0.0.0.255 host 224.0.0.252

ip access-list extended VLAN8ACL_OUT
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit ip host 224.0.0.2 172.16.8.0 0.0.0.255
 permit ip host 224.0.0.10 172.16.8.0 0.0.0.255
 permit ip host 224.0.0.13 172.16.8.0 0.0.0.255
 permit ip host 224.0.0.22 172.16.8.0 0.0.0.255
 permit ip host 224.0.0.252 172.16.8.0 0.0.0.255
 permit ip host 172.16.2.12 172.16.8.0 0.0.0.255
 permit ip host 172.19.2.222 172.16.8.0 0.0.0.255
 permit ip host 172.17.2.205 172.16.8.0 0.0.0.255
 permit ip host 172.18.2.25 172.16.8.0 0.0.0.255
 permit ip host 172.18.2.125 172.16.8.0 0.0.0.255
 permit ip host 172.18.2.126 172.16.8.0 0.0.0.255
 permit ip host 172.18.2.127 172.16.8.0 0.0.0.255
 permit ip host 172.19.2.30 172.16.8.0 0.0.0.255

Jon Marshall Mon, 01/19/2015 - 09:57

My question is, why would the reply from S1 be checked against the outbound acl where it should still be checked as inbound to VLAN 3?

It is not inbound to vlan 3.

You need to think about it in terms of the SVI (vlan interface) and not the actual vlan.

So inbound means traffic coming to the SVI, i.e. traffic from clients in that vlan.

Outbound means traffic going from the SVI, i.e. traffic going to clients in that vlan.

In your configuration the acl applied outbound on vlan 8 will have destination IPs in the vlan 8 IP subnet, i.e. 172.16.8.0/24, because it is filtering traffic that is going to devices in vlan 8.

The inbound acl will have source IPs from the vlan 8 IP subnet because it is filtering packets coming from devices in vlan 8 and going somewhere else.

As a side note, apart from your DHCP entries in your inbound acl, the other lines are for specific multicast addresses, and those particular addresses are not L3 routed anyway, so I'm not sure what they are doing there unless you are running dual switches with HSRP etc., but your SVI configuration doesn't show that.

Again if it's not clear please come back with your queries.

Jon
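Jon's rule of thumb above, as a small runnable model added here (not code from the thread or from Cisco): a source inside the SVI subnet means the packet is entering the SVI and meets the "in" ACL, a destination inside it means the packet is being routed out onto the VLAN and meets the "out" ACL. It parses an excerpt of the VLAN8 ACLs posted earlier and assumes contiguous wildcard masks; the packets in the comments are constructed samples.

```python
import ipaddress
# Added example, not the thread's code. ACL text is an excerpt of the posted
# VLAN8 ACLs; any packet fed to svi_filter() is a constructed sample.
SVI_SUBNET = ipaddress.ip_network("172.16.8.0/24")  # interface Vlan8
PORTS = {"bootps": 67, "bootpc": 68}
VLAN8ACL_IN = """
 permit udp any any eq bootps
 permit ip 172.16.8.0 0.0.0.255 host 224.0.0.2
"""
VLAN8ACL_OUT = """
 permit udp any any eq bootpc
 permit ip host 224.0.0.2 172.16.8.0 0.0.0.255
 permit ip host 172.16.2.12 172.16.8.0 0.0.0.255
"""

def _addr(tok):
    # 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' (contiguous wildcards only).
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    wild = int(ipaddress.ip_address(tok[1]))  # wildcard = inverted mask
    return ipaddress.ip_network((tok[0], 32 - wild.bit_length()), strict=False), tok[2:]

def parse_acl(text):
    # Each 'permit|deny proto src dst [eq port]' line becomes one rule tuple.
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):
            src, rest = _addr(tok[2:])
            dst, rest = _addr(rest)
            port = PORTS[rest[1]] if rest[:1] == ["eq"] else None
            rules.append((tok[0], tok[1], src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    # Top-down, first match wins; falling off the end is the implicit deny.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and rport in (None, dport):
            return action
    return "deny"

def svi_filter(pkt, acl_in=VLAN8ACL_IN, acl_out=VLAN8ACL_OUT):
    # Direction is relative to the SVI: source in its subnet -> entering the SVI
    # ('in' ACL); destination in it -> routed out onto the VLAN ('out' ACL).
    proto, src, dst, dport = pkt  # e.g. ("tcp", "172.16.2.12", "172.16.8.20", 80)
    if ipaddress.ip_address(src) in SVI_SUBNET:
        return "in", evaluate(parse_acl(acl_in), proto, src, dst, dport)
    if ipaddress.ip_address(dst) in SVI_SUBNET:
        return "out", evaluate(parse_acl(acl_out), proto, src, dst, dport)
    return None, "not seen by this SVI"
```

With this excerpt, a reply from 172.16.2.12 to a VLAN 8 host is judged by the "out" ACL and permitted, while an ordinary TCP session started by a VLAN 8 host is judged by the "in" ACL and hits the implicit deny, which is exactly why the posted inbound list only passes DHCP and multicast.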


nap.deguzman Mon, 01/19/2015 - 10:11

Thanks again Jon, I think I just need to digest what you said. I think I am comparing the SVI interface to a physical interface of a router. If you know any links from the Cisco site, I would appreciate it if you could share them. I appreciate all your help, thank you so much!

nap.deguzman Mon, 01/19/2015 - 12:15

Hi Jon


I got it now, I am now wondering why I confused myself with it hehe... thank you so much again for your help!

Richard Burts Mon, 04/23/2012 - 12:40

The logical operation of access list on SVI is quite similar to the logical operation of the access list on a physical interface. If you assign an access list as outbound on an SVI then it will examine traffic that has come through the switch and is being sent out onto the VLAN/subnet of the SVI.

So if you had this as an example:

interface vlan 3
 ip address 10.10.10.1 255.255.255.0
 ip access-group 101 out

then access list 101 will examine traffic coming through the switch and being forwarded out onto VLAN 3 and subnet 10.10.10.0/24.

HTH

Rick
