in / out up/down


I'm quite confused on terminology.

I have a core switch with all of my VLANs identified.

I have satellite switches with specific ports for the VLANs identified for workstations / servers etc.

I'm writing ACLs that need to be on OUTGOING INTERFACE traffic.

I wrote the following ACL

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255   (VLAN 2 to VLAN 3)

access-list 101 deny ip any any

interface vlan 2
 ip access-group 101 out

However, PCs on VLAN 2 (192.168.2.x) can ping everything; the ACL does not seem to be working.

When I make the change to: ip access-group 101 in

everything works as expected. The customer has requested all traffic be filtered on outbound traffic. However, I can't get ACLs to work outbound on the interfaces for devices within that interface. Am I missing something obvious?


As always, thanks for the help.
handoko.wiyanto Fri, 11/10/2006 - 06:58
Hi there,

The ACL will not work when you put it outbound. Why?

Because the outbound traffic comes from the other VLAN, so

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255   (VLAN 2 to VLAN 3)

will never be a match condition, because the IP packet which comes out to VLAN 2 will have destination address 192.168.2.0, not source address 192.168.2.0.


If the ACL doesn't match on this statement, the ACL will go through to the next line, which is access-list 101 deny any any.

Basically this line is not useful, because in an ACL, if there is no match condition the packet will be denied by default (you can imagine that at the end of the ACL statements there lies an implicit deny any any).

So what you can do is block the IP traffic which is coming from the other VLAN with destination VLAN 2.

For example, you have VLAN 3,

so you can create

access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 103 permit ip any any

and then go to interface vlan 3

ip access-group 103 out


This step is the same if you have other VLANs.

The other way you can do it is by changing your ACL 101:

access-list 101 deny ip x.x.x.x y.y.y.y (the other vlan you put it here) 192.168.2.0 0.0.0.255

and on the last line, don't forget to put permit ip any any.

Continue this command for every VLAN you want to filter,

and then apply it as outbound on interface vlan 2:

interface vlan 2
 ip access-group 101 out


Hope this helps

:)

Richard Burts Fri, 11/10/2006 - 08:22

Erick


I sympathize with your confusion. I find it useful to think about it in this way: the in and out of access list assignment are from the perspective of the router (or layer 3 switch). Outbound is from the router out to the devices connected on that interface. Inbound is incoming from the devices on the subnet into the interface. And it is also helpful to be clear that in extended access lists the first address and mask are the source and the second address and mask are the destination.


So in your particular situation if you build an access list to apply on interface VLAN 2 and VLAN 2 addresses are in the source address field then the access list must be applied inbound.


It may also be helpful to consider the perspective of various parties in this. Your customer may say that he wants outbound filtering (from the perspective of the end stations who are sending the traffic outbound). But from the perspective of the router that may be accomplished with an inbound filter.


One other point: your post says that when access list 101 was applied out it allowed PCs to ping anywhere. I find that surprising because with the access list applied out nothing would have matched the first line with a permit and everything would have matched the second line which denies everything. I would not think that any traffic would get through.


HTH


Rick
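The direction rule both replies describe (in/out are from the router's point of view, first-match evaluation, implicit deny at the end) can be checked with a small simulator. The following is an added example, not code from this thread or from Cisco: it parses IOS-style extended ACL lines with wildcard masks, models the layer 3 switch's SVIs for VLAN 2, 3 and a hypothetical VLAN 4 (192.168.4.0/24, an assumption), and runs single packets through the poster's ACL 101 applied out and in on interface vlan 2, plus the "deny the other VLANs toward VLAN 2, then permit any" variant from the first reply. Host addresses, VLAN 4 and ACL number 102 are constructed for the demo; the model classifies one packet at a time and does not follow return traffic.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry: 'permit'/'deny', source network, destination network."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens):
    """Consume 'any' or 'A.B.C.D W.W.W.W' (IOS wildcard mask); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask (0.0.0.255 -> /24).
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [Ace, ...]} in order."""
    acl_db = {}
    for line in lines:
        tokens = line.lower().split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action = tokens[1], tokens[2]
        if tokens[3] != "ip":
            raise ValueError(f"only 'ip' entries are modelled here: {line}")
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        acl_db.setdefault(number, []).append(Ace(action, src, dst))
    return acl_db


def evaluate(entries, src_ip, dst_ip):
    """First-match evaluation; falls through to the implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in entries:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


# Constructed topology: one SVI per VLAN on the layer 3 switch. VLAN 4 is an assumption.
INTERFACES = {
    "vlan 2": ipaddress.ip_network("192.168.2.0/24"),
    "vlan 3": ipaddress.ip_network("192.168.3.0/24"),
    "vlan 4": ipaddress.ip_network("192.168.4.0/24"),
}


def _svi_for(ip):
    """Return the SVI whose subnet contains ip (our simplified routing table)."""
    addr = ipaddress.ip_address(ip)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    raise ValueError(f"no connected route for {ip}")


def forward(acl_db, bindings, src_ip, dst_ip):
    """Route one packet between SVIs. 'in' is checked on the ingress SVI (traffic from the
    hosts into the router), 'out' on the egress SVI (traffic from the router toward the hosts).
    bindings maps (interface, direction) -> ACL number."""
    checks = ((_svi_for(src_ip), "in"), (_svi_for(dst_ip), "out"))
    for iface, direction in checks:
        number = bindings.get((iface, direction))
        if number is not None and evaluate(acl_db[number], src_ip, dst_ip) == "deny":
            return "deny"
    return "permit"


# Constructed ACL text in IOS syntax: 101 is the poster's, 102 is the 'deny other VLANs
# toward VLAN 2' variant suggested in the first reply (VLAN 4 used as 'the other VLAN').
ACL_TEXT = [
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255",
    "access-list 101 deny ip any any",
    "access-list 102 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 102 permit ip any any",
]


def demo():
    """Classify four constructed flows under three interface bindings."""
    acl_db = parse_acl(ACL_TEXT)
    bindings = {
        "101 out": {("vlan 2", "out"): "101"},  # what the question applied
        "101 in": {("vlan 2", "in"): "101"},    # what 'worked as expected'
        "102 out": {("vlan 2", "out"): "102"},  # first reply's second alternative
    }
    flows = {
        "2->3": ("192.168.2.10", "192.168.3.10"),
        "2->4": ("192.168.2.10", "192.168.4.10"),
        "3->2": ("192.168.3.10", "192.168.2.10"),
        "4->2": ("192.168.4.10", "192.168.2.10"),
    }
    return {name: {flow: forward(acl_db, b, s, d) for flow, (s, d) in flows.items()}
            for name, b in bindings.items()}


if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

With ACL 101 applied out on interface vlan 2, packets sourced from VLAN 2 hosts are never examined by it at all (they leave the switch on vlan 3 or vlan 4), while every packet heading toward VLAN 2 fails the first line and hits deny ip any any. Applied in, the same ACL sees exactly the VLAN 2 sourced traffic the customer wants filtered. The 102 variant shows the outbound form of the same policy: it filters by destination, so each "other" VLAN needs its own deny line ahead of the final permit.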
