[Access-lists on vlan interface] - need clarification

NicolasDemonty
Level 1

Hi all,

I'm really sorry to ask this question because there are already a lot of answers on the web, but I have a doubt about the command "ip access-group in" configured on a VLAN interface.

Indeed, I'm wondering what traffic the ACL will be applied on. All the answers I've found explain that the traffic FROM the VLAN will be filtered because we must see the interface vlan just as another interface. So the "in" keyword specifies that it is the traffic going to the interface (traffic from a host in the VLAN to the interface vlan, with the goal of going outside, for example), but I have a doubt and need clarification.

If I configure this for example:

interface vlan 100
 ip address 192.60.100.1 255.255.255.0
 ip access-group 101 in
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip 192.60.100.0 0.0.0.255 any
access-list 101 permit ip 192.53.107.0 0.0.0.255 any

What is the behavior?

10.0.0.0 and 192.53.107.0 are other VLANs: 192.53.107.0 is outside of the router and 10.0.0.0 is on the same router. If we consider that the traffic FROM vlan 100 will be filtered, I don't understand why we added 10.0.0.0 and 192.53.107.0 as sources.

Or are these lines interpreted as follows:

- traffic from vlan 100 to outside is permitted

- traffic from 10.0.0.0 and 192.53.107.0 TO hosts in vlan 100 is also permitted because it comes from outside but tries to go IN the interface vlan 100

???

Thanks a lot in advance

Nicolas

4 Replies

cadet alain
VIP Alumni

Hi,

your understanding is correct: only traffic from hosts in this VLAN will be either permitted or denied, or from hosts in a subnet downstream on another device which enters this device through the corresponding SVI to be routed. Of course this is only if these subnets are the source in the packet, as they are configured as the source in the ACL you provided.

But if these other subnets are destination subnets, then the extra statements in the ACL won't do anything (they will never get a hit).

Regards.

Alain.

Don't forget to rate helpful posts.

hello All,

Can I configure 2 access groups on one L3 VLAN interface?

Like this

Example

interface Vlan803
 description *** Bladecenter Server Vlan ***
 ip address 10.17.51.254 255.255.255.128
 ip access-group sql04-filter out
 ip access-group WCS-filter out
 ip helper-address 10.17.1.255
 ip directed-broadcast

hi Nicolas,

hope you are fine. First of all, do not be sorry at all; we all asked these questions to learn!! You are not the first and for sure not the last!!!

Listen, an ACL is defined as an access control list, and the question is: what does it control?

If you write

access-list 101 permit ip 10.0.0.0 0.0.0.255 any

you are not filtering the class 10.0.0.0, but manipulating the traffic coming from the subnet 10.0.0.0/24 towards any destination. So if a computer with an IP address of 10.0.0.1/24 is trying to contact you from the opposite side (like the internet or an external network), it can be successful.

With your ACL you are essentially telling the router:

interface vlan 100
 ip address 192.60.100.1 255.255.255.0
 ip access-group 101 in
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 any ! permit the IP traffic coming from 10.0.0.0/24 to any host
access-list 101 permit ip 192.60.100.0 0.0.0.255 any ! permit the IP traffic coming from 192.60.100.0/24 to any host
access-list 101 permit ip 192.53.107.0 0.0.0.255 any ! permit the IP traffic coming from 192.53.107.0/24 to any host
access-list 101 deny ip any any (implicit deny) ! deny all the rest of the IP traffic in both the directions

Now, where is the point of using

ip access-group 101 in|out ?

The point is that, to be more granular in your control, you can apply these rules only to determined interfaces rather than to the entire routing process.

This behaviour can be justified by many reasons; among them I would say it makes sense to remember the DMZ (demilitarized zone), where unidirectional traffic can be very important from a security point of view, to avoid sharing the back-end (sensitive) information with a common internet user, for example.

I would say that it is even worth checking why we provide in|out as a choice. Maybe a detail, but a very important difference. Imagine you are implementing a core network and this core network has a single (simple case) BGP speaker with the full routing table (the whole internet). What would be the use of your access-list to block unauthorised accesses?

access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip (essentially all the RFC1918)

In this case you want to deny private IP addresses coming from the internet (where, for the sake of example, we assume all the IPs to be public) into your infrastructure.

Here it makes sense to filter the data traffic flows coming IN rather than the ones going out of your infrastructure. So on your interface facing your SP you will type:

conf t
int g0/0
 ip address 1.1.1.1 255.255.255.252
 ip access-group 101 in ! all the traffic that has a private IP address will be filtered here before getting into your enterprise.

The out option instead makes sense if you want to filter some traffic going out of the serial interface 0/0 but you still want to normally route this traffic via another interface.

In this scenario, imagine a packet coming in on Eth1, normally undergoing a routing process (OSPF, EIGRP, static routing, IS-IS, RIP etc.) and not allowed to go out through serial0/0:

int serial0/0
 ip address 2.2.2.2 255.255.255.252
 ip access-group 101 out

I hope I have been a little bit clear; by the way, this link will be very helpful:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Take Care

Alessio
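To make the two points above concrete (Alain's: an ACL applied "in" on an SVI only sees packets that enter the router through that SVI, so the extra source lines only matter if such sources actually arrive that way; Alessio's: a bogon filter belongs "in" on the SP-facing interface), here is an added, self-contained model of IOS extended-ACL evaluation. It is example code written for this thread, not anything from Cisco or from the posters; the flows and the 172.16.0.0/12 line of the bogon filter are my own constructions.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask match: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def evaluate_acl(acl, src, dst):
    """First match wins; an IOS extended ACL ends with an implicit 'deny ip any any'."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

def svi_in_filter(acl, src, dst, entered_via_svi):
    """'ip access-group <acl> in' on an SVI is consulted only for packets entering the
    router through that SVI (VLAN hosts, a downstream device, or a spoofer). Packets
    routed toward the VLAN are the SVI's 'out' direction and never hit this ACL."""
    if not entered_via_svi:
        return "not-evaluated"
    return evaluate_acl(acl, src, dst)

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = network 0.0.0.0 with an all-ones wildcard
# Nicolas's access-list 101 from the question: (action, src net, src wc, dst net, dst wc).
ACL_101 = [
    ("permit", "10.0.0.0",     "0.0.0.255", *ANY),
    ("permit", "192.60.100.0", "0.0.0.255", *ANY),
    ("permit", "192.53.107.0", "0.0.0.255", *ANY),
]

# Constructed ingress filter in the spirit of Alessio's RFC 1918 example; the
# 172.16.0.0/12 line is my completion of his "(essentially all the RFC1918)".
BOGON_IN = [
    ("deny",   "10.0.0.0",    "0.255.255.255", *ANY),
    ("deny",   "172.16.0.0",  "0.15.255.255",  *ANY),
    ("deny",   "192.168.0.0", "0.0.255.255",   *ANY),
    ("permit", *ANY, *ANY),
]

if __name__ == "__main__":
    # Constructed sample flows at "interface vlan 100 / ip access-group 101 in".
    print(svi_in_filter(ACL_101, "192.60.100.10", "8.8.8.8", True))     # permit
    print(svi_in_filter(ACL_101, "8.8.8.8", "192.60.100.10", False))    # not-evaluated
    print(svi_in_filter(ACL_101, "172.16.1.1", "192.60.100.10", True))  # deny (implicit)
    print(svi_in_filter(ACL_101, "10.0.0.5", "8.8.8.8", True))          # permit (only if it entered via the SVI)
    print(evaluate_acl(BOGON_IN, "10.1.2.3", "1.1.1.1"))                # deny
    print(evaluate_acl(BOGON_IN, "203.0.113.7", "1.1.1.1"))             # permit
```

The fourth flow is the one Alain describes: a 10.0.0.0/24 source is only permitted by line 1 if such a packet really enters through the SVI of VLAN 100, which on a correctly routed network is a downstream subnet or a spoofed source, worth logging rather than silently allowing.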

Thank you two!

It is very helpful and it is now clear to me.

thanks
