09-13-2010 06:13 AM - edited 03-06-2019 12:56 PM
On a vlan interface, what direction is "In"?
I'm trying to create a filter on my VoIP VLAN which will limit the devices allowed to communicate with that VLAN, not filtering traffic leaving that subnet.
interface vlan800
 ip address 10.10.112.1 255.255.252.0
 ip access-group voip-filter in
interface vlan101
 ! host address .1 assumed; the original showed the network address, which IOS rejects
 ip address 192.168.101.1 255.255.255.0
So, in the above config snippet, would the "IN" direction be from the 101 subnet to the VoIP subnet?
Or would "IN" be devices on VLAN800 talking through the 112.1 gateway? I applied an ACL to the VLAN in production and got some interesting results.
Setup is two 4507Rs with the same VLAN config in an HSRP configuration. I was seeing traffic denied going to a server it should be going to. Here's the ACL I used:
ip access-list extended voip-filter
 remark Allow VoIP to VoIP communications to branches
 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 remark Permit applicable VoIP servers / services not on the VoIP subnet
 permit ip host 192.168.101.21 10.10.112.0 0.0.3.255
 permit ip host 192.168.101.23 10.10.112.0 0.0.3.255
 permit ip host 192.168.101.28 10.10.112.0 0.0.3.255
 permit ip host 192.168.101.29 10.10.112.0 0.0.3.255
 permit ip host 192.168.101.30 10.10.112.0 0.0.3.255
 permit ip host 192.168.101.31 10.10.112.0 0.0.3.255
 permit ip host 192.168.102.129 10.10.112.0 0.0.3.255
 remark Permit SNMP and ICMP for SW server
 permit udp host 192.168.59.243 10.10.112.0 0.0.3.255 eq snmp
 permit icmp host 192.168.59.243 10.10.112.0 0.0.3.255
 permit udp host 192.168.59.243 10.10.112.0 0.0.3.255 eq 137
 remark Permit management from the 110 network
 permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq 3389
 permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq ftp-data
 permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq ftp
 permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq 22
 permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq telnet
 permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq www
 permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq 443
 permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq 9090
 permit udp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq snmp
 permit icmp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255
 remark Allow return traffic from connections initiated from VoIP subnets
 permit tcp 192.168.0.0 0.0.255.255 10.10.112.0 0.0.3.255 established
 deny ip any any log
An example I was seeing of blocked traffic was SNMP (UDP 161) from a 10.10.112.x device to the management server (192.168.59.243). The management server is explicitly allowed, but why wouldn't the device be allowed to talk back?
By applying the ACL to the VLAN, do I need to account for intra-VLAN traffic as well? That is why I'm confused. Which direction is "In" on a VLAN interface? Thanks.
09-13-2010 06:22 AM
Inbound on a VLAN interface is for traffic coming FROM clients on the VLAN going to a remote destination. Note this includes traffic initiated from the clients but also return traffic from the clients to any remote destination, i.e. all traffic from clients.
Outbound on a VLAN interface is for traffic going TO clients on the VLAN coming from a remote destination. It also includes return traffic from a remote destination for connections initiated from the client.
So if you are trying to filter traffic going to that VLAN then your ACL should be applied outbound.
Jon
09-13-2010 06:22 AM
Hello,
With regard to VLAN interfaces, the "in" keyword signifies any traffic that is received by the VLAN interface. This could be from hosts within the VLAN or from other layer 3 interfaces. Upon inspecting your configuration, I see that the SNMP traffic is originated from a 10.10.112.x device to the management server 192.168.59.243. In your access-list, you have not allowed this traffic. The access-list should look like:
 permit udp 10.10.112.0 0.0.3.255 host 192.168.59.243 eq snmp
Regards,
NT
09-13-2010 06:39 AM
OK, so if I'm understanding correctly, when it comes to an SVI, "IN" is any traffic received by the SVI, whether it originates from a remote IP (in my case, not 10.10.112.x/23) or from the VLAN (10.10.112.x/23). So by applying the ACL "In" I need to account for traffic in both directions. Thanks everyone.
09-13-2010 06:44 AM
rtjensen4 wrote:
OK, so if I'm understanding correctly, when it comes to an SVI, "IN" is any traffic received by the SVI, whether it originates from a remote IP (in my case, not 10.10.112.x/23) or from the VLAN (10.10.112.x/23). So by applying the ACL "In" I need to account for traffic in both directions. Thanks everyone.
Just to clarify. Inbound, the source IP address will always be an IP address from within that VLAN. The connection could have been initiated from a client on that VLAN or it could be return traffic from a connection initiated from a remote IP, but the source IP will always be from the client on that VLAN.
This is the main issue with stateless ACLs, i.e. you have to not only account for traffic initiated from your clients but also traffic sent as part of a connection initiated remotely. This is where the following can help:
1) the "established" keyword, which allows TCP traffic through if the connection has been established (TCP only though)
2) reflexive access-lists which automatically allow the return traffic if you have allowed the outbound connection
3) stateful firewalls which take care of the return traffic for you
Jon
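The two points made above (NT's: the SNMP reply from a 10.10.112.x device never hits a permit whose destination is 10.10.112.0/22; Jon's: an inbound SVI ACL only ever sees packets whose source is in the VLAN, so "established" has to be written with the VLAN as the source) can be checked without a 4507. The block below is an added example, not code from this thread or from Cisco: a small stateless evaluator for IOS extended-ACL syntax with wildcard masks, "eq" port qualifiers and "established", run against a constructed subset of the posted ACL and against a rewrite for the "in" direction. The host addresses 10.10.112.50 and 192.168.110.7 and the ephemeral ports are made up. One caveat the example models: an SNMP agent answers from UDP 161, so in the rewrite "eq snmp" sits on the source side rather than the destination side used in the reply above.

```python
"""Stateless IOS extended-ACL evaluator, used to show why an ACL applied "in"
on an SVI only ever matches packets SOURCED from that VLAN.
Added example; not code from the thread or from Cisco."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Port keywords used in the thread's ACL (IOS name -> number).
PORT_NAMES = {"snmp": 161, "ftp": 21, "ftp-data": 20, "telnet": 23, "www": 80}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. {"ACK"}


@dataclass(frozen=True)
class ACE:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: tuple             # (network, wildcard) as ints; "host" = wildcard 0
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    established: bool


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _addr(toks, i):
    """Consume one IOS address spec: any | host A.B.C.D | NETWORK WILDCARD."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2


def _port(toks, i):
    """Consume an optional 'eq PORT' qualifier following an address spec."""
    if i < len(toks) and toks[i] == "eq":
        name = toks[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text):
    """Parse ACE lines in IOS syntax; 'remark' and blank lines are skipped."""
    acl = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] == "remark":
            continue
        action, proto = toks[0], toks[1]
        src, i = _addr(toks, 2)
        sport, i = _port(toks, i)
        dst, i = _addr(toks, i)
        dport, i = _port(toks, i)
        acl.append(ACE(action, proto, src, sport, dst, dport, "established" in toks[i:]))
    return acl


def _covers(spec, addr):
    net, wildcard = spec
    return (_ip(addr) | wildcard) == (net | wildcard)  # wildcard bit 1 = don't care


def _matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _covers(ace.src, pkt.src) or not _covers(ace.dst, pkt.dst):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.established and not (pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}):
        return False  # 'established' only matches TCP segments with ACK or RST set
    return True


def evaluate(acl, pkt):
    """First matching ACE wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if _matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed subset of the ACL in the original post (VLAN 800 is the DESTINATION).
POSTED_IN = """
permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
permit udp host 192.168.59.243 10.10.112.0 0.0.3.255 eq snmp
permit tcp 192.168.0.0 0.0.255.255 10.10.112.0 0.0.3.255 established
deny ip any any log
"""

# Constructed rewrite for the "in" direction: VLAN 800 hosts are the SOURCE.
# The SNMP agent answers FROM udp/161, so 'eq snmp' goes on the source side.
CORRECTED_IN = """
remark VoIP to VoIP across the 10.10.0.0/16 branches
permit ip 10.10.112.0 0.0.3.255 10.10.0.0 0.0.255.255
remark SNMP and ICMP replies to the management server
permit udp 10.10.112.0 0.0.3.255 eq snmp host 192.168.59.243
permit icmp 10.10.112.0 0.0.3.255 host 192.168.59.243
remark replies to sessions opened from the 110 management network
permit tcp 10.10.112.0 0.0.3.255 192.168.110.0 0.0.0.255 established
deny ip any any log
"""

# Constructed packets; subnets are the thread's, host octets and ports are made up.
SNMP_REPLY = Packet("10.10.112.50", "192.168.59.243", "udp", sport=161, dport=51234)
RDP_REPLY = Packet("10.10.112.50", "192.168.110.7", "tcp", sport=3389, dport=49877,
                   flags=frozenset({"ACK"}))
RDP_FROM_PHONE = Packet("10.10.112.50", "192.168.110.7", "tcp", sport=49878, dport=3389,
                        flags=frozenset({"SYN"}))


def verdicts():
    posted, fixed = parse_acl(POSTED_IN), parse_acl(CORRECTED_IN)
    return {
        "snmp_reply_posted": evaluate(posted, SNMP_REPLY),        # deny: falls to the log line
        "snmp_reply_fixed": evaluate(fixed, SNMP_REPLY),          # permit
        "rdp_reply_fixed": evaluate(fixed, RDP_REPLY),            # permit via 'established'
        "rdp_from_phone_fixed": evaluate(fixed, RDP_FROM_PHONE),  # deny: SYN without ACK
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:22s} {verdict}")
```

The "established" line in the rewrite lets a phone answer an RDP, SSH or HTTP session opened from the 110 network but still drops a SYN the phone originates toward that network, which is as much session awareness as a stateless ACL gives you; UDP and ICMP replies have no flag to key on, so those need explicit permits like the SNMP and ICMP lines, or a reflexive ACL or a stateful firewall as the reply above lists.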