Cisco Support Community
Bronze

ACL Direction on VLAN

On a vlan interface, what direction is "In"?

I'm trying to create a filter on my VoIP VLAN which will limit the devices allowed to communicate with that VLAN. I'm not filtering traffic leaving that subnet.

interface Vlan800
 ip address 10.10.112.1 255.255.252.0
 ip access-group voip-filter in

interface Vlan101
 ip address 192.168.101.0 255.255.255.0

So, in the above config snippet, would the "IN" direction be from the 101 subnet to the VoIP subnet?

Or is "IN" devices on VLAN800 talking through the 112.1 gateway? I applied an ACL to the VLAN in production and got some interesting results.

Setup is two 4507Rs with the same VLAN config in an HSRP configuration. I was seeing traffic denied going to a server it should be going to. Here's the ACL I used:

ip access-list extended voip-filter
 remark Allow VoIP to VoIP communications to branches
 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 remark Permit Applicable VoIP servers / services not on the VoIP Subnet
permit ip host 192.168.101.21 10.10.112.0 0.0.3.255
permit ip host 192.168.101.23 10.10.112.0 0.0.3.255
permit ip host 192.168.101.28 10.10.112.0 0.0.3.255
permit ip host 192.168.101.29 10.10.112.0 0.0.3.255
permit ip host 192.168.101.30 10.10.112.0 0.0.3.255
permit ip host 192.168.101.31 10.10.112.0 0.0.3.255
permit ip host 192.168.102.129 10.10.112.0 0.0.3.255
 remark Permit SNMP and ICMP for SW Server
permit udp host 192.168.59.243 10.10.112.0 0.0.3.255 eq snmp
permit icmp host 192.168.59.243 10.10.112.0 0.0.3.255
permit udp host 192.168.59.243 10.10.112.0 0.0.3.255 eq 137
 remark Permit Management from the 110 Network
permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq 3389
permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq ftp-data
permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq ftp
permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq 22
permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq telnet
permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq www
permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq 443
permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq 9090
permit udp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq snmp
permit icmp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255
 remark Allow return traffic from connections initiated from VoIP Subnets
permit tcp 192.168.0.0 0.0.255.255 10.10.112.0 0.0.3.255 established
deny ip any any log

An example I was seeing of blocked traffic was SNMP (udp 161) from a 10.10.112.x device to the management server (192.168.59.243). The management server is explicitly allowed, but why wouldn't the device be allowed to talk back?

By applying the ACL to the VLAN, do I need to account for intra-VLAN traffic as well? That is why I'm confused. Which direction is "In" on a VLAN interface... Thanks.

2 ACCEPTED SOLUTIONS
Hall of Fame Super Blue

Re: ACL Direction on VLAN

Inbound on a vlan interface is for traffic coming FROM clients on the vlan going to a remote destination. Note this includes traffic initiated from the clients but also return traffic from the clients to any remote destination, i.e. all traffic from clients.

Outbound on a vlan interface is for traffic going TO clients on the vlan coming from a remote destination. It also includes return traffic from a remote destination for connections initiated from the client.

So if you are trying to filter traffic going to that vlan then your acl should be applied outbound.

Jon

Cisco Employee

Re: ACL Direction on VLAN

Hello,

With regard to the VLAN interfaces, the "in" keyword signifies any traffic that is received by the VLAN interface. This could be from hosts within the VLAN or from other layer 3 interfaces. Upon inspecting your configuration, I see that the SNMP traffic is originated from a 10.10.112.x device to the management server 192.168.59.243. In your access-list, you have not allowed this traffic. The access-list should look like

permit udp 10.10.112.0 0.0.3.255 host 192.168.59.243 eq snmp

Regards,

NT

4 REPLIES
Bronze

Re: ACL Direction on VLAN

Ok, so if I'm understanding correctly, when it comes to an SVI, "IN" is any traffic received by the SVI, whether it originates from a remote IP (in my case, not 10.10.112.x/23) or from the vlan (10.10.112.x/23). So by applying the ACL "In" I need to account for traffic in both directions. Thanks everyone.

Hall of Fame Super Blue

Re: ACL Direction on VLAN

rtjensen4 wrote:

Ok, so if I'm understanding correctly, when it comes to an SVI, "IN" is any traffic received by the SVI, whether it originates from a remote IP (in my case, not 10.10.112.x/23) or from the vlan (10.10.112.x/23). So by applying the ACL "In" I need to account for traffic in both directions. Thanks everyone.

Just to clarify. Inbound the source IP address will always be an ip address from within that vlan. The connection could have been initiated from a client on that vlan or it could be return traffic from a connection initiated from a remote IP but the source IP will always be from the client on that vlan.

This is the main issue with stateless acls, i.e. you have to not only account for traffic initiated from your clients but also traffic sent as part of a connection initiated remotely. This is where the following can help -

1) the "established" keyword which allows TCP traffic through if the connection has been established (TCP only though)

2) reflexive access-lists which automatically allow the return traffic if you have allowed the outbound connection

3) stateful firewalls which take care of the return traffic for you

Jon
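To make the direction point concrete, here is an added example (my own code, not anything posted in the thread): a small evaluator for IOS-style extended ACEs, run against a subset of the OP's voip-filter with packets built the way the Vlan800 SVI actually sees them inbound, i.e. with a 10.10.112.0/22 host as the source. The ACE list, the packets and the host addresses are constructed for the demonstration; it shows the SNMP packet being dropped by the implicit deny, permitted once NT's ACE is added, and the `established` ACE never matching inbound because its source range is written backwards for that direction.

```python
import ipaddress

PORTS = {"snmp": 161, "www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23}

def _addr(tokens, i):
    """Parse 'host A', 'any' or 'A WILDCARD' at tokens[i]; return ((addr, wildcard), next_i)."""
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line):
    t = line.split()            # action proto src [wc] dst [wc] [eq port] [established]
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    rest = t[i:]
    port = rest[rest.index("eq") + 1] if "eq" in rest else None
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst,
            "dport": (PORTS.get(port) or int(port)) if port else None,
            "established": "established" in rest}

def _match(ip, pair):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    addr, wc = (int(ipaddress.IPv4Address(x)) for x in pair)
    return (int(ipaddress.IPv4Address(ip)) | wc) == (addr | wc)

def evaluate(acl, pkt):
    """First matching ACE wins; the implicit 'deny ip any any' applies if none matches."""
    for ace in map(parse_ace, acl):
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not (_match(pkt["src"], ace["src"]) and _match(pkt["dst"], ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        if ace["established"] and not pkt.get("ack"):   # 'established' = ACK or RST set
            continue
        return ace["action"]
    return "deny"

# Subset of the thread's voip-filter (remarks dropped), then with NT's ACE appended.
VOIP_FILTER = [
    "permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255",
    "permit udp host 192.168.59.243 10.10.112.0 0.0.3.255 eq snmp",
    "permit tcp 192.168.110.0 0.0.0.255 10.10.112.0 0.0.3.255 eq 3389",
    "permit tcp 192.168.0.0 0.0.255.255 10.10.112.0 0.0.3.255 established",
]
VOIP_FILTER_FIXED = VOIP_FILTER + ["permit udp 10.10.112.0 0.0.3.255 host 192.168.59.243 eq snmp"]

# Constructed packets as seen INBOUND on Vlan800 (source is always a 10.10.112.0/22 host).
SNMP_FROM_PHONE = {"proto": "udp", "src": "10.10.112.40", "dst": "192.168.59.243", "dport": 161}
RDP_REPLY_FROM_PHONE = {"proto": "tcp", "src": "10.10.112.40", "dst": "192.168.110.5", "dport": 50123, "ack": True}
```

One caveat a practitioner will hit in practice: a reply to an SNMP poll carries 161 as its source port, not its destination port, so matching polled responses inbound needs `eq snmp` after the source address; the packet above is modelled on the thread's description and NT's ACE is used exactly as written.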
