Cisco Support Community
New Member

ACL direction when applied to a VLAN on a switch

This question concerns applying ACLs to interfaces vs. applying ACLs to VLANs.

Let's use the following example:

access-list 100 permit tcp host 192.168.5.5 host 172.16.1.10 eq ftp

then on the router interface I apply this ACL INBOUND

so I say on the interface

ip access-group 100 in

This means "in" towards the router vs. if I had used "out", meaning "out away from the router".

Now I want to understand this with respect to a VLAN

If I apply an ACL using Access-group on an OUT direction to a VLAN, does that not mean traffic that is leaving the VLAN?

Here is my issue:

interface Vlan103
description Disaster Recovery SCADA Network A
ip address 192.168.103.1 255.255.255.0
ip access-group LoSCADA-vlan103 out
end

In the following example, I would have thought that I would have to write the ACL so that the source was anything in the 192.168.103 network, and that anything external would be the destination in the ACL. But when I examine the associated ACL I see on this device (ACL LoSCADA-vlan103), this seems inverted.

For some reason, I am not understanding the direction of traffic flow.

Thanks

Kevin

3 REPLIES
Hall of Fame Super Bronze

Re: ACL direction when applied to a VLAN on a switch

interface Vlan103
description Disaster Recovery SCADA Network A
ip address 192.168.103.1 255.255.255.0

Taking Vlan 103 as an example, if you apply an ACL on the 'in' direction, the source must be within the 192.168.103.x subnet while the destination can be anything.

If you apply an ACL in the 'out' direction, the source can be anything while the destination can be 'any' or 192.168.103.x

Blue

Re: ACL direction when applied to a VLAN on a switch

An access-list applied outbound to a vlan interface filters traffic going TO machines on that vlan.

An access-list applied inbound to a vlan filters traffic coming FROM machines on that vlan.
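Added example, not code from this thread or from Cisco: a small Python model of the two replies above. It assumes the 192.168.103.0/24 subnet from interface Vlan103 and constructed addresses 10.0.0.5 (a management host outside the VLAN) and 192.168.103.20 (a SCADA host inside it), and shows why an ACL written with the VLAN hosts as source but applied in the 'out' direction is never matched and falls through to the implicit deny.

```python
# Added example (not from the thread): models which routed packets an ACL applied
# to an SVI sees in each direction, then evaluates a simple permit/deny list.
import ipaddress

VLAN103 = ipaddress.ip_network("192.168.103.0/24")   # subnet from interface Vlan103
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")        # constructed management subnet

def traverses(direction, svi_subnet, src, dst):
    """True if a packet routed through the SVI is checked by an ACL in this direction.
    'in'  = entering the router from hosts on the VLAN  -> source is on the VLAN
    'out' = leaving the router toward hosts on the VLAN -> destination is on the VLAN
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        return src in svi_subnet
    if direction == "out":
        return dst in svi_subnet
    raise ValueError(f"unknown direction {direction!r}")

def evaluate(acl, src, dst):
    """First-match evaluation of [(action, src_net, dst_net), ...] with implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def filter_outcome(direction, svi_subnet, acl, src, dst):
    """'not-checked' if the ACL never sees the packet, else the ACL's verdict."""
    if not traverses(direction, svi_subnet, src, dst):
        return "not-checked"
    return evaluate(acl, src, dst)

# Constructed sample hosts: management host outside the VLAN, SCADA host inside it.
MGMT, SCADA = "10.0.0.5", "192.168.103.20"
# ACL written the way the question expected (VLAN hosts as source), applied 'out':
inverted_acl = [("permit", VLAN103, MGMT_NET)]
# ACL written the way the replies describe (VLAN hosts as destination), applied 'out':
correct_acl = [("permit", MGMT_NET, VLAN103)]

if __name__ == "__main__":
    print(filter_outcome("out", VLAN103, inverted_acl, MGMT, SCADA))  # deny (implicit)
    print(filter_outcome("out", VLAN103, correct_acl, MGMT, SCADA))   # permit
    print(filter_outcome("out", VLAN103, correct_acl, SCADA, MGMT))   # not-checked
```

The first call is the failure mode behind the question: with the source and destination swapped relative to the direction, nothing routed toward the VLAN ever matches, so every packet hits the implicit deny.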

Hall of Fame Super Bronze

Re: ACL direction when applied to a VLAN on a switch

Isn't that what I said?
