Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
35713
Views
20
Helpful
4
Replies

ACL direction when applied to a VLAN on a switch

Go to solution
Kevin Melton
Level 2
Level 2

‎02-19-2010 08:43 AM - edited ‎03-06-2019 09:47 AM

This question concerns applying ACL's to interfaces vs. applying ACL's to VLAN's.

Lets use the following example:

Access list 100 permit tcp host 192.168.5.5 host 172.16.1.10 eq ftp

then on the router interface I apply this ACL INBOUND

so I say on the interface

access-group 100 in

This means in towards the router vs.  if I had used "out" meaning "out away from the router".

Now I want to understand this with respect to a VLAN

If I apply an ACL using Access-group on an OUT direction to a VLAN, does that not mean traffic that is leaving the VLAN?

Here is my issue:

interface Vlan103
description Disaster Recovery SCADA Network A
ip address 192.168.103.1 255.255.255.0
ip access-group LoSCADA-vlan103 out
end

IN the following example, I would have thought that I would have to write the ACL so that the source was anything in the 192.168.103 network, and that any thing external would be the destination in the ACL.  But when I examine the associated ACL i see on this device( ACL LoSCADA-vlan103), this seems inverted.

For some reason, I am not understanding the direction of traffic flow

Thanks

Kevin

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame

‎02-19-2010 08:59 AM 

interface Vlan103
 description Disaster Recovery SCADA Network A
 ip address 192.168.103.1 255.255.255.0

Taking Vlan 103 as an example, if you apply an ACL on the 'in' direction, the source must be within the 192.168.103.x subnet while the destination can be anything.

If you apply an ACL in the 'out' direction, the source can be anything while the destination can be 'any' or 192.168.103.x

View solution in original post

Go to solution
lamav
Level 8
Level 8
In response to Edison Ortiz

‎02-19-2010 09:18 AM

An access-list applied outbound to a vlan interface filters traffic going TO machines on that vlan.

An access-list applied inbound to a vlan filters traffic coming FROM machines on that vlan.

View solution in original post

4 Replies 4

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame

‎02-19-2010 08:59 AM 

interface Vlan103
 description Disaster Recovery SCADA Network A
 ip address 192.168.103.1 255.255.255.0

Taking Vlan 103 as an example, if you apply an ACL on the 'in' direction, the source must be within the 192.168.103.x subnet while the destination can be anything.

If you apply an ACL in the 'out' direction, the source can be anything while the destination can be 'any' or 192.168.103.x

Go to solution
lamav
Level 8
Level 8
In response to Edison Ortiz

‎02-19-2010 09:18 AM

An access-list applied outbound to a vlan interface filters traffic going TO machines on that vlan.

An access-list applied inbound to a vlan filters traffic coming FROM machines on that vlan.

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame
In response to lamav

‎02-19-2010 10:10 AM

Isn't that what I said?

0 Helpful

Go to solution
kam aujla
Level 1
Level 1
In response to Edison Ortiz

‎07-28-2022 08:30 AM

Exactly what  you said, but the words "TO" "From" really hit it home for me. Thanks to both of you.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card