Cisco Support Community
New Member

Pls explain SVI ACL source and destination direction

Hi I have a home network up and running well that uses a Cisco 1801.

I am just trying to increase my understanding of some of its config and I'm confused by ACLs on a VLAN interface.

Ok so I 'be the router' and imagine packets flowing to me and from me

I have two VLANs configured

VLAN 10 - 10.10.10.0 / 25

VLAN 20 - 10.10.10.128 /27

So for example, one of my Virtual Machines has an address 10.10.10.6 and is on VLAN 10.

Another has an address of 10.10.10.134 and is on VLAN 20.

I want to allow 10.10.10.6 access to 10.10.10.134, but prevent other VLAN 10 devices access.

So I create an ACL and apply it inbound of interface Vlan 20.

The config below works as desired, but I don't understand why.

If the packet filtering is for the inbound direction of the interface, then my logic would state that the source address of the packet to be filtered would be 10.10.10.6, not 10.10.10.134.

Can someone help me understand? Thanks.

interface Vlan20
 ip access-group ACL-INBOUND in
!
ip access-list extended ACL-INBOUND
 permit ip host 10.10.10.134 host 10.10.10.6 log-input

28 REPLIES

Pls explain SVI ACL source and destination direction

You're correct in your thinking. The reason that the above acl works is because the return traffic is allowed and everything else on vlan 20 is denied. Think of it this way, if you had an acl inbound on vlan 20, anything sourced from vlan 20 (any host on that vlan) trying to get out has to go to the vlan 20 svi on the INBOUND side. If you had the same vlan 20 source address, but you had the acl on vlan 10, you could apply the acl in the OUTBOUND direction. So, these two acls do the same thing:

int vlan 20
 ip access-group ACL-INBOUND in

ip access-list extended ACL-INBOUND
 permit ip host 10.10.10.134 host 10.10.10.6 log-input

OR

int vlan 10
 ip access-group ACL-INBOUND out

ip access-list extended ACL-INBOUND
 permit ip host 10.10.10.134 host 10.10.10.6 log-input

The difference is the svi that you're applying it to and the direction that it's in.

Another example would be for vlan 20:

int vlan 20
 ip access-group ACL-INBOUND in

ip access-list extended ACL-INBOUND
 permit ip host 10.10.10.134 host 10.10.10.6 log-input

Or you could change your acl and apply outbound to:

ip access-list extended ACL-OUTBOUND
 permit ip host 10.10.10.6 host 10.10.10.134 log-input

Then on vlan 20:

int vlan 20
 ip access-group ACL-OUTBOUND out

HTH,
John

*** Please rate all useful posts ***

New Member

Re: Pls explain SVI ACL source and destination direction

I'm still confused.

Is this anything to do with why an ACL that blocks ip addresses of devices on the same VLAN does not work, but yet the devices have to be explicitly permitted access to the gateway address of that VLAN (the router) in order for them to reach other subnets?

For example...

With a 10.10.10.0 / 25 subnet

ip access-list extended ACL-IN
 deny ip host 10.10.10.4 host 10.10.10.5

Does nothing for these devices connected via a L2 switch to the router because the devices at those addresses communicate without the use of the router as they are in the same broadcast domain.

but the rules change if I want any device in this subnet to be able to use the router at 10.10.10.1 to access another subnet.

10.10.10.1 is the same broadcast domain but yet I have to change my access list like below

ip access-list extended ACL-IN
 deny ip host 10.10.10.4 host 10.10.10.5
 permit ip host 10.10.10.1 10.10.10.0 0.0.0.127

Where is a good source for simple explanations of ACLs? Not so much the syntax, but more an overview of how the processing works on the flow of traffic to and from the router.

I understand that an ACL tied inbound to a physical port say Fa1....The source address in the ACL would control the traffic coming into the router via that port and the destination address would control traffic leaving via that port.

Why are the rules changed for VLANs?

I need an analogy

I need an explanation that begins like....."Think of a VLAN / SVI as an....."

Thanks anyway

Hall of Fame Super Blue

Re: Pls explain SVI ACL source and destination direction

A vlan SVI is no different than a physical interface in regards to an acl ie.

an acl applied inbound to an SVI controls traffic from devices in that vlan

an acl applied outbound to an SVI controls traffic to devices in that vlan

I want to allow 10.10.10.6 access to 10.10.10.134, but prevent other VLAN 10 devices access.

access-list 101 permit ip host 10.10.10.6 host 10.10.10.134
access-list 101 deny ip 10.10.10.0 0.0.0.127 host 10.10.10.134
access-list 101 permit ip any any

int vlan 10
 ip access-group 101 in

The above acl allows 10.10.10.6 to talk to 10.10.10.134 but blocks all the other 10.10.10.x/25 clients from talking to 10.10.10.134. It then allows 10.10.10.x/25 clients to talk to everything else. Note you may not want the "permit ip any any" at the end but you would probably want other permit lines so I included a general permit all.

Hopefully you can see it is the same concept as applying an acl to a physical interface in terms of inbound and outbound. Probably where the confusion came from was that you applied the acl to vlan 20 so it actually blocked the return traffic and not the initial packets coming from vlan 10.

It's generally a better approach to filter the packets at their source.

Jon

Cisco Employee

Re: Pls explain SVI ACL source and destination direction

Dear friends,

Perhaps this quickly-boiled picture removes some doubts about the SVIs and the in/out direction regarding the SVIs:

Imagine a multilayer switch as having a "router" inside. This router is connected to defined VLANs using its interface Vlan interfaces to provide inter-VLAN routing. All in and out descriptions refer to interface Vlan.

Best regards,

Peter

New Member

Access-lists have been configured as per the matrix table and show command below. But a PC in D01 cannot reach a PC in the DMZ, though it can reach the DMZ gateway.

 

                 DESTINATION
SOURCE     D01    D02    D03    DMZ
D01         x      x
D02         x      x
D03         x      x
DMZ         x      x      x

CS-SW#show access-lists
Extended IP access list 100
    10 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
    20 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255 (28 match(es))
Extended IP access list 101
    10 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
    20 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Extended IP access list 102
    10 permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
Extended IP access list 103
    20 permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255

 

Note: All access lists have been applied in the inbound direction

interface Vlan1    //D01
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan10  //D02
 ip address 192.168.10.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan20  //DMZ
 ip address 192.168.20.2 255.255.255.0
 ip access-group 102 in

Kindly advise, as I am a bit confused.

New Member

Thanks Peter. This thread and comment might be 4 years old but his diagram broke it down Barney style for me and was extremely effective in helping me understand how the ACLs for SVIs work. 

Nick

Cisco Employee

Nick,

Thank you very much for letting me know. I really appreciate it - and I am glad the diagram helped!

Best regards,
Peter

New Member

Pls explain SVI ACL source and destination direction

Thank you.

It becomes a lot more clear when you apply the ACL to the source of the traffic that is to be filtered.

Another thing with ACLs that I was not clear about until your example....

When a deny statement is encountered that filters a particular ip address entering an interface....

deny ip host 10.10.10.6 10.10.10.0 0.0.0.127

permit ip any any

Processing for the 10.10.10.6 address is stopped, and any further ACL statement that implicitly allows that address will not include that address in its processing because it has been previously denied....Is this correct?

Hall of Fame Super Blue

Re: Pls explain SVI ACL source and destination direction

deny ip host 10.10.10.6 10.10.10.0 0.0.0.127

permit ip any any

Processing for the 10.10.10.6 address is stopped, and any further ACL statement that implicitly allows that address will not include that address in its processing because it has been previously denied....Is this correct?

It is stopped for the host 10.10.10.6 when the destination IP is from the 10.10.10.x/25 network. So, yes if the first line matches then the acl processing stops ie. it does not get to the "permit ip any any" line.

However if 10.10.10.6 tried to access anything else ie. not a 10.10.10.x/25  address then the first line does not match so it would go to the second line and be allowed.

Jon

New Member

Pls explain SVI ACL source and destination direction

The entire ACL is stopped when a match is made?

So further packets with non matching ip addresses are processed by restarting the ACL list processing from the top?

Hall of Fame Super Blue

Re: Pls explain SVI ACL source and destination direction

The entire ACL is stopped when a match is made?

So further packets with non matching ip addresses are processed by restarting the ACL list processing from the top?

Yes, once a match is made that is it, no more entries in the acl are checked. Each packet is checked in isolation against the acl and it is checked starting at the top line and working its way through until a match is made. If it gets through all the lines and no match is made then the packet is denied because there is an implicit deny at the end of an acl.

This is often why you see acls with specific permit/deny lines then a "permit ip any any" at the end.

Because you run sequentially through the acl if your acl is large it is best practice to try and place the acl lines that will be matched the most at the top of the acl.

Jon
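To make Jon's first-match rule and the inbound/outbound direction concrete, here is an added Python model (not from this thread and not Cisco code): it evaluates extended ACEs top to bottom with wildcard masks and the implicit deny, then pushes a request and its reply through two SVIs so the original poster's ACL on Vlan20 can be compared with Jon's ACL on Vlan10. Assumptions: 10.10.10.129 as the Vlan20 SVI address, 10.10.10.7 as a second (constructed) VLAN 10 host, and that the router's own replies are not subject to interface ACLs.

```python
import ipaddress
from collections import namedtuple

def _wild_match(addr, spec):
    # spec is 'any' or 'NET WILDCARD'; wildcard 1-bits are don't-care bits
    if spec == "any":
        return True
    net, wild = (int(ipaddress.IPv4Address(p)) for p in spec.split())
    return int(ipaddress.IPv4Address(addr)) & ~wild == net & ~wild

def _take_spec(tokens):
    # consume one address spec: 'any', 'host X' (kept as 'X 0.0.0.0') or 'X WILDCARD'
    if tokens[0] == "any":
        return "any", tokens[1:]
    spec = f"{tokens[1]} 0.0.0.0" if tokens[0] == "host" else f"{tokens[0]} {tokens[1]}"
    return spec, tokens[2:]

def parse_acl(text):
    # 'permit|deny ip SRC DST [log-input]' lines -> list of (action, src_spec, dst_spec)
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t and t[0] != "remark":
            src, rest = _take_spec(t[2:])
            aces.append((t[0], src, _take_spec(rest)[0]))
    return aces

def acl_permits(aces, src, dst):
    # checked top to bottom, first matching ACE wins; no match is the implicit deny
    for action, s, d in aces:
        if _wild_match(src, s) and _wild_match(dst, d):
            return action == "permit"
    return False

# acl_in is applied 'in' (packets FROM hosts in the VLAN), acl_out 'out' (packets TO them)
SVI = namedtuple("SVI", "name network ip acl_in acl_out", defaults=(None, None))

def _svi_for(svis, addr):
    return next(s for s in svis if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(s.network))

def one_way(svis, src, dst):
    # one packet src -> dst through the 'router inside the switch' (Peter's picture)
    ingress, egress = _svi_for(svis, src), _svi_for(svis, dst)
    if src == ingress.ip:
        return "router-originated (interface ACLs not applied)"
    if ingress is egress and dst != egress.ip:
        return "switched inside the VLAN (never reaches the SVI)"
    if ingress.acl_in is not None and not acl_permits(ingress.acl_in, src, dst):
        return f"dropped by inbound ACL on {ingress.name}"
    if dst == egress.ip:
        return f"delivered to {egress.name} itself"
    if egress.acl_out is not None and not acl_permits(egress.acl_out, src, dst):
        return f"dropped by outbound ACL on {egress.name}"
    return f"forwarded out {egress.name}"

def exchange(svis, src, dst):
    # request plus reply: a ping only succeeds when both directions pass
    return one_way(svis, src, dst), one_way(svis, dst, src)

# Topology from the thread; 10.10.10.129 is an assumed address for the Vlan20 SVI.
OP_ACL = parse_acl("permit ip host 10.10.10.134 host 10.10.10.6 log-input")
JON_ACL = parse_acl("""permit ip host 10.10.10.6 host 10.10.10.134
deny ip 10.10.10.0 0.0.0.127 host 10.10.10.134
permit ip any any""")

def topology(acl_on):
    # acl_on="Vlan20": the poster's placement; acl_on="Vlan10": Jon's (filter at the source)
    return [SVI("Vlan10", "10.10.10.0/25", "10.10.10.1", JON_ACL if acl_on == "Vlan10" else None),
            SVI("Vlan20", "10.10.10.128/27", "10.10.10.129", OP_ACL if acl_on == "Vlan20" else None)]
```

The same functions model the D01/DMZ post above: ACL 100 inbound on Vlan1 lets 192.168.1.0/24 reach 192.168.20.0/24, but ACL 102 inbound on Vlan20 permits only 192.168.20.0/24 to itself, so the DMZ PC's reply is dropped inbound on Vlan20 while the DMZ gateway's own reply, being router-originated, is not filtered. That is the symptom reported there: the gateway answers, the PC behind it does not.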

New Member

Re: Pls explain SVI ACL source and destination direction

Brilliant explanation....Thank you.

Silver

Pls explain SVI ACL source and destination direction

As Jon explained there is really no difference with ACL on SVI or physical port.

What you need to understand though is that if you have 10 clients in the same VLAN on a switch. When these clients communicate the traffic never passes the SVI. The switch simply forwards the frames based on the destination MAC address. If you want to filter traffic within a VLAN you need to use a VLAN ACL (VACL).

The only traffic that goes through the SVI is traffic leaving or arriving to the VLAN. Meaning that the traffic was routed. If a client in say VLAN 10 wants to communicate with a client in VLAN 20 then the VLAN 10 client will ARP for its gateway. Encapsulate the frame with SRC IP = Own IP, DST IP = VLAN 20 client, SRC MAC = Own MAC and DST MAC = GW MAC. This frame will arrive at the SVI and inbound ACL will be checked. The packet is routed and delivered to VLAN 20. Outbound ACL is checked there. Return traffic arrives inbound at SVI for VLAN 20 and inbound ACL is checked. Traffic then returns to SVI for VLAN 10 and outbound ACL is checked there.

You can think of it as two cities with a bridge between them. To go to the other city one must travel over the bridge. The bridge has guards at both sides. The bridge is the SVI. The guards represent the ACL. So there is both inbound and outbound check.

Daniel Dib
CCIE #37149

Please rate helpful posts.

Purple

Pls explain SVI ACL source and destination direction

Hi Daniel,

If you want to filter traffic within a VLAN you need to use a VLAN ACL (VACL).

Wouldn't a port ACL block traffic between 2 devices in the same vlan as well as between devices in different vlans too?

Regards

Alain

Don't forget to rate helpful posts.

Hall of Fame Super Blue

Re: Pls explain SVI ACL source and destination direction

Alain

Hope you don't mind me answering.

A port acl could block traffic between devices in the same vlan but they are often limited by the fact that they are only allowed in an inbound direction. So if you had a host connected to that port and you wanted to stop a certain set of IPs from sending any traffic to that host you couldn't do it. In addition it would not be possible, using port acls, to block things like multicast/broadcast traffic within the vlan going to that host.

You could write the acl so that it stopped the host from sending any return packets to those IPs but sometimes that is not enough and you need to stop any packets actually being sent to the host. I suppose you could then argue that you can apply a port acl to each of the IPs' ports inbound but that would become a configuration headache if there were a large set of them.

They are generally just not as flexible as either acls applied to the SVI for inter vlan traffic or VACLs within a vlan.

Jon

Purple

Pls explain SVI ACL source and destination direction

Jon,

of course you are welcome to answer.

Yes it is less scalable and not applicable in some situations but I just wanted to stress that it was not technically mandatory to use a VACL, but you're right explaining the restrictions I omitted to mention (end of the year now so I'm a little bit tired).

Regards

Alain

Don't forget to rate helpful posts.

New Member

Pls explain SVI ACL source and destination direction

That doesn't explain why the SVI's address is subject to the ACL rules when it is an address which is on the same street as traffic that may want to use the bridge to cross to another network.

The traffic isn't leaving or arriving to the VLAN because it is on the same VLAN.

So I don't see why the following is necessary

ip access-list extended ACL-IN
 remark allow all hosts access to gateway
 permit ip host 10.10.10.1 10.10.10.0 0.0.0.127

Pls explain SVI ACL source and destination direction

"That doesn't explain why the SVI's address is subject to the ACL rules when it is an address which is on the same street as traffic that may want to use the bridge to cross to another network."

As Peter stated above, it's like a router. Think of the SVI as a separate router. You have two of them. If you had two routers and you wanted to block traffic between them, you would use an acl on the one that you want to block traffic from. The SVI is the same concept in that if you want to block intervlan traffic, you would use an acl because all traffic leaving that vlan that needs to be routed, will use the SVI as its default gateway.

With intravlan traffic, traffic that stays within the vlan as in host to server on the same subnet, will not have to go to the SVI to be routed, so that's where VACLs come in as mentioned by Daniel above.

HTH,
John

*** Please rate all useful posts ***

New Member

Pls explain SVI ACL source and destination direction

But the SVI address is on the same VLAN as the other devices so conceptually, no traffic is entering or exiting that VLAN when devices want to access the SVI.

Say a ping from a server to the SVI.....In my mind, this traffic virtually is not leaving the VLAN....Physically yes, it has to leave a server NIC and arrive into a switch port, and then from another switch port it travels out to the router.....

I'm not trying to be difficult and appreciate your explanation.

Is it better to think that the traffic is all on the same virtual LAN which is not subject to ACL control (unless using VACLs) but when it comes to accessing the gateway address (the actual router) the router can control traffic that is coming into and leaving it so it does have control over this?

Hall of Fame Super Blue

Re: Pls explain SVI ACL source and destination direction

It is the same as you would see on a physical interface.

If you ping any host within the same vlan then the traffic does not go to the SVI as you say. If you ping a host in a different vlan then traffic does go via the SVI so the acl is applied (as long as the acl is applied inbound).

If you ping the SVI of the vlan from a host in the same vlan then the acl (in an inbound direction) is applied to the traffic. So the acl applied inbound filters traffic both going through the SVI to a remote destination and to the SVI IP itself.

If the acl was applied outbound then the above statement would not be true and you would be able to ping the SVI from a host in the same vlan.

Jon

New Member

Pls explain SVI ACL source and destination direction

With intravlan traffic, traffic that stays within the vlan as in host to server on the same subnet, will not have to go to the SVI to be routed, so that's where VACLs come in as mentioned by Daniel above.

Are VACLs a Cisco thing or are they IEEE standardised and work on any L3 switch?

Thanks for all the help everyone...I have a much better understanding of ACLs.

Silver

Pls explain SVI ACL source and destination direction

I'm a bit confused by your statement. In your first example you had a deny statement and nothing after that. There is always an implicit deny at the end that blocks everything not permitted. So if you put a deny statement and nothing after that then all traffic will be blocked.

You don't need to permit traffic to the SVI for routing to work. Clients would still be able to communicate as long as that traffic is permitted. If you want to be able to ping the gateway then traffic must be allowed towards the SVI.

Daniel Dib
CCIE #37149

Please rate helpful posts.

New Member

Re: Pls explain SVI ACL source and destination direction

You don't need to permit traffic to the SVI for routing to work.

This is what doesn't make sense for me as I would say the same as you, but this is not how it works for me whenever I apply an ACL to a VLAN.

Devices that are connected to the L2 switch cannot route to other VLANs on the switch until I explicitly permit access to the SVI address of the router for all addresses in that VLAN's subnet, by setting previously mentioned statement on the Cisco router.

Silver

Pls explain SVI ACL source and destination direction

Hmm,

That is not the behavior I see. This is before putting any ACL; 10.0.0.1 and 20.0.0.1 are the IPs of the GW, 20.0.0.3 is a host in VLAN 20.

R1#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 20.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 20.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.3, timeout is 2 seconds:
!!!!!

Everything is reachable. Then I configure ACL on SVI for VLAN 10.

SW1(config)#ip access-list extended DENY_PING_TO_SVI
SW1(config-ext-nacl)#deny ip host 10.0.0.11 host 10.0.0.1
SW1(config-ext-nacl)#permit ip any any
SW1(config-ext-nacl)#int vlan 10
SW1(config-if)#ip access-group DENY_PING_TO_SVI in

R1 can't ping 10.0.0.1 but 20.0.0.1 and 20.0.0.3 still works.

R1#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1#ping 20.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R1#ping 20.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

SW1#sh ip access-lists
Extended IP access list DENY_PING_TO_SVI
    10 deny ip host 10.0.0.11 host 10.0.0.1 (5 matches)
    20 permit ip any any (5 matches)

It's strange that we see different behavior. What platform and OS version are you running?

Daniel Dib
CCIE #37149

Please rate helpful posts.

Hall of Fame Super Blue

Pls explain SVI ACL source and destination direction

Can you post the exact config for this ?

Note also indicate whether the acl is applied inbound or outbound.

Jon

New Member

Pls explain SVI ACL source and destination direction

The ACLs are applied inbound....

I will post up the config.

Oh and to answer Daniel again.

The router is an 1801

Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)

New Member

Re: Pls explain SVI ACL source and destination direction

Thanks Daniel...I will try to look into this again as my config could be wrong somewhere.

I will isolate whether the problem only occurs with the ESXi virtual machines in my environment which could be a misconfiguration of the virtual network settings or whether a physical device plugged into the switch exhibits the same behaviour.

I will get back to you.

Thanks.
