Cisco Support Community

New Member

Quick Inbound ACL Question

I have two VLANs, 1 (native) and 2 (iSCSI), and I want to put inbound ACLs on to restrict the traffic that gets into VLAN 2. From the perspective of VLAN 2, does my inbound ACL get evaluated both for traffic originating from VLAN 1 and going into VLAN 2, AND for traffic originating in VLAN 2 going back to VLAN 1 (as traffic would be going 'in' the virtual interface for VLAN 2 to be routed back to VLAN 1)?

So if my iSCSI subnet was 10.0.0.0/24 and I wanted to allow www, https, and smtp (192.168.1.1):

! IOS ACLs take wildcard masks, so a /24 is written 0.0.0.255 (not 255.255.255.0)
ip access-list extended iSCSI_NetIn
 permit ip 10.0.0.0 0.0.0.255 any
 permit icmp any any echo
 permit tcp any 10.0.0.0 0.0.0.255 eq 80
 permit tcp any 10.0.0.0 0.0.0.255 eq 443
 remark SMTP
 permit tcp host 192.168.1.1 eq 25 10.0.0.0 0.0.0.255 established
 deny ip any any log
!
interface Vlan2
 ip access-group iSCSI_NetIn in

In reality I am going to have ACLs on both VLAN 1 and the other VLANs on this switch, which is dedicated-purpose, and I have not found a definitive answer on whether, if incoming traffic is destined for VLAN 2 and I have incoming ACLs on both VLAN 1 and VLAN 2, it is matched against both ACLs, and whether the returning traffic will also be matched on the inbound VLAN 2 ACL.

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: Quick Inbound ACL Question

Bill

An inbound access-list on a vlan interface filters traffic coming FROM devices on that vlan.

An outbound access-list on a vlan interface filters traffic going TO devices on that vlan.

So if traffic comes from vlan 1 to vlan 2 and both vlans have an inbound access-list, the traffic is first evaluated by the vlan 1 access-list. It then gets sent to the device on vlan 2. When the device responds and sends the packet back, it is then filtered by the access-list on the vlan 2 interface before being sent to vlan 1.

Note that if the packet is not allowed, it obviously won't be sent; it will be dropped.

Jon
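Jon's rule in runnable form, as an added example that is not from this thread or from Cisco: a small Python model of IOS ACL evaluation (wildcard masks, first match wins, `established`, implicit deny) applied to the asker's iSCSI_NetIn. It assumes 192.168.1.0/24 for VLAN 1 (the thread only names the host 192.168.1.1) and shows that a VLAN 1 host's web request is checked on Vlan1, not Vlan2, while the iSCSI host's reply enters Vlan2 and is permitted by the first line before `eq 80` is ever consulted; it also shows why 255.255.255.0 as a wildcard does not match the /24.

```python
import ipaddress
# Constructed: the asker's ACL with IOS wildcard masks (0.0.0.255 = /24) and valid ICMP/deny syntax.
ISCSI_NETIN = [
    "permit ip 10.0.0.0 0.0.0.255 any",
    "permit icmp any any echo",
    "permit tcp any 10.0.0.0 0.0.0.255 eq 80",
    "permit tcp any 10.0.0.0 0.0.0.255 eq 443",
    "permit tcp host 192.168.1.1 eq 25 10.0.0.0 0.0.0.255 established",
    "deny ip any any log",
]
# Assumed VLAN 1 subnet; the thread only names the host 192.168.1.1 on it.
SUBNETS = {"Vlan1": ("192.168.1.0", "0.0.0.255"), "Vlan2": ("10.0.0.0", "0.0.0.255")}

def match_addr(spec, wildcard, addr):  # IOS wildcard: a 1 bit means 'do not care'
    w = int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) | w) == (int(ipaddress.IPv4Address(spec)) | w)

def _addr(tok):  # 'any' | 'host A' | 'A WILDCARD' -> (address, wildcard), as IOS stores them
    t = tok.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))
def _port(tok):  # consume an optional 'eq N'
    return int((tok.pop(0), tok.pop(0))[1]) if tok[:1] == ["eq"] else None
def parse_ace(line):  # action proto src [eq p] dst [eq p] [established] [log]; ICMP type ignored
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    src, sport = _addr(tok), _port(tok)
    dst, dport = _addr(tok), _port(tok)
    return action, proto, src, sport, dst, dport, "established" in tok

def evaluate(acl, pkt):
    """First matching ACE wins, else IOS's implicit 'deny ip any any'; returns (action, ACE index)."""
    proto, s, sp, d, dp, est = pkt  # pkt = (proto, src, sport, dst, dport, established flag)
    for i, (action, aproto, src, sport, dst, dport, need_est) in enumerate(map(parse_ace, acl)):
        if aproto not in ("ip", proto) or not match_addr(*src, s) or not match_addr(*dst, d):
            continue
        if sport not in (None, sp) or dport not in (None, dp) or (need_est and not est):
            continue
        return action, i
    return "deny", None

def ingress_svi(pkt):
    """Jon's rule: a packet meets the inbound ACL on the SVI of the VLAN it came FROM."""
    return next(name for name, (net, wc) in SUBNETS.items() if match_addr(net, wc, pkt[1]))

if __name__ == "__main__":
    req = ("tcp", "192.168.1.50", 40000, "10.0.0.5", 80, False)  # VLAN 1 host -> iSCSI host, web
    reply = ("tcp", "10.0.0.5", 80, "192.168.1.50", 40000, True)  # the iSCSI host's answer
    print(ingress_svi(req), ingress_svi(reply), evaluate(ISCSI_NETIN, reply))  # Vlan1 Vlan2 ('permit', 0)
```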

2 REPLIES

New Member

Re: Quick Inbound ACL Question

Perfect ... thanks Jon ... I think I owe you an e-beer for all the help lately.
