ACL help please

b.withrow
Level 1

Somebody please help me understand the concept:

I have VLAN500 on a 6509, with a network of 172.17.x.x, and I want to apply an extended ACL to allow any host on that VLAN to telnet to a host on VLAN 600 (network 172.16.x.x). So I created the following ACL:

Extended IP access list VLAN500

permit tcp any host 172.16.8.53 eq telnet

and added this line to the VLAN500 interface:

ip access-group VLAN500 out

And it didn't work, until I changed the interface statement to:

ip access-group VLAN500 in

And it really doesn't make sense to me that I would have to apply it in. Why wouldn't I apply it out, since any host on the local VLAN can telnet out to a host on another VLAN? If anyone can explain this to me, it would be appreciated. Thanks in advance.

5 Replies

ywadhavk
Cisco Employee

Because the traffic is INBOUND from VLAN 500 and not going towards VLAN 500.

Hope this clarifies.

Thanks,

yatin

Another way to understand the IN and OUT directions on an interface is to imagine yourself "sitting" in the port (window) and facing out of the window.

So the telnet traffic that is coming from VLAN 500 would be IN and not OUT, hence the latter access-group command worked.

yatin

Thanks for the reply. I am beginning to understand the concept. One more thing: what is the best way to apply this specific filter? I could write it one way and apply it OUT, or write it another way and apply it IN. But I'm not sure which would be best.

The way you are applying it is good. Applying it to the VLAN 500 interface will preserve router resources because the action is happening at the entry point itself. Had it been applied to the VLAN 600 interface in the OUT direction, all these packets would traverse the router all the way up to the VLAN 600 interface only to be dropped if they are not from VLAN 500.

The below url will help further.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#extended

thanks,

yatin

I should clarify. The dilemma I am having is, I can write the ACL this way:

Extended IP access list VLAN730

permit tcp any host 172.16.8.53 eq telnet

interface Vlan730

ip access-group VLAN730 in

and it works fine. Or I can write it reversed and apply it to the same interface but with OUT, and it also works:

Extended IP access list VLAN730

permit tcp host 172.16.8.53 eq telnet any

interface Vlan730

ip access-group VLAN730 OUT

So, I'm wondering which of those two ways would be more efficient. Thanks again for the help.
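The following is an added worked example for this thread, not code from the thread or from Cisco. It is a small Python model of what the replies describe: an IOS-style extended ACL ("permit tcp <src> <dst> eq <port>" with the implicit deny at the end), the in/out direction of "ip access-group" on a routed VLAN interface, and forwarding between two SVIs. It reproduces the original poster's result (the same ACL fails when applied "out" because it is the server's reply, not the client's request, that crosses the interface outbound), and then compares the two forms from the last post: both let the telnet session through, but form A drops unwanted traffic from the VLAN at its ingress, while form B lets the request cross the router and only drops the reply on the way back, which is the resource point made above. Everything not in the thread is an assumption: the client address 172.17.0.10, the port 40000 source port, the HTTP probe and the Router/forward() helpers are constructed for the example, and the wildcard-mask parser assumes a contiguous mask.

```python
"""Toy model of IOS extended-ACL evaluation on routed VLAN interfaces.

Added example for the ACL-direction thread; not code from the thread or
from Cisco. Models 'permit|deny tcp <src> [eq p] <dst> [eq p]' entries,
the implicit 'deny any', and 'ip access-group <name> in|out'.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Callable[[object], bool]
    dst: Callable[[object], bool]
    sport: Optional[int]
    dport: Optional[int]


def _addr(tokens, i):
    """Consume an address spec: any | host A.B.C.D | A.B.C.D wildcard."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        host = ip_address(tokens[i + 1])
        return (lambda ip, h=host: ip == h), i + 2
    # IOS wildcard: 0 bits must match. Assumes a contiguous wildcard.
    mask = (~int(ip_address(tokens[i + 1]))) & 0xFFFFFFFF
    net = ip_network(f"{tokens[i]}/{bin(mask).count('1')}", strict=False)
    return (lambda ip, n=net: ip in n), i + 2


def _port(tokens, i):
    """Consume an optional 'eq <port>' qualifier."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES.get(name) or int(name)), i + 2
    return None, i


def parse_ace(line):
    """Parse one entry such as 'permit tcp any host 172.16.8.53 eq telnet'."""
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, _ = _port(t, i)
    return Ace(t[0], t[1], src, dst, sport, dport)


def acl_permits(acl, pkt):
    """First matching entry wins; no match is the implicit 'deny any'."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for e in acl:
        if e.proto not in ("ip", pkt.proto) or not (e.src(s) and e.dst(d)):
            continue
        if e.sport not in (None, pkt.sport) or e.dport not in (None, pkt.dport):
            continue
        return e.action == "permit"
    return False


class Router:
    """Routed SVIs, each with a connected network and optional in/out ACLs."""

    def __init__(self):
        self.ifaces = {}  # name -> (network, {"in": [Ace], "out": [Ace]})

    def interface(self, name, network):
        self.ifaces[name] = (ip_network(network), {})

    def access_group(self, name, acl_lines, direction):
        self.ifaces[name][1][direction] = [parse_ace(l) for l in acl_lines]

    def _iface_for(self, ip):
        return next(n for n, (net, _) in self.ifaces.items() if ip_address(ip) in net)

    def forward(self, pkt):
        """'forwarded', or the interface and direction that dropped the packet."""
        ingress, egress = self._iface_for(pkt.src), self._iface_for(pkt.dst)
        acl_in, acl_out = self.ifaces[ingress][1], self.ifaces[egress][1]
        if "in" in acl_in and not acl_permits(acl_in["in"], pkt):
            return f"dropped by {ingress} in"   # dropped at entry, before routing
        if "out" in acl_out and not acl_permits(acl_out["out"], pkt):
            return f"dropped by {egress} out"   # dropped after crossing the router
        return "forwarded"

    def tcp_session(self, client, server, port, sport=40000):
        """A session needs both the client's request and the server's reply."""
        req = self.forward(Packet(client, server, "tcp", sport, port))
        rep = self.forward(Packet(server, client, "tcp", port, sport))
        return req, rep


CLIENT, SERVER = "172.17.0.10", "172.16.8.53"   # client address is constructed
TO_SERVER = ["permit tcp any host 172.16.8.53 eq telnet"]      # form A / original ACL
FROM_SERVER = ["permit tcp host 172.16.8.53 eq telnet any"]    # form B (reversed)


def build(acl_lines, direction, vlan="Vlan500"):
    """6509 with the two SVIs from the thread and one access-group on the client VLAN."""
    r = Router()
    r.interface(vlan, "172.17.0.0/16")
    r.interface("Vlan600", "172.16.0.0/16")
    r.access_group(vlan, acl_lines, direction)
    return r


if __name__ == "__main__":
    print("original ACL, out:", build(TO_SERVER, "out").tcp_session(CLIENT, SERVER, 23))
    print("original ACL, in: ", build(TO_SERVER, "in").tcp_session(CLIENT, SERVER, 23))
    for name, acl, d in (("form A", TO_SERVER, "in"), ("form B", FROM_SERVER, "out")):
        r = build(acl, d)
        print(name, "telnet:", r.tcp_session(CLIENT, SERVER, 23))
        print(name, "http:  ", r.tcp_session(CLIENT, SERVER, 80))
```

Running it shows the original ACL applied "out" forwarding the request but dropping the reply at Vlan500 out, and applied "in" passing both. For the HTTP probe, form A reports "dropped by Vlan500 in" (the packet never crosses the router), while form B reports the request forwarded and only the reply "dropped by Vlan500 out". Note that the two forms also filter different things in general: form A constrains what hosts on the VLAN may originate, form B constrains what may be delivered to them.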
