Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Inbound ACL on physical vs sub interface

Hello,

I have a secondary connection to a different ISP that i'm trying to apply an acl on in the inbound direction on a sub interface, but as soon as I apply the acl all traffic originating from inside workstations and going out to the internet is dead..

I have the same style of acl applied to our other isp connection in the inbound direction as well and there are no issuse.  Traffic from inside devices can get out to the internet without problems.

The only difference is the 1st ISP connection is on a physical interface on the router and not a sub interface.

Example of the ACL:

permit ip any host x.x.x.x eq www

permit ip any host x.x.x.x eq smtp

deny ip any any log

So applying this inbound allows anyone on the internet to access the web server and the mail server, but deny's anything else. 

This makes no sense to me why when I apply the acl inbound on the sub interface that all inside to outside traffic is blocked.  Any thoughts?

Dan.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Inbound ACL on physical vs sub interface

There is no difference applying ACL on physical or sub interface as ACL is layer 3 and 4, not lower layer, hence doesn't make any diffrence applying it on the physical or sub interface.

ACL is also stateless, hence if you apply ACL on a router (IOS), then you would also need to allow the return traffic, unless you configure CBAC (ip inspect).

To allow return traffic of your outbound traffic, please configure CBAC (ip inspect).

Here is a sample configuration:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml

Hope that helps.

2 REPLIES
Cisco Employee

Re: Inbound ACL on physical vs sub interface

There is no difference applying ACL on physical or sub interface as ACL is layer 3 and 4, not lower layer, hence doesn't make any diffrence applying it on the physical or sub interface.

ACL is also stateless, hence if you apply ACL on a router (IOS), then you would also need to allow the return traffic, unless you configure CBAC (ip inspect).

To allow return traffic of your outbound traffic, please configure CBAC (ip inspect).

Here is a sample configuration:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml

Hope that helps.

Hall of Fame Super Gold
3843
Views
0
Helpful
2
Replies
CreatePlease to create content