topic Applying ACL for a VLAN in Switching

Applying ACL for a VLAN

lamav — Wed, 06 Mar 2019 05:52:33 GMT

I need someone to straighten me out on this...I always get confused.

I have an Internet L3 switch (3560) that has an L3 vlan interface for devices that face the internal network (DMZ).

I want to deny all traffic from the corporate network exceot for 3 subnets that the network engineers are on.

OK, no biggie:

ip access-list standard DENY_UNAUTH_USERS

remark deny all corporate traffic except for the 4, 5 and 6 subnets

permit 10.100.4.0

permit 10.100.5.0

permit 10.100.6.0

deny any log

Now, the kicker, I want to prevent traffic from the internal network from entering the 3560. In which direction should I apply the ACL, in or out?

Should it be

interface vlan 60

ip access-group DENY_UNAUTH_USERS in (?)

interface vlan 60

ip access-group DENY_UNAUTH_USERS out (?)

Its tricky with vlans, its not like a physical interface.

I believe that it should be in the out direction.

Anyone?

Thanks

Re: Applying ACL for a VLAN

glen.grant — Thu, 20 Mar 2008 13:27:09 GMT

If vlan 60 is the connecting link then it would be in the "in" direction .

Re: Applying ACL for a VLAN

lamav — Thu, 20 Mar 2008 13:50:13 GMT

vlan 60 is the interface that faces the internal network. Its a DMZ interface...makes sense?

I want to block users from the internal network who sit "behind" that vlan 60 interface.

So, it would still be in the "in" direction?

[EDIT] The users I wantr o block do not sit on vlan 60. that sa DMZ vlan that connects the internal network to the internet router. The users are on the corporate vlan (21,22,etc)

Re: Applying ACL for a VLAN

Jon Marshall — Sun, 23 Mar 2008 09:13:21 GMT

Victor

Think of like this.

An access-list applied outbound to a vlan interface is traffic going TO machines on that vlan.

An access-list applied inbound to a vlan is traffic coming FROM machines on that vlan.

Oh yes, and no problem with the typo as i said in other post, we all do it 🙂

Jon

Re: Applying ACL for a VLAN

lamav — Sun, 23 Mar 2008 17:09:32 GMT

"Oh yes, and no problem with the typo as i said in other post, we all do it :-)"

You're a regular riot, Alice!! Think you're slick, huh? 😉

Anyway, as for the vlan ACL (take a look at that drawing again), let's say the traffic originates on the core, gets forwarded "up" to the ASA, and then to the Internet router, the ACL that must be applied to the Internet router's vlan 60 interface inbound? That makes vlan 60 a sort of connecting vlan, then, right?

Re: Applying ACL for a VLAN

Jon Marshall — Sun, 23 Mar 2008 22:40:01 GMT

Sorry Victor, couldn't resist 🙂

Correct in what you say. Vlan 60 is there purely for connecting the ASA devices to the Internet routers. And yes the acl should be applied inbound on the vlan 60 interface.

Once again appreciate the ratings and would have answered the question anyway you know.

Jon

Re: Applying ACL for a VLAN

lamav — Sun, 23 Mar 2008 23:40:13 GMT

Jon:

Once again, you deserve the great ratings because your answers are full of excellent information and you stick with the person until the problem is solved. Thats a pretty awesome thing to do when you dont even know the person at all.

And yes, I know you would have answered my question no matter what....you werent the reason for....you know.

Victor