Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1023
Views
0
Helpful
4
Replies

ACL on Vlan behaviour.

KGrev
Level 4
Level 4

‎02-09-2022 06:01 AM

So I understand that if you apply an ACL to an interface then packets are inspected as they enter the switch.

What is the behavior if you instead add that acl to a vlan and apply the vlan to an interface?

Is traffic being inspected everywhere that vlan is applied from multiple directions?

 

Thank you

Labels:
0 Helpful
4 Replies 4

Flavio Miranda
VIP
VIP

‎02-09-2022 06:20 AM

Hi

 If you appy the ACL to a vlan, then make sense that all interface that belongs to that vlan will be filtered by that ACL.

 

"Is traffic being inspected everywhere that vlan is applied from multiple directions?"

 

The direction depends on you as you specify "IN" or "OUT". 

 

 Everywhere on the same switch. If you extend this vlan through a trunk and send it to a another switch, in that second switch no ACL will be valid unless you also put there.

 

 

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame

‎02-09-2022 10:25 AM

"So I understand that if you apply an ACL to an interface then packets are inspected as they enter the switch."

Incorrect.  The ACL applies to packets entering or leaving the VLAN interface, not a switch port's physical interface (for that VLAN).

"What is the behavior if you instead add that acl to a vlan and apply the vlan to an interface?"

Same as all other traffic on that VLAN.  I.e. packets crossing the SVI are subject the ACL for ingress and/or egress.

"Is traffic being inspected everywhere that vlan is applied from multiple directions?"

Yes and no.  Again, depends on whether traffic is entering or leaving a particular SVI.  (Remember, as multiple switches can host the same VLAN, and if they are multiple L3 switches, you might have multiple SVIs on that VLAN.  As ACLs are applied to particular SVIs, it's possible packets can be treated differently depending on which actual SVI they use.  Further, the SVI doesn't have to be on the switch hosting VLAN ports, and even when SVI is on switch hosting that SVI's VLAN ports, those VLAN ports, on that switch, might not actually be using that switch's SVI for ingress and/or egress.)

NB: if the forgoing is unclear, ask further, as your understanding of SVI and VLANs might not be totally correct.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame

‎02-09-2022 10:43 AM

 

If you apply an acl to a physical interface in an inbound direction then yes packets are inspected as they enter the switch on that interface. 

 

If you apply an acl to a vlan it depends on exactly what you mean ie. you can apply an acl to filter packets between devices in the same vlan or you can apply an acl to the L3 interface for the vlan and that would filter traffic either entering or leaving the vlan depending on the direction you applied the acl. 

 

Jon

0 Helpful

MHM Cisco World
VIP
VIP

‎02-09-2022 10:56 AM

ACL in router interface is simply L3 ACL which mean that the traffic to this interface is routed via L3 and L3 ACL always apply.
ACL in VLAN interface is not effect L3 ACL but the traffic to the interface with VLAN is check in following:-
1- MAC address of destination is MAC of VLAN SVI <- then L3 ACL will apply here
2- MAC address of destination is any other MAC then the L3 ACL will not apply 

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card