04-23-2012 12:31 PM - edited 03-04-2019 04:07 PM
Hi guys,
I need your advice on a point that is not clear to me.
I made a quick search on this forum, but I didn't find an answer (although I am almost sure this issue has been discussed already...).
My concern is: what could match an access-list configured on a switch SVI interface?
I understand which traffic matches an inbound access-list (traffic destined to this IP), but not which kind of traffic could match an outbound one (no traffic crosses that interface, and the traffic initiated from that interface by the router will not match either).
Do you have an answer for this ?
Thanks in advance for your help !!
04-23-2012 12:37 PM
I found the answer myself 2 minutes after posting
the transit traffic routed through that interface will match!
Sorry for spamming the forum... let's say this is just my contribution for people having the same question.
01-19-2015 08:54 AM
Hi g.fabre,
Can you please send me the link where you got the answer to this question? This is also not clear to me, and I cannot find any thread that would lead me to a concrete answer. Thank you so much in advance!
01-19-2015 09:03 AM
Which bit is not clear ?
Jon
01-19-2015 09:05 AM
Thanks for the reply Jon. This particular statement.
the transit traffic routed through that interface will match
01-19-2015 09:16 AM
Okay, let's cover both situations.
An inbound acl applies to traffic coming from a client in that vlan.
An outbound acl applies to traffic going to a client in that vlan.
So
C1 -> int vlan 3 (SW1) -> R1 -> R2 -> S1
C1 is a client and S1 is a web server.
When C1 sends traffic to S1, if there is an acl applied inbound on vlan 3 then it will be checked to see if the traffic is allowed.
If there is an outbound acl on the vlan 3 interface, it won't be checked.
When S1 sends traffic back to C1, if there is an outbound acl on the vlan 3 interface it will be checked to see if that traffic is allowed.
If there is an inbound acl applied, it won't be checked.
So it is all to do with the direction of the traffic in relation to the L3 vlan interface (SVI).
You will probably see more acls applied inbound because it is best practice to filter traffic as close to the source as possible, but that is always the case.
Hope that makes sense.
Feel free to ask for further clarification if needed.
Jon
01-19-2015 09:41 AM
Thanks again Jon, I am sorry but it is still not so clear to me. So you said:
"When S1 sends traffic back to C1, if there is an outbound acl on the vlan 3 interface it will be checked to see if that traffic is allowed.
If there is an inbound acl applied, it won't be checked.
So it is all to do with the direction of the traffic in relation to the L3 vlan interface (SVI)."
My question is, why would the reply from S1 be checked against the outbound acl when it should still be checked as inbound to VLAN 3? Is it all about the direction of the traffic with reference to the SVI interface, or is it about whether the host is inside the VLAN or outside the VLAN?
I have this config and I am confused about how the out ACL is matching the traffic destined to VLAN 8.
! SVI for VLAN 8: the 'in' list sees packets arriving from VLAN 8 hosts,
! the 'out' list sees packets the switch routes towards VLAN 8 hosts.
interface Vlan8
 ip address 172.16.8.1 255.255.255.0
 ip access-group VLAN8ACL_IN in
 ip access-group VLAN8ACL_OUT out
!
! Applied 'in': sources are VLAN 8 hosts (172.16.8.0/24). Ends with the implicit deny.
ip access-list extended VLAN8ACL_IN
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit ip 172.16.8.0 0.0.0.255 host 224.0.0.2
 permit ip 172.16.8.0 0.0.0.255 host 224.0.0.10
 permit ip 172.16.8.0 0.0.0.255 host 224.0.0.13
 permit ip 172.16.8.0 0.0.0.255 host 224.0.0.22
 permit ip 172.16.8.0 0.0.0.255 host 224.0.0.252
!
! Applied 'out': destinations are VLAN 8 hosts (172.16.8.0/24). Ends with the implicit deny.
ip access-list extended VLAN8ACL_OUT
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit ip host 224.0.0.2 172.16.8.0 0.0.0.255
 permit ip host 224.0.0.10 172.16.8.0 0.0.0.255
 permit ip host 224.0.0.13 172.16.8.0 0.0.0.255
 permit ip host 224.0.0.22 172.16.8.0 0.0.0.255
 permit ip host 224.0.0.252 172.16.8.0 0.0.0.255
 permit ip host 172.16.2.12 172.16.8.0 0.0.0.255
 permit ip host 172.19.2.222 172.16.8.0 0.0.0.255
 permit ip host 172.17.2.205 172.16.8.0 0.0.0.255
 permit ip host 172.18.2.25 172.16.8.0 0.0.0.255
 permit ip host 172.18.2.125 172.16.8.0 0.0.0.255
 permit ip host 172.18.2.126 172.16.8.0 0.0.0.255
 permit ip host 172.18.2.127 172.16.8.0 0.0.0.255
 permit ip host 172.19.2.30 172.16.8.0 0.0.0.255
01-19-2015 09:57 AM
"My question is, why would the reply from S1 be checked against the outbound acl when it should still be checked as inbound to VLAN 3?"
It is not inbound to vlan 3.
You need to think about it in terms of the SVI (vlan interface) and not the actual vlan.
So inbound means traffic coming to the SVI, i.e. traffic from clients in that vlan.
Outbound means traffic going from the SVI, i.e. traffic going to clients in that vlan.
In your configuration the acl applied outbound on vlan 8 will have destination IPs in the vlan 8 IP subnet, i.e. 172.16.8.0/24, because it is filtering traffic that is going to devices in vlan 8.
The inbound acl will have source IPs from the vlan 8 IP subnet because it is filtering packets coming from devices in vlan 8 and going somewhere else.
As a side note, apart from your DHCP entries in your inbound acl, the other lines are for specific multicast addresses, and those particular addresses are not L3 routed anyway, so I'm not sure what they are doing there unless you are running dual switches with HSRP etc., but your SVI configuration doesn't show that.
Again if it's not clear please come back with your queries.
Jon
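Jon's direction model and his reading of the posted VLAN8 lists, as an added example that is not part of the thread: a small Python model of an IOS switch with two SVIs that decides, for a packet arriving on a given SVI, which ACL (if any) is consulted and what the verdict is. Everything beyond the two lists copied from the post is an assumption: the server subnet 172.16.2.0/24 on an SVI named Vlan2, the host addresses, the restriction to connected routes, and the treatment of switch-generated traffic as unfiltered. The lists are evaluated exactly as posted, including the implicit deny at the end, so a plain TCP session from a VLAN 8 client is dropped by VLAN8ACL_IN in this model; if the real inbound list has more entries than were pasted, add them to the tuple.

```python
"""Model of where an IOS ACL applied 'in' or 'out' on an SVI is consulted (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NAMED_PORTS = {"bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp", "udp", "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_ace(line: str) -> tuple:
    """Parse 'permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]'; an address is
    'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (the only forms used in the posted lists)."""
    toks = line.split()
    action, proto, i = toks[0], toks[1], 2
    specs, ports = [], []
    for _ in range(2):
        width = 1 if toks[i] == "any" else 2        # 'host X' and 'net wild' take two tokens
        specs.append(" ".join(toks[i:i + width]))
        i += width
        port = None
        if i < len(toks) and toks[i] == "eq":
            port = NAMED_PORTS.get(toks[i + 1]) or int(toks[i + 1])
            i += 2
        ports.append(port)
    return action, proto, specs[0], ports[0], specs[1], ports[1]


def addr_matches(spec: str, ip: ipaddress.IPv4Address) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    words = spec.split()
    if words[0] == "host":
        return ip == ipaddress.IPv4Address(words[1])
    net, wild = (int(ipaddress.IPv4Address(w)) for w in words)
    care = ~wild & 0xFFFFFFFF
    return (int(ip) & care) == (net & care)


def evaluate(acl: List[tuple], pkt: Packet) -> str:
    """First matching ACE wins; a packet that matches nothing hits the implicit deny."""
    for action, proto, src, sport, dst, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not addr_matches(src, ipaddress.IPv4Address(pkt.src)):
            continue
        if not addr_matches(dst, ipaddress.IPv4Address(pkt.dst)):
            continue
        if (sport is not None and sport != pkt.sport) or (dport is not None and dport != pkt.dport):
            continue
        return action
    return "deny"


@dataclass
class Svi:
    name: str
    address: str                               # e.g. "172.16.8.1/24"
    acl_in: List[tuple] = field(default_factory=list)
    acl_out: List[tuple] = field(default_factory=list)

    @property
    def ip(self) -> ipaddress.IPv4Address:
        return ipaddress.ip_interface(self.address).ip

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.address).network


def forward(svis: List[Svi], pkt: Packet, ingress: Optional[Svi]) -> Tuple[str, List[str]]:
    """Fate of pkt arriving on SVI `ingress` (None = generated by the switch itself),
    plus a record of which ACL was consulted. Direction is relative to the SVI, not the VLAN."""
    if ingress is None:                        # assumption: switch-originated traffic is not filtered
        return "permit", ["generated by the switch: no SVI ACL consulted"]
    dst = ipaddress.IPv4Address(pkt.dst)
    if dst != ingress.ip and dst in ingress.network:
        return "permit", ["same subnet: switched at L2, SVI ACLs not consulted"]
    checks = []
    # Packet enters the SVI from a host in its VLAN: the 'in' list sees it, whether it is
    # addressed to the SVI itself or to another subnet.
    if ingress.acl_in:
        verdict = evaluate(ingress.acl_in, pkt)
        checks.append(f"{ingress.name} in -> {verdict}")
        if verdict == "deny":
            return "deny", checks
    if dst == ingress.ip:
        checks.append(f"delivered to {ingress.name} itself")
        return "permit", checks
    egress = next((s for s in svis if dst in s.network), None)   # connected routes only (assumption)
    if egress is None:
        checks.append("no connected route (broadcast or remote destination not modelled)")
        return "permit", checks
    # Transit traffic leaving through another SVI is what that SVI's 'out' list filters.
    if egress.acl_out:
        verdict = evaluate(egress.acl_out, pkt)
        checks.append(f"{egress.name} out -> {verdict}")
        return verdict, checks
    checks.append(f"{egress.name} out: no ACL")
    return "permit", checks


# The two lists as posted in the thread, built from their repeated host entries.
DHCP = ["permit udp any any eq bootpc", "permit udp any any eq bootps"]
MCAST = ["224.0.0.2", "224.0.0.10", "224.0.0.13", "224.0.0.22", "224.0.0.252"]
SERVERS = ["172.16.2.12", "172.19.2.222", "172.17.2.205", "172.18.2.25",
           "172.18.2.125", "172.18.2.126", "172.18.2.127", "172.19.2.30"]
VLAN8ACL_IN = [parse_ace(l) for l in DHCP + [f"permit ip 172.16.8.0 0.0.0.255 host {m}" for m in MCAST]]
VLAN8ACL_OUT = [parse_ace(l) for l in DHCP + [f"permit ip host {m} 172.16.8.0 0.0.0.255" for m in MCAST]
                + [f"permit ip host {s} 172.16.8.0 0.0.0.255" for s in SERVERS]]
VLAN8 = Svi("Vlan8", "172.16.8.1/24", VLAN8ACL_IN, VLAN8ACL_OUT)
VLAN2 = Svi("Vlan2", "172.16.2.1/24")       # assumed SVI for the subnet of server 172.16.2.12
SWITCH = [VLAN8, VLAN2]

if __name__ == "__main__":
    C1, S1 = "172.16.8.50", "172.16.2.12"   # constructed client and the first posted server
    for label, pkt, ingress in (
        ("C1 -> S1 http", Packet(C1, S1, "tcp", 51000, 80), VLAN8),
        ("S1 -> C1 reply", Packet(S1, C1, "tcp", 80, 51000), VLAN2),
        ("other server -> C1", Packet("172.16.2.13", C1, "tcp", 80, 51000), VLAN2),
        ("C1 DHCP discover", Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67), VLAN8),
        ("C1 pings the SVI", Packet(C1, "172.16.8.1", "icmp"), VLAN8),
        ("switch -> C1", Packet("172.16.8.1", C1, "icmp"), None),
    ):
        print(f"{label:20} {forward(SWITCH, pkt, ingress)}")
```

Running it shows the reply from 172.16.2.12 being checked only against VLAN8ACL_OUT (where its host entry permits it), a reply from a server not listed there hitting the implicit deny, and a client-to-server request being checked only against VLAN8ACL_IN. Note the caveat the model makes visible: as posted, VLAN8ACL_IN permits nothing but DHCP and the multicast entries, so the request from C1 is dropped before any outbound list is reached.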
01-19-2015 10:11 AM
Thanks again Jon, I think I just need to digest what you said. I think I am comparing the SVI interface to a physical interface of a router. If you know any links on the Cisco site, I would appreciate it if you could share them. I appreciate all your help, thank you so much!
01-19-2015 10:23 AM
I don't want to confuse you, but an SVI is pretty much the same as a physical interface when it comes to acls.
Have a look at this thread and in particular Peter's diagram. A visual representation may help -
Jon
01-19-2015 12:15 PM
Hi Jon
I got it now, and I am wondering why I confused myself with it, hehe... thank you so much again for your help!
04-23-2012 12:40 PM
The logical operation of an access list on an SVI is quite similar to the logical operation of an access list on a physical interface. If you assign an access list as outbound on an SVI then it will examine traffic that has come through the switch and is being sent out onto the VLAN/subnet of the SVI.
So if you had this as an example:
! SVI for VLAN 3; access list 101 filters packets the switch forwards into 10.10.10.0/24
interface vlan 3
 ip address 10.10.10.1 255.255.255.0
 ip access-group 101 out
then access list 101 will examine traffic coming through the switch and being forwarded out onto VLAN 3 and subnet 10.10.10.0.
HTH
Rick