11-07-2006 06:06 PM - edited 03-03-2019 02:37 PM
I have a 3550-12g running IOS v12.2(25)SEE2. I have created an ACL to apply to a VLAN interface. Here is the ACL:
ip access-list extended Block_Access
deny ip 10.31.170.0 0.0.0.255 10.3.140.0 0.0.0.255
deny ip 10.31.170.0 0.0.0.255 10.5.140.0 0.0.0.255
deny ip 10.31.170.0 0.0.0.255 10.21.140.0 0.0.0.255
deny ip 10.31.170.0 0.0.0.255 10.22.140.0 0.0.0.255
deny ip 10.31.170.0 0.0.0.255 10.31.140.0 0.0.0.255
permit ip any any
Whenever I apply the above ACL using the "ip access-group <name> out" to the VLAN interface, the ACL doesn't work. If I apply the same command using "in" instead of "out" it does apply the ACL. The VLAN interface I am trying to apply this ACL to is configured as follows:
interface Vlan170
ip address 10.31.170.5 255.255.255.0
ip helper-address 10.31.110.10
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
I am wondering if I do not have something configured properly or if I am missing anything.
Any input would be greatly appreciated. Thx.
Joe
11-07-2006 06:26 PM
Just a suggestion, but a vlan map may be a better solution if possible
11-07-2006 07:37 PM
Joe
We need to understand how you decide that the access list is not working. The access list is denying traffic sourced from 10.31.170.0. If you are testing the access list by testing from the router (doing ping or traceroute or something similar) then the explanation is that an outbound access list will NOT filter traffic generated from the router itself. If you are testing with traffic generated from some end station connected to the router then we need to understand more about the topology of your network.
HTH
Rick
11-08-2006 05:21 AM
In a nutshell, I am trying to deny outbound traffic from the 10.31.170.0/24 network to the subnets listed in the ACL, then permit traffic to any other destination. Based on the ACL, if an IP packet originates from 10.31.170.0/24 and is destined for 10.5.140.0/24 then it needs to be denied. The only VLAN interface that is configured on the same switch as the VLAN170 interface is the VLAN140 interface (10.31.140.5 for the 10.31.140.0/24 subnet). All other subnets listed in the ACL have their VLAN interfaces configured on different switches. EIGRP is configured for routing to these VLANs. I can ping back-and-forth so I know that basic IP routing and connectivity is working properly.
I am just confused as to why I can apply an ACL "inbound" on the VLAN170 interface and it works, but it does not work if I apply it "outbound".
Thx again for your assistance.
Joe
11-08-2006 05:33 AM
Hi,
When you apply the ACL inbound, it actually filters the traffic hitting the VLAN from inside to outside, so your source range falls within it and is denied.
But when you apply it outbound, it is the traffic from outside to inside of the VLAN, so here the source changes: the source would be the outside IP and the destination would be the inside IP.
So you need to reverse the access-list if you need to apply it outbound. A common extended access-list with source and destination IP defined would not work the same way for inbound and outbound.
Hope it helps
regards
vanesh k
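The following is an added worked example, not a participant's post from this thread, showing the two directions described in the reply above side by side, plus the VLAN map alternative suggested earlier. The addresses are the ones Joe posted; the names Block_Access_Out, Match_170_To_140s and Drop_170_To_140s are assumptions chosen for illustration.

```cisco
! Added example (not from the thread). Names Block_Access_Out, Match_170_To_140s
! and Drop_170_To_140s are assumptions; the addresses are Joe's.

! 1. "in" on Vlan170: matches packets ENTERING the SVI from hosts in
!    10.31.170.0/24. Source is 10.31.170.0/24, so the list works as written.
ip access-list extended Block_Access
 deny   ip 10.31.170.0 0.0.0.255 10.3.140.0 0.0.0.255
 deny   ip 10.31.170.0 0.0.0.255 10.5.140.0 0.0.0.255
 deny   ip 10.31.170.0 0.0.0.255 10.21.140.0 0.0.0.255
 deny   ip 10.31.170.0 0.0.0.255 10.22.140.0 0.0.0.255
 deny   ip 10.31.170.0 0.0.0.255 10.31.140.0 0.0.0.255
 permit ip any any
!
interface Vlan170
 ip access-group Block_Access in

! 2. "out" on Vlan170: matches packets LEAVING the SVI toward hosts in
!    10.31.170.0/24. Now the 10.x.140.0/24 networks are the SOURCE and
!    10.31.170.0/24 the DESTINATION, so the addresses must be swapped.
!    Note this drops the replies coming back to VLAN 170, not the requests
!    leaving it; the original list applied "out" never matches a real packet.
ip access-list extended Block_Access_Out
 deny   ip 10.3.140.0 0.0.0.255 10.31.170.0 0.0.0.255
 deny   ip 10.5.140.0 0.0.0.255 10.31.170.0 0.0.0.255
 deny   ip 10.21.140.0 0.0.0.255 10.31.170.0 0.0.0.255
 deny   ip 10.22.140.0 0.0.0.255 10.31.170.0 0.0.0.255
 deny   ip 10.31.140.0 0.0.0.255 10.31.170.0 0.0.0.255
 permit ip any any
!
interface Vlan170
 no ip access-group Block_Access in
 ip access-group Block_Access_Out out

! 3. VLAN access map alternative: applied to traffic in VLAN 170 itself,
!    so the "in"/"out" question does not arise. In a VLAN map the ACL only
!    IDENTIFIES traffic (permit = match); the map's action does the dropping,
!    so the ACEs here are "permit", not "deny".
ip access-list extended Match_170_To_140s
 permit ip 10.31.170.0 0.0.0.255 10.3.140.0 0.0.0.255
 permit ip 10.31.170.0 0.0.0.255 10.5.140.0 0.0.0.255
 permit ip 10.31.170.0 0.0.0.255 10.21.140.0 0.0.0.255
 permit ip 10.31.170.0 0.0.0.255 10.22.140.0 0.0.0.255
 permit ip 10.31.170.0 0.0.0.255 10.31.140.0 0.0.0.255
!
vlan access-map Drop_170_To_140s 10
 match ip address Match_170_To_140s
 action drop
vlan access-map Drop_170_To_140s 20
 action forward
!
vlan filter Drop_170_To_140s vlan-list 170

! Verification: generate traffic from a HOST in VLAN 170 (not from the
! switch's own SVI, which an outbound router ACL will not filter), then
! check that the deny counters increment.
! show ip access-lists Block_Access
! show vlan access-map Drop_170_To_140s
! show vlan filter
```

Only one of the three approaches should be active at a time; the "no ip access-group" line in section 2 is there so the inbound and outbound lists are not both applied while comparing them. Whichever is used, test with pings or connections sourced from an end station in 10.31.170.0/24, since packets the switch generates itself bypass outbound router ACLs, which is the point Rick raised above.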
05-06-2019 01:11 AM
"I am just confused as to why I can apply an ACL "inbound" on the VLAN170 interface and it works, but it does not work if I apply it "outbound". "
As Richard stated earlier, an Outbound ACL cannot filter the data originated by the device itself and that's exactly what you are trying to do.