10-17-2010 04:19 PM - edited 03-04-2019 10:08 AM
Hello,
I have a secondary connection to a different ISP that I'm trying to apply an ACL on, in the inbound direction, on a sub interface, but as soon as I apply the ACL all traffic originating from inside workstations and going out to the internet is dead.
I have the same style of ACL applied to our other ISP connection in the inbound direction as well and there are no issues. Traffic from inside devices can get out to the internet without problems.
The only difference is that the 1st ISP connection is on a physical interface on the router and not a sub interface.
Example of the ACL:
permit tcp any host x.x.x.x eq www
permit tcp any host x.x.x.x eq smtp
deny ip any any log
So applying this inbound allows anyone on the internet to access the web server and the mail server, but denies anything else.
It makes no sense to me why, when I apply the ACL inbound on the sub interface, all inside-to-outside traffic is blocked. Any thoughts?
Dan.
10-17-2010 04:26 PM
There is no difference between applying an ACL on a physical or a sub interface, as an ACL works at layers 3 and 4, not lower layers, hence it doesn't make any difference whether it is applied on the physical or the sub interface.
ACLs are also stateless, hence if you apply an ACL on a router (IOS), then you would also need to allow the return traffic, unless you configure CBAC (ip inspect).
To allow return traffic of your outbound traffic, please configure CBAC (ip inspect).
Here is a sample configuration:
Hope that helps.
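An added illustration of the layout the answer describes (this is not the poster's attached configuration, which does not appear on the page): the inbound ACL only admits the published servers, and CBAC inspection applied outbound on the same sub interface opens the return path for sessions that inside hosts start. The ACL name, inspect rule name, interface name and VLAN tag, and the 203.0.113.x / 198.51.100.x documentation addresses standing in for x.x.x.x are all assumptions.

```cisco
! Inbound ACL for the second ISP: only the web and mail servers are reachable
! from the Internet, everything else is denied and logged.
! Note that a port match (eq www / eq smtp) requires "tcp", not "ip".
ip access-list extended FROM-ISP2
 remark 203.0.113.10 and 203.0.113.20 are placeholder public addresses (assumed)
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.20 eq smtp
 deny   ip any any log
!
! CBAC inspection rule (name assumed): tracks TCP and UDP sessions leaving
! towards the ISP and temporarily permits only their return traffic through
! FROM-ISP2, so the ACL can stay strict.
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
!
! Sub interface towards the second ISP (interface, tag and address assumed).
interface GigabitEthernet0/1.200
 description ISP2 uplink (assumed)
 encapsulation dot1Q 200
 ip address 198.51.100.2 255.255.255.252
 ip access-group FROM-ISP2 in
 ip inspect INSIDE-OUT out
!
! To check the result while an inside host browses:
!   show ip inspect sessions
!   show ip access-lists FROM-ISP2
```

Without the two `ip inspect` lines on the interface the behaviour is exactly the one in the question: replies to inside-initiated sessions hit `deny ip any any log` and the log entries show up as the dropped return traffic.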
10-17-2010 04:34 PM
Configuring IP Access Lists
http://www.cisco.com/en/US/customer/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#netdiag
Configuring Commonly Used IP ACLs
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml