Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
822
Views
0
Helpful
3
Replies

SG300 L3 ACL Ingress vs Internal?

viningele
Level 3
Level 3

‎12-19-2013 06:32 AM

I'm pretty sure this is the conclusion I came to several weeks ago and then forgot but could someone please confirm that ACLs won't work internal to the switch and by that I mean if I ping using the switches PING function from one VLAN int to another VLAN int.  ACLs only work on ingress and that means from devices/hosts physically external to the switch inbound to the switch and when I ping from diagnostics in the switch from one vlan to another there is no ingress since this is internal to the switch and although one would think that you're pinging out of one vlan and "in" to another that's not consider ingress since that's an internal ping and really only confirms inter vlan routing is working and can't be used to test ACLs since there's no "ingress" taking place and in terms of Cisco ACL ingress means inbound from an external device not inbound to an internal virtual device from another internal virtual device.

Labels:
0 Helpful
3 Replies 3

Tom Watts
VIP Alumni
VIP Alumni

‎12-19-2013 09:57 AM

Hi Vini, the ACL is ingress only.

So for the physical connection (port) it would be ingress to that port.

For the logical connection (vlan), it would be ingress that VLAN.

I do believe it still depends on physical location of the connections as the switch will internally ping any VLAN.

But a Device in vlan 1 trying to ping vlan 2 with an acl should fail but in the same situation a device in vlan 2 (with the acl applied) will be able to ping a device in vlan 1. Which would also be consistent behavior vs port based access list.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
0 Helpful

viningele
Level 3
Level 3
In response to Tom Watts

‎12-19-2013 10:22 AM

I'm good with the logic of external physical devices but I keep trying to test VLAN ACLs remotely by pinging from the switches PING function, from a VLAN interface to another VLAN interface internal on the switch and it never works and I'm convinced that it's because in this situation there is no INGRESS or EGRESS as it applies to ACLs just internal routes.  For PORT or VLAN based ACLs INGRESS means coming in through a physical hardware port and when I ping using the switches PING function to another VLAN interface internal to the switch I'm clearly not entering or exiting any physical hardware port. 

It makes perfect sense once I think about it but I then forget about it and in a couple of weeks try it all over again. 

0 Helpful

Tom Watts
VIP Alumni
VIP Alumni
In response to viningele

‎12-19-2013 11:28 AM

Yes, and from the internal hardware there is no ping source therefore cannot apply.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
0 Helpful
Customers Also Viewed These Support Documents