01-06-2011 11:32 AM - edited 03-06-2019 02:51 PM
First off, I'm new to the forums and couldn't find pertinent information around this subject.
Now the scenario and question:
We set up a VLAN dedicated for a specific application and devices. Currently everything is working well because there is no ACL on the VLAN interface. I was given an inbound ACL to apply to the interface to severely limit the traffic that segment is allowed to talk to. Assuming the VLAN interface IP address is 10.10.10.10 and the VLAN interface is the default gateway of the segment, here is the first entry in the ACL:
permit ip host 10.10.10.10 any
This entry seems strange to me, and I'm thinking I don't need it for two reasons.
1. Any inbound traffic to that layer 3 interface will never be sourced from the interface's IP address, unless something malicious is going on.
2. Even if the entry is "permit ip any host 10.10.10.10", wouldn't that be simply layer 2 traffic and not get an ACL applied to it?
I'm not sure if my two theories above are correct though, I couldn't really find the information I was looking for in the CCNA books. I guess my confusion is coming from not knowing the order of packet processing, ACL matching, routing, etc.
Does anyone have some input about the ACL entry in question, whether or not it is needed, or more information on the subject?
Thank you,
Dustin
01-09-2011 05:51 PM
Dustin
First off I think that whoever wrote that ACL was confused.
I agree with your point 1. There should never be anything coming into that interface with the interface address as the source address.
I do not agree with your point 2. If a PC on that VLAN sends a packet with destination address of the router interface (perhaps the user is attempting to ping to verify that the default gateway is reachable and works - or perhaps the router sends a packet to the PC and the PC is sending a response) then this will be a layer 3 packet coming into the interface with the interface address as the destination address and it will be subject to any access list that is applied inbound.
HTH
Rick
01-10-2011 05:28 AM
So, it is just as I figured. That line should just be written with the VLAN interface address as the destination address instead of the source address. I'll make sure to update my ACL then.
Thank you,
Dustin
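The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for IOS-style extended ACL entries, used to show why Rick's answer is right and what Dustin's correction changes. It assumes the IOS rules of "first matching entry wins" and an implicit "deny ip any any" at the end. The VLAN host 10.10.10.25, the application server 192.0.2.50, the second ACL line and the sample packets are all constructed for the demonstration; only the gateway address 10.10.10.10 and the two candidate entries come from the thread.

```python
"""
Constructed example: evaluate Cisco IOS-style extended ACL entries with
first-match semantics against packets arriving INBOUND on the SVI
(i.e. packets sent by hosts on the VLAN towards their default gateway).
"""
import ipaddress

GATEWAY = "10.10.10.10"  # SVI address from the thread


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A' or 'A WILDCARD'.
    Returns ((base, wildcard), next_index). The wildcard mask marks the bits
    that do NOT have to match, so non-contiguous wildcards work too."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wildcard), i + 2


def _addr_matches(spec, addr):
    base, wildcard = spec
    care = (~wildcard) & 0xFFFFFFFF  # bits that must match exactly
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def parse_ace(line):
    """Parse '<permit|deny> <proto> <src> <dst>' (no port operators)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError("bad action in ACE: " + line)
    src, i = _parse_addr(tokens, 2)
    dst, _ = _parse_addr(tokens, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "text": line}


def evaluate(acl, packet):
    """Return (action, matching_entry). First match wins; an IOS ACL ends
    with an implicit 'deny ip any any'. Protocol 'ip' matches everything."""
    for ace in acl:
        if ace["proto"] not in ("ip", packet["proto"]):
            continue
        if _addr_matches(ace["src"], packet["src"]) and _addr_matches(ace["dst"], packet["dst"]):
            return ace["action"], ace["text"]
    return "deny", "implicit deny ip any any"


# The ACL as handed to Dustin, and the same ACL with the first line corrected.
# The second line is a constructed stand-in for "the application traffic".
ACL_AS_GIVEN = [parse_ace(line) for line in (
    "permit ip host 10.10.10.10 any",                   # entry questioned in the thread
    "permit tcp 10.10.10.0 0.0.0.255 host 192.0.2.50",  # constructed: VLAN -> app server
)]
ACL_CORRECTED = [parse_ace(line) for line in (
    "permit ip any host 10.10.10.10",                   # Dustin's corrected entry
    "permit tcp 10.10.10.0 0.0.0.255 host 192.0.2.50",
)]

# Constructed packets as seen inbound on the SVI (source = a host on the VLAN).
PING_TO_GATEWAY = {"proto": "icmp", "src": "10.10.10.25", "dst": GATEWAY}
APP_TRAFFIC = {"proto": "tcp", "src": "10.10.10.25", "dst": "192.0.2.50"}
# Forged source address equal to the gateway's own: Dustin's "unless something
# malicious is going on" case.
SPOOFED_FROM_GATEWAY = {"proto": "icmp", "src": GATEWAY, "dst": "10.10.10.25"}


def compare(packet):
    """Decision of both ACLs for one packet: {'as_given': ..., 'corrected': ...}."""
    return {"as_given": evaluate(ACL_AS_GIVEN, packet),
            "corrected": evaluate(ACL_CORRECTED, packet)}


if __name__ == "__main__":
    for name, pkt in (("ping to gateway", PING_TO_GATEWAY),
                      ("app traffic", APP_TRAFFIC),
                      ("spoofed gateway source", SPOOFED_FROM_GATEWAY)):
        result = compare(pkt)
        print(f"{name:24s} as given: {result['as_given']}")
        print(f"{'':24s} corrected: {result['corrected']}")
```

Running it shows the two consequences of the original line: a host pinging its gateway is dropped by the implicit deny (Rick's point that traffic addressed to the SVI is still a layer 3 packet evaluated by the inbound ACL), while the only inbound packet the line would ever permit is one that forges the gateway's address as its source. Swapping the entry to the destination form fixes both.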