02-19-2010 08:43 AM - edited 03-06-2019 09:47 AM
This question concerns applying ACLs to interfaces vs. applying ACLs to VLANs.
Let's use the following example:
access-list 100 permit tcp host 192.168.5.5 host 172.16.1.10 eq ftp
then on the router interface I apply this ACL INBOUND
so I say on the interface
ip access-group 100 in
This means in towards the router vs. if I had used "out" meaning "out away from the router".
Now I want to understand this with respect to a VLAN.
If I apply an ACL using Access-group on an OUT direction to a VLAN, does that not mean traffic that is leaving the VLAN?
Here is my issue:
interface Vlan103
description Disaster Recovery SCADA Network A
ip address 192.168.103.1 255.255.255.0
ip access-group LoSCADA-vlan103 out
end
In the following example, I would have thought that I would have to write the ACL so that the source was anything in the 192.168.103 network, and that anything external would be the destination in the ACL. But when I examine the associated ACL I see on this device (ACL LoSCADA-vlan103), this seems inverted.
For some reason, I am not understanding the direction of traffic flow
Thanks
Kevin
02-19-2010 08:59 AM
interface Vlan103
description Disaster Recovery SCADA Network A
ip address 192.168.103.1 255.255.255.0
Taking Vlan 103 as an example, if you apply an ACL on the 'in' direction, the source must be within the 192.168.103.x subnet while the destination can be anything.
If you apply an ACL in the 'out' direction, the source can be anything while the destination can be 'any' or 192.168.103.x.
02-19-2010 09:18 AM
An access-list applied outbound to a vlan interface filters traffic going TO machines on that vlan.
An access-list applied inbound to a vlan filters traffic coming FROM machines on that vlan.
02-19-2010 10:10 AM
Isn't that what I said?
07-28-2022 08:30 AM
Exactly what you said, but the words "TO" "From" really hit it home for me. Thanks to both of you.
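Added example, not from any poster in this thread: a small Python model of how an ACL bound to an SVI with "ip access-group <name> in|out" is evaluated, using the thread's Vlan103 subnet. The host addresses, the 10.0.0.0/8 remote network and the two ACLs are constructed; it shows why an ACL written with the VLAN subnet as source, but applied "out", never matches the packets it actually sees.

```python
# Added example (not from the thread): model of SVI ACL direction.
# Vlan103 = 192.168.103.0/24 is from the thread; hosts and ACLs are constructed.
from ipaddress import ip_address, ip_network

VLAN103 = ip_network("192.168.103.0/24")

# Each ACE is (action, source, destination); "any" or a CIDR string.
# Ports/protocols are left out: the point here is direction, not L4 detail.
def matches(ace, src, dst):
    _, s, d = ace
    return (s == "any" or ip_address(src) in ip_network(s)) and \
           (d == "any" or ip_address(dst) in ip_network(d))

def evaluate(acl, src, dst):
    """First matching ACE wins; implicit deny at the end, as in IOS."""
    for ace in acl:
        if matches(ace, src, dst):
            return ace[0]
    return "deny"

def svi_filter(acl, direction, svi_net, src, dst):
    """Return 'permit'/'deny' if the packet is subject to this ACL, else None.
    'in'  = packets coming FROM hosts on the VLAN (source in the SVI subnet)
    'out' = packets going TO hosts on the VLAN (destination in the SVI subnet)
    """
    if direction == "in" and ip_address(src) not in svi_net:
        return None
    if direction == "out" and ip_address(dst) not in svi_net:
        return None
    return evaluate(acl, src, dst)

# Orientation the question expected: VLAN subnet as source (constructed).
ACL_SRC_ORIENTED = [("permit", "192.168.103.0/24", "any")]
# Orientation the answers describe for "out": VLAN subnet as destination.
ACL_DST_ORIENTED = [("permit", "10.0.0.0/8", "192.168.103.0/24")]

def demo():
    to_vlan = ("10.1.1.1", "192.168.103.50")     # traffic TO a Vlan103 host
    from_vlan = ("192.168.103.50", "10.1.1.1")   # traffic FROM a Vlan103 host
    return {
        "out_wrong_orientation": svi_filter(ACL_SRC_ORIENTED, "out", VLAN103, *to_vlan),
        "out_right_orientation": svi_filter(ACL_DST_ORIENTED, "out", VLAN103, *to_vlan),
        "out_ignores_from_vlan": svi_filter(ACL_DST_ORIENTED, "out", VLAN103, *from_vlan),
        "in_sees_from_vlan": svi_filter(ACL_SRC_ORIENTED, "in", VLAN103, *from_vlan),
    }
```

This models direction only; it does not reproduce other IOS behaviour such as an outbound ACL not filtering traffic the router itself originates.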