ACL IN to VLAN Interface

gene.uhl
Level 1
Level 1

I'll try and simplify. I create an ACL inbound to a VLAN at an edge switch. The VLAN is trunked to a distribution L3 switch that handles the routing of all the trunked VLANs. For example, the users can get to an IP subnet prior to access-group application. When I apply the ACL they cannot. The ACL lets them get to that subnet by definition, but it does not allow them access to the default gateway.

When I allow IP ANY to the default gateway, they can get to that subnet again. So, with an ACL IN on the VLAN, must I allow access to the default gateway even though their destination IP address is somewhere else in the network? If so, WHY? Is it so the ACL will allow the service of the ARP for its default gateway??

Any insight would be great.

Thanks

Gene

8 Replies

Hello,

Can you post your config for the switch and the acl

res

Paul


I have pulled relevant configs from running. Let me know if you need more. I also enclosed a quick and dirty diagram to help. Line 60 is the one I had to add to get it working, as this is the access to the default gateway line. Thanks.

Gene

Configs on Switch 3 In Diagram

Vlan990 172.16.253.14 YES manual up up

interface Vlan990

ip address 172.16.253.14 255.255.255.248

ip access-group TRAVELLER_WIFI_VLAN990 in

Extended IP access list TRAVELLER_WIFI_VLAN990

10 permit icmp 172.16.253.8 0.0.0.7 host 172.16.254.250 log (27 matches)

20 permit icmp 172.16.253.8 0.0.0.7 host 172.16.254.249 log

30 permit ip host 172.16.253.9 host 172.16.254.250 log (386674 matches)

40 permit ip host 172.16.253.10 host 172.16.254.250 log (1555143 matches)

60 permit ip 172.16.253.8 0.0.0.7 host 172.16.253.14 log (91256 matches)

1000 deny ip any any (45 matches)

5 permit ip 172.16.253.8 0.0.0.7 host 172.16.253.14


Jawad

Thank you but this does not answer my original question.   This statement is already in line 60 of my ACL and I don't see how moving it to line 5 has any bearing.

Thank you

Gene

Giuseppe,

Thank you!! I had a hunch that was it. Now one last question on the basics, which I think I may know. A packet not destined for the local VLAN will have a source IP on the local VLAN, but a destination NOT on the local VLAN. So is the ACL IN blocking packets based on the non-local destination IP address, or is it blocking the ARP of the local machine attempting to get the IP address of the default gateway??

In your explanation, does that mean whenever you add an ACL IN to a VLAN you would need to add access to the default gateway to let packets off the VLAN?  And if you do, does that not mean that packets will then be able to get inside your network?

Thanks

Gene

Hello Gene,

The ACL entry line 60 is needed only to have IP reachability to the VLAN default gateway.

>> or is it blocking the ARP of the local machine attempting to get the IP address of the default gateway??

The IP ACL does not filter the ARP traffic, as ARP is not IPv4 traffic but a different protocol over ethernet.

>> A packet not destined for the local VLAN will have a source IP on the local VLAN, but a destination NOT on the local VLAN. So is the ACL IN blocking packets based on the non-local destination IP address

The IP packet is evaluated against the ACL statements looking for a match; if a match is found and it is a permit statement, the IP packet is permitted to go through. All ACLs have an implicit deny ip any any at the end. This is something to be taken into account.

>> In your explanation, does that mean whenever you add an ACL IN to a VLAN you would need to add access to the default gateway to let packets off the VLAN?

No, if other ACL lines permit traffic to destinations on remote IP subnets they should be able to go through even if IP connectivity to the local default gateway is not permitted.

>> The ACL lets them get to that subnet by definition, but it does not allow them access to the default gateway. 

This is what I have tried to explain in my previous post when speaking of the different behaviour of inbound ACLs vs. outbound ACLs.

Hope to help

Giuseppe


Hello Gene,

The additional line 60 of your ACL applied to switch 3 is needed to be able to reach the default gateway 172.16.253.14.

The reason behind this is that when you apply an ACL inbound it has the capability to drop packets with a destination on the local router!

This is different from ACLs applied outbound that cannot block packets originated on the local router.

This asymmetry in ACL behaviour is built into IOS.

I would say that what you see is normal and that you have already fixed the real issue with that additional ACL line (line 60).

Hope to help

Giuseppe
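To make the first-match and implicit-deny behaviour Giuseppe describes concrete, here is an added Python model of extended ACL evaluation (written for this thread, not code from the original posts or from IOS). It replays the TRAVELLER_WIFI_VLAN990 entries with and without line 60 and applies wildcard masks the way IOS does (0 bits must match, 1 bits are ignored); the packets it checks are constructed from the addresses in the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One extended ACL entry; 'host X' is written as X with wildcard 0.0.0.0."""
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every IPv4 protocol; "icmp" matches only ICMP
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Wildcard-mask semantics: a 0 bit must match, a 1 bit is "don't care".
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, proto: str, src: str, dst: str):
    """First-match evaluation; returns (action, seq). seq None = implicit deny."""
    for ace in sorted(acl, key=lambda e: e.seq):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action, ace.seq
    return "deny", None  # implicit deny ip any any at the end of every ACL


# Entries from the thread's ACL before line 60 was added (1000 is the explicit deny).
BASE_ACL = [
    Ace(10, "permit", "icmp", "172.16.253.8", "0.0.0.7", "172.16.254.250", "0.0.0.0"),
    Ace(20, "permit", "icmp", "172.16.253.8", "0.0.0.7", "172.16.254.249", "0.0.0.0"),
    Ace(30, "permit", "ip", "172.16.253.9", "0.0.0.0", "172.16.254.250", "0.0.0.0"),
    Ace(40, "permit", "ip", "172.16.253.10", "0.0.0.0", "172.16.254.250", "0.0.0.0"),
    Ace(1000, "deny", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
# Line 60: permit the subnet to the SVI address itself, i.e. the default gateway.
LINE_60 = Ace(60, "permit", "ip", "172.16.253.8", "0.0.0.7", "172.16.253.14", "0.0.0.0")
WITH_60 = BASE_ACL + [LINE_60]

if __name__ == "__main__":
    for acl, name in ((BASE_ACL, "without line 60"), (WITH_60, "with line 60")):
        print(name, "ping gateway:", evaluate(acl, "icmp", "172.16.253.9", "172.16.253.14"))
        print(name, "to remote host:", evaluate(acl, "ip", "172.16.253.9", "172.16.254.250"))
```

Traffic to the remote host 172.16.254.250 is permitted by line 30 in both cases; only the packet addressed to the SVI itself changes from deny to permit once line 60 is present, which is the asymmetry described above.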

Hello,

I posted the info as you requested which took some time to create.  A favor or a reply would be appreciated.

Thanks

Gene
