Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
349
Views
1
Helpful
8
Replies

ACL in vs out

Go to solution
Andy Emerine
Level 1
Level 1

‎05-01-2024 07:52 AM

I have the ACL and VLAN interface configured below. It locks down VLAN90 devices well. The devices can only access each other and the internet. The interface is configured for "out" traffic. Would it be more secure to use "in" instead so that I'm blocking closest to the source? If so how would the ACL be re-written?

Extended IP access list IoT_ACL
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
21 permit udp any eq domain any
22 permit tcp any any eq domain
23 permit tcp any eq domain any
30 deny ip 10.55.0.0 0.0.3.255 any log (39436 matches)
40 deny ip 10.55.4.0 0.0.0.255 any
50 deny ip 10.55.5.0 0.0.0.255 any
60 deny ip 10.55.6.0 0.0.0.255 any
70 deny ip 10.55.7.0 0.0.0.255 any
80 deny ip 10.55.8.0 0.0.3.255 any
90 deny ip 10.55.12.0 0.0.3.255 any
100 deny ip 10.55.16.0 0.0.3.255 any
110 permit ip any any

interface Vlan90
description IoT
ip address 10.55.20.1 255.255.255.0
ip helper-address 10.55.1.60
ip access-group IoT_ACL out
end

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to Andy Emerine

‎05-01-2024 08:51 AM

Usually you just need to swap source and destination parameters within an extended ACL. 

View solution in original post

0 Helpful
8 Replies 8

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎05-01-2024 08:00 AM

In–when you are running traffic coming INTO the interface through an ACL.
Out–when you are running traffic leaving the interface through an ACL.

So always apply in your case IN is best option

example :

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#sourcedefine

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
David Ruess
VIP
VIP

‎05-01-2024 08:29 AM

In your output the ACL applied outbound on a VLAN interface filters traffic going INTO that VLAN. How you configure the ACL depends on your requirements.

-David

0 Helpful

Go to solution
Andy Emerine
Level 1
Level 1
In response to David Ruess

‎05-01-2024 08:35 AM

If I switch ip access-group IoT_ACL from "out" to "in", a device on the IoT VLAN can then access any device/port across vlans. How would I configure ACL so that it can be applied inbound?

0 Helpful

Go to solution
David Ruess
VIP
VIP
In response to Andy Emerine

‎05-01-2024 08:51 AM

You already have it applied inbound on the ACL. When you apply an ACL to a VLAN interface it kinda has the reverse logic of an ACL applied on a regular interface. With your configuration you have it configured "OUT" which means its being applied to all devices going INTO that VLAN.

If you want to apply it to traffic coming FROM that VLAN then you need to configure the ACL for the INBOUND direction.

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to Andy Emerine

‎05-01-2024 08:51 AM

Usually you just need to swap source and destination parameters within an extended ACL. 

0 Helpful

Go to solution
Andy Emerine
Level 1
Level 1
In response to Joseph W. Doherty

‎05-01-2024 08:57 AM

Like this?

30 deny any ip 10.55.0.0 0.0.3.255
instead of 
30 deny ip 10.55.0.0 0.0.3.255 any

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to Andy Emerine

‎05-01-2024 11:39 AM

Yup.

0 Helpful

Go to solution
Andy Emerine
Level 1
Level 1
In response to Joseph W. Doherty

‎05-01-2024 11:23 AM

I see what you mean. I changed the statement to the following and that worked.

30 deny ip 10.55.12.0 0.0.3.255 10.55.0.0 0.0.3.255

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card