ACL in vs out

Andy Emerine
Level 1

I have the ACL and VLAN interface configured below. It locks down VLAN90 devices well. The devices can only access each other and the internet. The interface is configured for "out" traffic. Would it be more secure to use "in" instead so that I'm blocking closest to the source? If so how would the ACL be re-written?

Extended IP access list IoT_ACL
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
21 permit udp any eq domain any
22 permit tcp any any eq domain
23 permit tcp any eq domain any
30 deny ip 10.55.0.0 0.0.3.255 any log (39436 matches)
40 deny ip 10.55.4.0 0.0.0.255 any
50 deny ip 10.55.5.0 0.0.0.255 any
60 deny ip 10.55.6.0 0.0.0.255 any
70 deny ip 10.55.7.0 0.0.0.255 any
80 deny ip 10.55.8.0 0.0.3.255 any
90 deny ip 10.55.12.0 0.0.3.255 any
100 deny ip 10.55.16.0 0.0.3.255 any
110 permit ip any any

interface Vlan90
description IoT
ip address 10.55.20.1 255.255.255.0
ip helper-address 10.55.1.60
ip access-group IoT_ACL out
end



8 Replies

balaji.bandi
Hall of Fame

In: when you are running traffic coming INTO the interface through an ACL.
Out: when you are running traffic leaving the interface through an ACL.

So in your case, always apply it IN; that is the best option.

example :

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#sourcedefine


BB


In your output the ACL applied outbound on a VLAN interface filters traffic going INTO that VLAN. How you configure the ACL depends on your requirements.

-David

If I switch ip access-group IoT_ACL from "out" to "in", a device on the IoT VLAN can then access any device/port across vlans. How would I configure ACL so that it can be applied inbound?

You already have it applied inbound on the ACL. When you apply an ACL to a VLAN interface it kinda has the reverse logic of an ACL applied on a regular interface. With your configuration you have it configured "OUT", which means it's being applied to all devices going INTO that VLAN.

If you want to apply it to traffic coming FROM that VLAN then you need to configure the ACL for the INBOUND direction.

Usually you just need to swap source and destination parameters within an extended ACL. 

Like this?

30 deny any ip 10.55.0.0 0.0.3.255
instead of 
30 deny ip 10.55.0.0 0.0.3.255 any

Yup.

I see what you mean. I changed the statement to the following and that worked.

30 deny ip 10.55.12.0 0.0.3.255 10.55.0.0 0.0.3.255
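As an added illustration of the swap described in the accepted reply (this is not code from the thread): a small Python helper that rewrites each entry of the outbound IoT_ACL for inbound use by exchanging the source and destination fields, including their port qualifiers, and dropping the hit counters. The sample input is the ACL from the question; the parser covers only the syntax forms that ACL uses (any, host, address/wildcard, eq ports, log).

```python
import re

# Constructed sample: the outbound IoT_ACL from the question, as printed by
# "show ip access-lists" (a hit counter is included to show it is stripped).
OUTBOUND_ACL = """\
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
21 permit udp any eq domain any
22 permit tcp any any eq domain
23 permit tcp any eq domain any
30 deny ip 10.55.0.0 0.0.3.255 any log (39436 matches)
40 deny ip 10.55.4.0 0.0.0.255 any
110 permit ip any any
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One endpoint: "any", "host A.B.C.D" or "A.B.C.D WILDCARD", each with an optional "eq <port>".
ENDPOINT = rf"(any|host {IPV4}|{IPV4} {IPV4})(?: eq (\S+))?"
# seq action proto <src> <dst> [trailing keywords such as log] [(N matches)]
ACE_RE = re.compile(
    rf"^(\d+) (permit|deny) (\S+) {ENDPOINT} {ENDPOINT}((?: \S+)*?)(?: \(\d+ matches\))?$"
)


def swap_ace(line):
    """Return the same ACE with source and destination (and their port
    qualifiers) exchanged, so an entry written for 'out' on the SVI has the
    equivalent effect when the ACL is applied 'in' on that SVI."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    seq, action, proto, src, sport, dst, dport, tail = m.groups()
    out = [seq, action, proto, dst]
    if dport:
        out += ["eq", dport]
    out.append(src)
    if sport:
        out += ["eq", sport]
    return " ".join(out) + tail


def swap_acl(text):
    """Rewrite every non-blank line of an outbound ACL listing for inbound use."""
    return [swap_ace(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    print("\n".join(swap_acl(OUTBOUND_ACL)))
```

Applied "in" on Vlan90, a source of "any" can only ever match hosts on 10.55.20.0/24, so it may be written explicitly as 10.55.20.0 0.0.0.255 if a narrower rule is preferred. The log keyword on sequence 30 is carried across, so denied traffic is still recorded, now at the interface closest to the IoT devices that originate it.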