ACL Intervlan Traffic

ChristopheVL
Level 1

Dear Community,

I would like some clarity regarding an ACL I have created on an L3 switch.

For example, I have a Mobile network which is subnet 10.3.12.0/24.

This network only needs to access the mail server and the Internet; the rest of the traffic needs to be blocked.

Extended IP access list Mobile-Isolation
1 deny tcp 10.3.12.0 0.0.0.255 host 10.3.12.1 eq telnet
2 deny tcp 10.3.12.0 0.0.0.255 host 10.3.12.1 eq 22
3 deny tcp 10.3.12.0 0.0.0.255 host 10.3.12.1 eq 161
4 deny udp 10.3.12.0 0.0.0.255 host 10.3.12.1 eq snmp
10 deny ip 127.0.0.0 0.255.255.255 any
20 deny ip 169.254.0.0 0.0.255.255 any (1586 matches)
30 deny ip 172.16.0.0 0.0.255.255 any
40 deny ip 10.3.12.0 0.0.0.255 172.16.0.0 0.0.255.255
50 deny ip 10.3.12.0 0.0.0.255 10.3.3.0 0.0.0.255
60 deny ip 10.3.12.0 0.0.0.255 10.3.4.0 0.0.0.255
70 deny ip 10.3.12.0 0.0.0.255 10.3.5.0 0.0.0.255
80 deny ip 10.3.12.0 0.0.0.255 10.3.10.0 0.0.0.255
90 deny ip 10.3.12.0 0.0.0.255 10.3.11.0 0.0.0.255
100 permit tcp 10.3.12.0 0.0.0.255 host 192.168.0.12 eq smtp
110 permit tcp 10.3.12.0 0.0.0.255 host 192.168.0.12 eq 587
120 permit tcp 10.3.12.0 0.0.0.255 host 192.168.0.12 eq 465
130 permit tcp 10.3.12.0 0.0.0.255 host 192.168.0.12 eq 443
140 deny ip 10.3.12.0 0.0.0.255 192.168.0.0 0.0.255.255 (881 matches)
150 permit ip any any (693081 matches)

This ACL is applied IN to the SVI 

My question:

Does an ACL block in 2 directions? Why, because if I block 10.3.3.0 (line 50) this works. The ping gets timed out.

Is an OUT direction needed in this case?

Kind regards,

Christophe

4 Replies

Hello Christophe,

"Does an ACL block in 2 directions? Why, because if I block 10.3.3.0 (line 50) this works. The ping gets timed out."

No. Only stateful firewalls block traffic in both directions. An ACL is stateless and needs to permit both directions.

Is an OUT direction needed in this case?

Yes.

Hi Flavio,

But what is the reason that I can't ping from 10.3.3.0 to 10.3.12.0?
I would presume that the ACL does its work?

The SVI sees that the return traffic coming from 10.3.3.0 is not permitted, so it blocks it.

The reason why I'm asking is because I want to block all traffic that is not necessary for reaching the network 10.3.12.0.

Thanks in advance

You can create an ACL (IN/OUT) allowing only the traffic you want. Then, all the rest will be denied. There's an implicit deny at the bottom of every ACL.

-If I helped you somehow, please, rate it as useful.-

Reza Sharifi
Hall of Fame

Hi,

When you apply an ACL in the "in" direction of an SVI, it only blocks traffic coming into that SVI (ingress traffic). To block outbound traffic, you need an ACL in the "out" direction.

HTH
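To make the replies above concrete, here is a small Python model of a stateless ACL applied "in" on the SVI, added as an illustration (it is not from the thread or from Cisco). It parses a constructed subset of Christophe's list with the match counters stripped and shows why a ping from 10.3.3.x to 10.3.12.x times out: the echo request is never evaluated by this ACL (it enters the switch on another interface), but the echo reply leaving the VLAN hits entry 50 on its way into the SVI.

```python
import ipaddress

# Constructed subset of the poster's ACL (match counters stripped, seq numbers kept).
ACL_TEXT = """\
1 deny tcp 10.3.12.0 0.0.0.255 host 10.3.12.1 eq telnet
10 deny ip 127.0.0.0 0.255.255.255 any
50 deny ip 10.3.12.0 0.0.0.255 10.3.3.0 0.0.0.255
100 permit tcp 10.3.12.0 0.0.0.255 host 192.168.0.12 eq smtp
140 deny ip 10.3.12.0 0.0.0.255 192.168.0.0 0.0.255.255
150 permit ip any any
"""
PORTS = {"telnet": 23, "snmp": 161, "smtp": 25}   # port names used in the list
VLAN_NET = ipaddress.ip_network("10.3.12.0/24")    # the VLAN behind the SVI

def _addr(tokens):
    # Consume one IOS address spec: any | host A.B.C.D | A.B.C.D wildcard
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    return ipaddress.ip_network(f"{t}/{32 - bin(wildcard).count('1')}")

def parse_acl(text):
    # 'seq action proto src dst [eq port]' -> (seq, action, proto, src, dst, port)
    rules = []
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        seq, action, proto, rest = int(tok[0]), tok[1], tok[2], tok[3:]
        src, dst = _addr(rest), _addr(rest)
        port = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append((seq, action, proto, src, dst, port))
    return rules

def lookup(rules, proto, src, dst, dport=None):
    # First matching entry wins; falling off the end is the implicit deny.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and rport in (None, dport):
            return seq, action
    return None, "deny"

def simulate_ping(rules, src, dst):
    # Both legs of a ping checked statelessly with the ACL applied "in" on the SVI.
    # Only packets entering the SVI from VLAN_NET are evaluated; there is no "out" ACL.
    def leg(a, b):
        if ipaddress.ip_address(a) in VLAN_NET:
            return lookup(rules, "icmp", a, b)
        return None, "not evaluated"        # arrives through another interface
    return {"request": leg(src, dst), "reply": leg(dst, src)}
```

Running `simulate_ping(parse_acl(ACL_TEXT), "10.3.3.7", "10.3.12.5")` reports the request as not evaluated and the reply denied by entry 50, which is the timeout Christophe observed; an "out" ACL on the SVI would be needed to evaluate the request itself.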
