03-29-2011 12:31 AM - edited 03-06-2019 04:19 PM
Hi All,
I have a 3560 Cisco L3 switch. I have enabled an extended access list on one of the VLANs (Vlan 10) to restrict access to other VLANs, and the ACL has been applied in the "in" direction.
Now the issue is that whatever connection is initiated from other VLANs is not able to reach the machines inside this VLAN (VLAN 10). Do I need to permit the connections initiated from other VLANs in reverse?
Please advise...
Ashraf
03-29-2011 12:38 AM
Hi Ashraf,
The interface VLAN should be considered as an interface of the internal routing engine to the particular VLAN. The in direction is therefore the traffic that comes into the interface and possibly leaves the VLAN towards some other network. Conversely, the out direction is the traffic that leaves the interface and flows into the VLAN. Kind of reversed but logical if you consider the interface VLAN just like any other interface.
Now, your problems seem to be indeed caused by an inappropriate ACL direction. It should most probably be placed in the out direction, as you are limiting the flows coming from other VLANs and exiting this particular interface.
Best regards,
Peter
03-29-2011 01:51 AM
Thanks Peter.
But the thing is, I have enabled the ACL in the "in" direction, that's for sure. The subnet defined for VLAN 10 is 10.10.10.0/24; based on this source I have written the ACL:
IP access list extended admin-acl
9 permit icmp any any (10 matches)
10 permit ip 10.10.10.0 0.0.0.255 host 192.168.11.6
11 permit ip 10.10.10.0 0.0.0.255 host 192.168.11.8
20 permit ip 10.10.10.0 0.0.0.255 host 192.168.12.26
30 permit ip 10.10.10.0 0.0.0.255 host 192.168.12.124
40 deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
1. But when I am trying to take RDP from one of the other VLANs (VLAN 30) with source IP 192.168.12.100 to 10.10.10.14 (VLAN 10), it's not connecting.
Even though this connection is not generated from inside VLAN 10, why is the connection getting dropped?
2. And as you can see, in the above ACL, the connection to 192.168.11.8 is permitted. Do I need to write an ACL entry in reverse also, like this:
"12 permit ip host 192.168.11.8 10.10.10.0 0.0.0.255"
Ashraf
03-29-2011 02:11 AM
Hello Ashraf,
Thanks for responding. Seeing the ACL helps much to understand your issue.
1. But when I am trying to take RDP from one of the other VLANs (VLAN 30) with source IP 192.168.12.100 to 10.10.10.14 (VLAN 10), it's not connecting.
Yes, that is logical. The packets from 192.168.12.100 most probably reach the destination 10.10.10.14, but when the 10.10.10.14 responds, the responses are not permitted by your ACL. The first ACL entry that actually matches these responses is the entry 40 that says:
40 deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
As you can see, it drops the packets because the action is deny. If you want to allow RDP communication in particular, you should add an entry before this one, for example,
31 permit tcp 10.10.10.0 0.0.0.255 eq 3389 host 192.168.12.100
This entry is very specific to the RDP flow - feel free to make it less strict according to your needs.
2. And as you can see, in the above ACL, the connection to 192.168.11.8 is permitted. Do I need to write an ACL entry in reverse also, like this:
"12 permit ip host 192.168.11.8 10.10.10.0 0.0.0.255"
It depends on whether you have an ACL placed in the out direction on your interface. If there is no ACL in the out direction then you do not need to create any more ACL entries. The entry 12 you have suggested here does not belong to your current ACL if it inspects only the in traffic - the source would never be 192.168.11.8 and the destination would never be 10.10.0.0/16.
Best regards,
Peter
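To make Peter's reasoning concrete, here is an added example (not part of the thread and not Cisco code) that parses the ACL Ashraf posted, evaluates it the way an "in" ACL on interface Vlan 10 would, and shows the RDP reply hitting entry 40 until entry 31 is added. The RDP client's ephemeral port (50000) and the sample packets are constructed assumptions.

```python
import ipaddress

# ACL quoted in the thread (as 'show ip access-list' prints it, minus match counts).
ACL_TEXT = """9 permit icmp any any
10 permit ip 10.10.10.0 0.0.0.255 host 192.168.11.6
11 permit ip 10.10.10.0 0.0.0.255 host 192.168.11.8
20 permit ip 10.10.10.0 0.0.0.255 host 192.168.12.26
30 permit ip 10.10.10.0 0.0.0.255 host 192.168.12.124
40 deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255"""
FIX_ENTRY = "31 permit tcp 10.10.10.0 0.0.0.255 eq 3389 host 192.168.12.100"

def parse_entry(line):
    """'seq action proto src [eq p] dst [eq p]' -> (seq, action, proto, src, sp, dst, dp)."""
    tok, fields, pos = line.split(), [], 3
    for _ in range(2):                       # source block, then destination block
        if tok[pos] == "any":
            net, pos = ipaddress.ip_network("0.0.0.0/0"), pos + 1
        elif tok[pos] == "host":
            net, pos = ipaddress.ip_network(tok[pos + 1] + "/32"), pos + 2
        else:                                # contiguous wildcard -> prefix length
            plen = 32 - int(ipaddress.ip_address(tok[pos + 1])).bit_length()
            net, pos = ipaddress.ip_network(f"{tok[pos]}/{plen}", strict=False), pos + 2
        port = None
        if pos < len(tok) and tok[pos] == "eq":
            port, pos = int(tok[pos + 1]), pos + 2
        fields += [net, port]
    return (int(tok[0]), tok[1], tok[2], *fields)

def parse_acl(*texts):
    """Entries are evaluated in sequence-number order, regardless of entry order."""
    return sorted((parse_entry(l) for t in texts for l in t.splitlines()), key=lambda e: e[0])

def evaluate(acl, pkt):
    """(seq, action) of the first matching entry; IOS appends an implicit deny."""
    for seq, action, proto, src, sport, dst, dport in acl:
        if (proto in ("ip", pkt["proto"]) and pkt["src"] in src and pkt["dst"] in dst
                and sport in (None, pkt["sport"]) and dport in (None, pkt["dport"])):
            return seq, action
    return None, "deny"

def seen_by_vlan10_in(pkt):
    # An "in" ACL on interface Vlan 10 only inspects packets sourced inside VLAN 10.
    return pkt["src"] in ipaddress.ip_network("10.10.10.0/24")

def packet(src, dst, proto="tcp", sport=None, dport=None):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "sport": sport, "dport": dport}

# Constructed flows for the RDP session in the thread (client port 50000 assumed).
RDP_REQUEST = packet("192.168.12.100", "10.10.10.14", sport=50000, dport=3389)
RDP_REPLY = packet("10.10.10.14", "192.168.12.100", sport=3389, dport=50000)
ACL_ASHRAF, ACL_FIXED = parse_acl(ACL_TEXT), parse_acl(ACL_TEXT, FIX_ENTRY)
```

The request from VLAN 30 never passes through this ACL (it is not sourced in VLAN 10), while the reply from 10.10.10.14 does and falls through to entry 40 until the more specific entry 31 sits before it.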