ACL issue in L3 Switch SVI

Jacob Samuel
Level 1

Hi,

I guess a number of issues like this have already been reported. I am getting confused about the direction of an ACL when it is on a router's physical interface versus when it is on a Layer 3 switch SVI interface. I think my understanding of ACLs needs to be cleared up; I need your kind input please.

I have a L3 switch with 3 vlans

Vlan 1 - Routing-Vlan (connecting directly to another network) - 172.16.1.254/24 (connects to another router somewhere in another network on 172.16.1.1/24)

Vlan 10 - Server-Vlan - 172.16.10.1/24

Vlan 11 - User-Vlan - 172.16.11.1/24

I want to allow only a specific network to come inside my network and access all the subnets; everything else must be blocked.

I want everyone in my network to be able to access anything outside the network.

I tried to configure the ACL as below:

!
access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
!
int vlan 1
 ip address 172.16.1.1 255.255.255.0
 ip access-group 101 in
!

When I am trying from outside (172.16.100.1):

Ping 172.16.10.1 - Good (expected)

Ping 172.16.11.1 - no reply (expected)

When I am trying to ping from inside the Server-Vlan (172.16.10.1):

Ping 172.16.100.1 - Good

The problem:

When I am trying to ping from inside the User-Vlan (172.16.11.1) out to 172.16.100.1, I am not getting a reply.

What is going wrong in this scenario?

regards

Sunny

16 Replies

Hi Jon,

Thanks a lot for the update. I was trying it on Dynamips. I am waiting for the devices to test it on; I will check the scenario and come back to you. Thanks a lot again, you are always a great help to me when I am in trouble.

Thanks & Regards

Sunny

Hi Jon,

I was working on the ACL for the above issue. I have found the following:

int vlan 1
 description Routing vlan
 ip address 172.16.1.1 255.255.255.0
 ip access-group 110 in
!
int vlan 10
 description server vlan
 ip address 172.16.10.1 255.255.255.0
!
int vlan 11
 description Users
 ip address 172.16.11.1 255.255.255.0
 ip access-group 100 in
!

The ACLs applied on VLAN 10 and 11 are inbound in direction, so, as we mentioned before, the traffic coming from each VLAN (172.16.10.x or 172.16.11.x) can be filtered at the SVI itself. In fact I need to put the statement below in bold (the 172.16.11.0 to 172.16.11.0 line) to be able to ping its own gateway.

access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.11.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.101.0 0.0.0.255
....

And for filtering the traffic coming from outside, I had to put the ACL on interface VLAN 1 and apply it in the INBOUND direction.

access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.11.0 0.0.0.255
access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.11.0 0.0.0.255
...

What I understood:

For VLAN 10 or 11, if I apply the ACL outbound it means the traffic coming from outside and destined to the inside of that VLAN.

For VLAN 10 or 11, if I apply the ACL inbound it means the traffic coming from inside that VLAN and destined to the outside.

But for VLAN 1, which is the routing VLAN connecting to the other network, the behaviour is just the reverse:

If I apply it inbound it means the traffic coming into that VLAN interface from outside.

If I apply it outbound it means the traffic going out through that interface.

So I didn't apply any ACL in the outbound direction as of now.

Dear Jon, thanks for taking the time to describe the scenario in detail before.

Please check this and let me know whether my conclusion is correct or whether there is anything left to go over again...!!!

Thanks and Regards

Sunny
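The following is an added example, not code from any post in this thread and not the answer given by the other participant. It is a small Python model of how IOS evaluates numbered extended ACLs and applies them to SVIs, loaded with the two configurations Sunny posted (the 172.16.101.0/24 lines elided with "..." are left out). The direction rule it encodes is the same on every SVI, including the routing VLAN: "in" is whatever the switch receives on that VLAN, "out" is whatever it routes onto it; the routing VLAN only looks reversed because the hosts on it are the outside world. The hosts 172.16.11.50 and 172.16.100.1 used as ping endpoints are constructed for the example.

```python
"""Stateless ACL model for the SVI scenario in this thread (added example, not from
the original posts). It implements numbered extended ACLs (wildcard masks, first
match, implicit deny) and binds them to SVIs as IOS does: "in" filters packets the
switch receives on that VLAN, "out" filters packets it routes onto that VLAN, and
the same rule holds for the routing VLAN. 172.16.11.50 is a constructed host."""
import ipaddress

def _parse_addr(tokens, i):
    """'any', 'host A' or 'A WILDCARD' -> ((network, match_mask), next index).
    match_mask is the inverse of the wildcard: a 1 bit must equal the network."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    net, wildcard = (int(ipaddress.IPv4Address(t)) for t in tokens[i:i + 2])
    return (net, 0xFFFFFFFF ^ wildcard), i + 2

def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [ACE, ...]}."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue  # blank lines and '!' separators
        number, action, proto = tokens[1], tokens[2], tokens[3]
        if proto != "ip":
            raise ValueError("only 'ip' ACEs are modelled: " + line)
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        acls.setdefault(number, []).append((action, src, dst))
    return acls

def acl_permits(aces, src_ip, dst_ip):
    """First matching ACE decides; no match hits the implicit 'deny ip any any'."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for action, (snet, smask), (dnet, dmask) in aces:
        if (s & smask) == (snet & smask) and (d & dmask) == (dnet & dmask):
            return action == "permit"
    return False

class L3Switch:
    """svis: {vlan: (gateway/prefix, in_acl, out_acl)}; routing_vlan is the default
    route for destinations outside every local subnet."""
    def __init__(self, acl_text, svis, routing_vlan=1):
        self.acls = parse_acls(acl_text)
        self.svis = {v: (ipaddress.ip_interface(a), i, o) for v, (a, i, o) in svis.items()}
        self.routing_vlan = routing_vlan

    def vlan_for(self, ip):
        addr = ipaddress.ip_address(ip)
        for vlan, (iface, _, _) in self.svis.items():
            if addr in iface.network:
                return vlan
        return self.routing_vlan

    def is_own_address(self, ip):
        return any(i.ip == ipaddress.ip_address(ip) for i, _, _ in self.svis.values())

    def _passes(self, acl, src, dst):
        if acl is None or acl not in self.acls:
            return True  # nothing bound, or bound but undefined: IOS permits all traffic
        return acl_permits(self.acls[acl], src, dst)

    def forward(self, src, dst):
        """None if the packet gets through, otherwise the ACL binding that dropped it."""
        if self.is_own_address(src):
            return None  # switch-originated packets (echo replies) skip outbound ACLs
        in_vlan = self.vlan_for(src)
        if not self._passes(self.svis[in_vlan][1], src, dst):
            return "acl %s in on vlan %d" % (self.svis[in_vlan][1], in_vlan)
        if self.is_own_address(dst):
            return None  # terminates on the SVI, e.g. a host pinging its gateway
        out_vlan = self.vlan_for(dst)
        if not self._passes(self.svis[out_vlan][2], src, dst):
            return "acl %s out on vlan %d" % (self.svis[out_vlan][2], out_vlan)
        return None

    def ping(self, src, dst):
        """ACLs are stateless: the echo request and the echo reply are checked separately."""
        drop = self.forward(src, dst)
        if drop:
            return "echo request dropped by " + drop
        drop = self.forward(dst, src)
        return "echo reply dropped by " + drop if drop else "ok"

# First post: ACL 101 inbound on VLAN 1 permits only 172.16.100.0/24 -> 172.16.10.0/24.
FIRST = L3Switch("access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255",
                 {1: ("172.16.1.1/24", "101", None), 10: ("172.16.10.1/24", None, None),
                  11: ("172.16.11.1/24", None, None)})

# Second post (elided 172.16.101.0/24 lines left out): ACL 100 in on VLAN 11, ACL 110 in on VLAN 1.
SECOND_ACLS = """
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.11.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.11.0 0.0.0.255
"""
SECOND_SVIS = {1: ("172.16.1.1/24", "110", None), 10: ("172.16.10.1/24", None, None),
               11: ("172.16.11.1/24", "100", None)}
SECOND = L3Switch(SECOND_ACLS, SECOND_SVIS)
```

Running the thread's own checks against the model: FIRST.ping("172.16.100.1", "172.16.10.1") returns "ok", FIRST.ping("172.16.100.1", "172.16.11.1") returns "echo request dropped by acl 101 in on vlan 1", and FIRST.ping("172.16.11.50", "172.16.100.1") returns "echo reply dropped by acl 101 in on vlan 1", which is the first post's symptom: the request leaves VLAN 1 unfiltered, but ACL 101 has no permit for the reply to 172.16.11.0/24 and the implicit deny at the end of the list eats it. With the second post's ACLs, SECOND.ping("172.16.11.50", "172.16.100.1") returns "ok" because ACL 110 now has the 172.16.100.0/24 to 172.16.11.0/24 line; and if the 172.16.11.0 to 172.16.11.0 line is removed from ACL 100, a ping from a user host to its own gateway fails at "acl 100 in on vlan 11", since traffic addressed to the SVI itself still passes that SVI's inbound ACL. The model also encodes the IOS behaviour that an access-group pointing at an ACL with no entries permits everything, a common surprise when an ACL is bound before it is defined.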