Re: ACL's and InterVLAN routing/switching

Eric Snijders · ‎08-28-2017

Could somebody explain how i should look/use ACL's when a packet travels through different VLAN's?

For example, the following topology:

- The 192.168.x.x subnets are subinterfaces on the ASA's.

- The 10.0.10.0/24 network is VLAN50

- The 192.168.x.x networks are VLAN10, 20, 30 and 40.

- All the routing to eachothers subnets is being done over VLAN10.

Now, let's say i want to ping from 192.168.10.1 (VLAN10) to 192.168.40.1 (VLAN40), what will the traffic flow be?

Is it like this?

1. Source 192.168.10.1 (VLAN10) --> Destination 10.0.10.2 (VLAN50)

2. Source 10.0.10.2 (VLAN50) --> Destination 192.168.40.1 (VLAN40)?

And if it's like that, should i also look at it that way with ACL's? So:

1. Inbound VLAN10 --> Inbound VLAN50 --> Inbound VLAN40?

Seb Rupik · ‎08-29-2017

Hi Eric,

The source and destination IP address never change unless there is NAT taking place on those particular IP's / subnets. As a packet travels through different VLANs/ subnets its IP header will remain unchanged, it is its Layer2 header that will be modified to reflect the segment it is traveling along.

Regarding your ACLs, providing the above statement is true, filter with those IPs.

cheers,

Seb.

Eric Snijders · ‎08-29-2017

Hi Seb,

Thanks for the info. So, if the IP header is never changed, would the flow in my example be:

- Source 192.168.10.1 (VLAN10) --> Destination 192.168.40.1 (VLAN40)?

And if i'm talking about VLAN's, it would be:

- 192.168.10.1 inbound on VLAN10 --> 192.168.10.1 inbound on VLAN50 --> 192.168.10.1 inbound on VLAN40.

Am i right?

Seb Rupik · ‎08-29-2017

Yes, that's correct.

cheers,

Seb.