another acl in/out question
11-23-2011 07:59 AM - edited 03-07-2019 03:33 AM
Hi,
I have a router-on-a-stick setup.
There are three VLANs:
(VLAN 10, net 10.10.10.0
VLAN 20, net 20.20.20.0
VLAN 30, net 30.30.30.0)
I want to keep each VLAN separated from the others.
So the ACL commands I used on the router are:
access-list 1 deny 20.20.20.0 0.0.0.255
access-list 1 deny 30.30.30.0 0.0.0.255
access-list 1 permit any
access-list 2 deny 30.30.30.0 0.0.0.255
access-list 2 deny 10.10.10.0 0.0.0.255
access-list 2 permit any
access-list 3 deny 10.10.10.0 0.0.0.255
access-list 3 deny 20.20.20.0 0.0.0.255
access-list 3 permit any
I tried to apply "in" for the ACL direction,
i.e.
interface FastEthernet0/0.3
encapsulation dot1Q 30
ip address 30.30.30.30 255.255.255.0
ip access-group 3 in
I applied three "in" statements, one on each subinterface, but each VLAN could still ping the others.
Then I changed the direction to "out" and, surprisingly, it worked.
My question is why the "in" direction did not work. I thought I could block all traffic coming into the router, i.e.
on VLAN 10
access-list 1 deny 20.20.20.0 0.0.0.255
access-list 1 deny 30.30.30.0 0.0.0.255
I reject all traffic with source network 20.20.20.0 and 30.30.30.0 coming into the interface f0/0.1.
It makes sense, doesn't it? But why doesn't it work? Why must I use "out" here?
Thanks in advance.
Below is the complete config:
ip dhcp pool v10
network 10.10.10.0 255.255.255.0
default-router 10.10.10.10
ip dhcp pool v20
network 20.20.20.0 255.255.255.0
default-router 20.20.20.20
ip dhcp pool v30
network 30.30.30.0 255.255.255.0
default-router 30.30.30.30
!
!
interface Loopback99
ip address 170.1.1.1 255.255.0.0
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 10
ip address 10.10.10.10 255.255.255.0
ip access-group 1 out
!
interface FastEthernet0/0.2
encapsulation dot1Q 20
ip address 20.20.20.20 255.255.255.0
ip access-group 2 out
!
interface FastEthernet0/0.3
encapsulation dot1Q 30
ip address 30.30.30.30 255.255.255.0
ip access-group 3 in
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
access-list 1 deny 20.20.20.0 0.0.0.255
access-list 1 deny 30.30.30.0 0.0.0.255
access-list 1 permit any
access-list 2 deny 30.30.30.0 0.0.0.255
access-list 2 deny 10.10.10.0 0.0.0.255
access-list 2 permit any
access-list 3 deny 10.10.10.0 0.0.0.255
access-list 3 deny 20.20.20.0 0.0.0.255
access-list 3 permit any
!
line con 0
line vty 0 4
login
!
end
Labels: Other Switching
11-23-2011 08:14 AM
Hello Dannan,
You are using standard access-lists, which look at the IP source address of packets only, regardless of the direction in which they are applied.
The way you write the ACLs makes them work the way you want only when applied outbound.
In addition to this, you have to take into account that packets that are locally generated on the router are not dropped by outbound ACLs.
If you use an extended ACL like
access-list 101 deny ip any 20.20.20.0 0.0.0.255
access-list 101 deny ip any 30.30.30.0 0.0.0.255
access-list 101 permit ip any any
this can be applied inbound on the first subinterface.
Notice that an extended ACL like the one above matches on source and destination addresses, so the IP subnets of the other two subinterfaces have been moved to the destination part.
Hope to help
Giuseppe
11-23-2011 10:12 AM
Hello Giuseppe,
thanks for your help.
11-23-2011 09:01 AM
Basically, it is the other way around.
If you apply an access list inbound, it filters traffic coming from end devices in that VLAN.
If you apply an access list outbound, it filters traffic going to end devices in that VLAN.
Define In, Out, Inbound, Outbound, Source, and Destination
The router uses the terms in, out, source, and destination as references. Traffic on the router can be compared to traffic on the highway. If you were a law enforcement officer in Pennsylvania and wanted to stop a truck going from Maryland to New York, the source of the truck is Maryland and the destination of the truck is New York. The roadblock could be applied at the Pennsylvania–New York border (out) or the Maryland–Pennsylvania border (in).
When you refer to a router, these terms have these meanings.
Out—Traffic that has already been through the router and leaves the interface. The source is where it has been, on the other side of the router, and the destination is where it goes.
In—Traffic that arrives on the interface and then goes through the router. The source is where it has been and the destination is where it goes, on the other side of the router.
Inbound —If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the criteria statements of the access list for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.
Outbound—If the access list is outbound, after the software receives and routes a packet to the outbound interface, the software checks the criteria statements of the access list for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.
The in ACL has a source on a segment of the interface to which it is applied and a destination off of any other interface. The out ACL has a source on a segment of any interface other than the interface to which it is applied and a destination off of the interface to which it is applied.
Here is the doc:
HTH
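To make the two answers above concrete (Giuseppe's point that a standard ACL matches only the source address, and Reza's definitions of in/out), here is an added example that is not part of the thread: a small Python model of how IOS applies access-groups, replaying the poster's ACLs 1, 2 and 3 inbound, then outbound, and then Giuseppe's extended ACL 101 inbound on the first subinterface. The subinterface names, the host addresses 10.10.10.5, 20.20.20.5 and the forwarding model are constructed for the demonstration; only the ACL entries are copied from the posts.

```python
# Added example (not from the thread): a toy model of how IOS applies
# access-groups, used to replay the original poster's scenarios.
# Subinterface names and host addresses below are constructed for the demo.
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def wc(network: str, wildcard: str) -> IPv4Net:
    """Turn an IOS 'network wildcard' pair into a prefix, e.g. 20.20.20.0 0.0.0.255."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return IPv4Net(f"{network}/{ipaddress.IPv4Address(mask)}", strict=False)


ANY = IPv4Net("0.0.0.0/0")


class Ace:
    """One access-list entry. dst is None for a standard ACL (source-only match)."""

    def __init__(self, action: str, src: IPv4Net, dst: Optional[IPv4Net] = None):
        self.action, self.src, self.dst = action, src, dst

    def matches(self, src: str, dst: str) -> bool:
        return ipaddress.IPv4Address(src) in self.src and (
            self.dst is None or ipaddress.IPv4Address(dst) in self.dst)


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


# The three standard ACLs exactly as posted (source-address match only).
ACL1 = [Ace("deny", wc("20.20.20.0", "0.0.0.255")), Ace("deny", wc("30.30.30.0", "0.0.0.255")), Ace("permit", ANY)]
ACL2 = [Ace("deny", wc("30.30.30.0", "0.0.0.255")), Ace("deny", wc("10.10.10.0", "0.0.0.255")), Ace("permit", ANY)]
ACL3 = [Ace("deny", wc("10.10.10.0", "0.0.0.255")), Ace("deny", wc("20.20.20.0", "0.0.0.255")), Ace("permit", ANY)]
# Giuseppe's extended ACL 101: the other subnets move to the destination field.
ACL101 = [Ace("deny", ANY, wc("20.20.20.0", "0.0.0.255")),
          Ace("deny", ANY, wc("30.30.30.0", "0.0.0.255")),
          Ace("permit", ANY, ANY)]

SUBIFS: Dict[str, IPv4Net] = {          # constructed names matching the posted config
    "Fa0/0.1": IPv4Net("10.10.10.0/24"),
    "Fa0/0.2": IPv4Net("20.20.20.0/24"),
    "Fa0/0.3": IPv4Net("30.30.30.0/24"),
}
STANDARD_IN = {"Fa0/0.1": ACL1, "Fa0/0.2": ACL2, "Fa0/0.3": ACL3}  # the attempt that failed
STANDARD_OUT = STANDARD_IN                                           # the same ACLs applied outbound
EXTENDED_IN = {"Fa0/0.1": ACL101}                                    # the suggested fix


def _lookup(addr: str) -> Optional[str]:
    """Connected-route lookup: which subinterface owns this address?"""
    ip = ipaddress.IPv4Address(addr)
    return next((name for name, net in SUBIFS.items() if ip in net), None)


def forward(src: str, dst: str, inbound: Dict[str, List[Ace]], outbound: Dict[str, List[Ace]],
            router_originated: bool = False) -> Tuple[str, Optional[str]]:
    """Replay one packet. Returns ("forwarded", egress) or ("dropped", where).
    The inbound ACL is checked on the subinterface the packet arrives on, the
    outbound ACL on the one it is routed out of. Packets the router generates
    itself never arrive on an interface and bypass the outbound ACL as well."""
    egress = _lookup(dst)
    if egress is None:
        return ("dropped", "no route")
    if router_originated:
        return ("forwarded", egress)
    ingress = _lookup(src)
    if ingress in inbound and evaluate(inbound[ingress], src, dst) == "deny":
        return ("dropped", f"{ingress} in")
    if egress in outbound and evaluate(outbound[egress], src, dst) == "deny":
        return ("dropped", f"{egress} out")
    return ("forwarded", egress)


if __name__ == "__main__":
    # A host on VLAN 20 sends to a host on VLAN 10 (constructed addresses).
    print(forward("20.20.20.5", "10.10.10.5", STANDARD_IN, {}))   # forwarded: ACL2 never names 20.x
    print(forward("20.20.20.5", "10.10.10.5", {}, STANDARD_OUT))  # dropped at Fa0/0.1 out
    print(forward("10.10.10.5", "20.20.20.5", EXTENDED_IN, {}))   # dropped at Fa0/0.1 in
```

Run through the model, the failed attempt is explained by the source-only match: a packet from 20.20.20.5 enters Fa0/0.2, where ACL 2 denies sources in 30.x and 10.x but never mentions 20.x, so "permit any" lets it through and nothing on the egress side looks at it. Applied outbound on Fa0/0.1, ACL 1 sees the same 20.x source and drops it. The model also shows a caveat with the suggested fix as written: ACL 101 inbound on Fa0/0.1 alone drops only what VLAN 10 sends toward the other two subnets, so a ping from VLAN 20 toward VLAN 10 is forwarded and only its reply is dropped; for isolation in both directions each subinterface needs its own extended ACL inbound.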
11-23-2011 09:46 AM
Hello Reza,
the original poster was using standard ACLs; however, you have provided plenty of useful information and links.
Best Regards
Giuseppe
