Thanks Edison,

Therefore If I append the log cmd at the end of each access-list would this force process to the hardware and therefore increment the counters?

Are L3 ACL best to be used here, or would I use VACL? Is there any reson for this?

Thanks

Hi John,

Yes we can do with the help of ACL.

just as an example:block traffic between vlan 5 and vlan 8

access-list testacl deny ip 10.58.5.0 0.0.0.255 10.58.8.0 0.0.0.255
access-list testacl permit every


and to apply the ACL, I used the following:

interface vlan 5
ip access-group testacl

Regards

Please rate if it helps.

Thanks I guess you would apply this acl inbound.

But with the acl above which I have used there is a firewall which is vlan 1 and has a static route pointing toward the switch which has vlan 15 connected. The access list should block all internet traffic as there is no acl to permit this. But I can still access the internet?

Hi John,

ACL in switches/routers will not have explicit deny @ the end like the firewall. You have to specify it else it will go through as far as i know.

You can put a VACL to achive what you are looking for. You can permit the specific IP's that needs to access the other VLAN's and deny rest other traffic that goes through the other VLAN. Lets say..

10.16.30.0 - VLAN 50

192.168.15.0 - VLAN 1

So you want one host from 10.16.30.100 alone needs to get communicate with vlan 1 then you can put like this.

10 permit ip host 10.16.30.100 host 192.168.15.0 0.0.0.255

20 deny ip 10.16.30.0 0.0.0.255 192.168.15.0 0.0.0.255

30 permit ip any any

!

So it will allow only the access to 192.168.15.0 vlan 1 from the host 10.16.30.100 in vlan 50... rest all other trafficx from vlan 50 to vlan 1 will get denied and all other traffic will be permitted.

Please do rate if the given information helps.

By

Karthik

Hi Karthikeyan,

I'm sure the basic of Cisco acl from my ccna days was that every acl has an explict deny at the end, do you have any papers where it says otherwise as this is a big problem.

I understand I could VACL but, I don't really want to change the entire network to VACL is I can you acl.

I inital concern was that the acl had no hit counters, I therefore applied the log cmd at the end so it would need to be processed by the software.

But with the above ACL i have used, I still seem to have traffic from the internet which is passed down by the firewall enter the vlan? I mean the firewall is on a native vlan which just has static routes to the L3 switch which holds both vlans.

Hello John,

Every ACL has an implicit (i.e. invisible but still present) deny any at its end, regardless of whether it is an ACL defined on switches or on routers. In other words, what is not allowed explicitly (i.e. by a manually entered ACL entry). Karthik was somewhat unclear in what he wrote: he indicated that no ACLs have explicit (i.e. visible) deny statements automatically added in their end, which is correct. However, he also suggested that it is the reason why the traffic will go through, and this is incorrect.

However, your ACL should indeed not allow traffic other than what is explicitly permitted. How do you know that internet traffic is passing into your VLAN? Is it possible that the internet traffic is already being permitted by some ACL entries? Remember that it may be translated into private IP address space, and you have several entries in your ACL permitting selected privately addresses IP traffic.

Best regards,

Peter

Hi Peter,

Thank you for the above.

The setup I have is one asa5505 which has the following ip:

Inside:192.168.15.253

WAN: XXX.XXX.XXX.XXX

Both subnets can are allowed to be natted towards the internet.

There is static route to say if the 10 subnet wants to be reached it needs to push packets toward the L3 switch:

route inside 10.16.30.0/24 pointing towards 192.168.15.254

The L3 Switch then has the following IP address:

Vlan 1 IP: 192.168.15.254

Vlan 50 IP: 10.16.30.254

Default route to pointing toward the firewall ip 192.168.15.253.

The access-list is applied inbound to vlan 50.

As I don't have permit ip any any at the end of the acl, my understanding is when from a workstation on vlan 50 wants to acccess the internet. its src will be the 10 range ip and dest will be an www.cisco.com. Therefore the 1st packet will get out on the internet but, when the firewalls send the packet back then the packet should reach the L3 switch and before any packets entering (inbound acl) into vlan 50 it should go though the acl and be blocked. At this moment the src would be www.cisco.com and des would the workstation on vlan 50.

On my acl I don't have a entry which permits src any dest vlan 50. Unless, as the acl 1st allowed the packet it will therefore also allow the return packet through. But I'm sure this is highly unlikely.

This is really strange unless I'm missing something, its allmost like acl aren't really coming into action.

Hi John,

before any packets entering (inbound acl) into vlan 50 it should go though the acl and be blocked.

You are probably confusing the ACL directions.

Remember that the interface VLAN is a virtual interface of the "router" inside your multilayer switch. Traffic inbound to interface VLAN 50 is the traffic that originated or traverses VLAN 50 and is going to be routed elsewhere. Traffic outbound to interface VLAN 50 is the traffic that came from other VLANs and is sent into VLAN 50. Does this make sense?

Following this logic, your ACL placed on interface VLAN 50 in the inbound direction controls the traffic that actually exits the VLAN 50 and goes out to the internet. The return traffic from internet towards VLAN 50 is outbound from interface VLAN 50, and you have no ACL in the outbound direction to filter the communication with internet.

Best regards,

Peter

Hi Peter,

Remember that the interface VLAN is a virtual interface of the "router" inside your multilayer switch. Traffic inbound to interface VLAN 50 is the traffic that originated or traverses VLAN 50 and is going to be routed elsewhere.

Understood, traffic being routed to another vlan i.e. vlan 1 or being pushed towards the default gateway.

Traffic outbound to interface VLAN 50 is the traffic that came from other VLANs and is sent into VLAN 50. Does this make sense?

See, I see this has traffic inbound because traffic is sent into vlan 50, but this time the traffic did not originate on vlan 50, is this what your trying to mean?

My understanding of inbound is when traffic enters an interface which is from the outside and outbound is when traffic leaves an interface. With this in mind, the acl should be checked and the traffic from the internet enters into vlan 50 from from vlan 1.

Please correct me if I'm wrong, really apperciate your help.

Hi John,

See, I see this has traffic inbound because traffic is sent into vlan  50, but this time the traffic did not originate on vlan 50, is this what  your trying to mean?

I am sorry - I do not understand this question. Perhaps you could rephrase it differently.

My understanding of inbound is when traffic enters an interface which is  from the outside and outbound is when traffic leaves an interface.

This seems to be correct. For VLAN 50, traffic that was sent by stations in VLAN 50 and addressed to destinations in a different network is inbound to interface VLAN 50. The traffic flowing in the opposite direction (e.g. the responses to requests sent from within VLAN 50) is outbound from interface VLAN 50.

With this in mind, the acl should be checked and the traffic from the internet enters into vlan 50 from from vlan 1.

Well, if internet traffic comes into interface VLAN 1 and is routed out interface VLAN 50, it is inbound to interface VLAN 1 and outbound from interface VLAN 50, right? You have yourself indicated that your ACL is placed in the inbound direction on the interface VLAN 50. That means that it filters requests going to internet but it does not apply to flows from the internet back to VLAN 50. And because your ACL contains lines as

70 permit udp 10.16.30.0 0.0.0.255 any eq domain

80 permit tcp 10.16.30.0 0.0.0.255 any eq domain

90 permit tcp 10.16.30.0 0.0.0.255 any eq www

95 permit tcp 10.16.30.0 0.0.0.255 any eq 443

100 permit icmp 10.16.30.0 0.0.0.255 any

the VLAN 50 can access the DNS, HTTP and HTTPS services anywhere on the internet. Responses from these services are not filtered because there is no outbound ACL on interface VLAN 50.

Best regards,

Peter

My understanding of inbound is when traffic enters an interface which is  from the outside and outbound is when traffic leaves an interface.
This seems to be correct. For VLAN 50, traffic that was sent by stations in VLAN 50 and addressed to destinations in a different network is inbound to interface VLAN 50. The traffic flowing in the opposite direction (e.g. the responses to requests sent from within VLAN 50) is outbound from interface VLAN 50.
With this in mind, the acl should be checked and the traffic from the internet enters into vlan 50 from from vlan 1.
Well, if internet traffic comes into interface VLAN 1 and is  AA* routed out interface VLAN 50, it is inbound to interface VLAN 1 and AB* outbound from interface VLAN 50, right? You have yourself indicated that your ACL is placed in the inbound direction on the interface VLAN 50. That means that it filters requests going to internet but it does not apply to flows from the internet back to VLAN 50. And because your ACL contains lines as
70 permit udp 10.16.30.0 0.0.0.255 any eq domain
80 permit tcp 10.16.30.0 0.0.0.255 any eq domain
90 permit tcp 10.16.30.0 0.0.0.255 any eq www
95 permit tcp 10.16.30.0 0.0.0.255 any eq 443
100 permit icmp 10.16.30.0 0.0.0.255 any
the VLAN 50 can access the DNS, HTTP and HTTPS services anywhere on the internet. Responses from these services are not filtered because there is no outbound ACL on interface VLAN 50.
Best regards,
Peter

Hi Peter,

I have made marks on your text and replied:

AA* When I read your reply at the point of AA* traffic enters VLAN 50 from VLAN 1 therefore as the acl in inbound it should apply.

AB* I would see this as inbound to vlan 1 and then when routed also inbound to vlan 50 and then outbound to vlan 50.

My concern is at the point on when the packets are being routed the acl should apply. I think when the routing takes place as the packet is already within the router/switch the acl does not apply. Whereas I think it should do when the switch looks at the routing table and pushes each packet to vlan 50. I guess I need to think of the acl as being applied to a physical/sub interface not a SVI, which is maybe where I'm going wrong. If I place myself right in the middle of the switch then your reply becomes true.

Would you agree with the above?