02-05-2017 09:53 PM - edited 03-08-2019 09:12 AM
Hi all,
I have a 3750E switch in routing mode, with 3 vlans.
I have 2 questions. I have created an ip access group "in", but for it to work I have to specify the subnet in the ACL rule; I would have thought it would be the other subnet coming "in".
If I am not making myself clear, sorry; here is what works and what doesn't.
This code works:
ip address 172.16.1.1 255.255.255.0
ip access-group ACL2010 in
ip access-list extended ACL2010
permit ip 172.16.1.0 0.0.0.255 any
This is what I think it should be (but doesn't work):
ip address 172.16.1.1 255.255.255.0
ip access-group ACL2010 in
ip access-list extended ACL2010
permit ip 192.168.10.0 0.0.0.255 any
Now my second question is, I have a static route to an ASA on vlan 300. However, when I install a PC in this subnet, I do not need any ACL rules, everything flows between both the 192 and 172.16 going to and from the 172.31 even though I haven't defined any rules. Why is this?
Full Config (working):
interface Vlan100
description DMZ
ip address 172.16.1.1 255.255.255.0
ip access-group ACL2010 in
!
interface Vlan200
description Inside
ip address 192.168.10.1 255.255.255.0
ip access-group ACL1020 in
!
interface Vlan300
description ASA Vlan
ip address 172.31.0.6 255.255.255.248
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.31.0.1
!
ip http server
ip http secure-server
!
ip access-list extended ACL1020
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended ACL2010
permit ip 172.16.1.0 0.0.0.255 any
!
02-06-2017 12:30 AM
Hello,
the confusion might come from the fact that 'in' and 'out' do not refer to source and destination, but to the inbound and outbound interface on the router.
So, 'in' traffic is traffic that has arrived on the interface on which the access list is applied, and, if a match is found, is then permitted to go through the router.
'Out' traffic is traffic that has already passed through the router, and that is leaving the interface on which the access list has been applied.
ip address 172.16.1.1 255.255.255.0
ip access-group ACL2010 in
ip access-list extended ACL2010
permit ip 172.16.1.0 0.0.0.255 any
--> This allows all traffic sourced from 172.16.1.0/24 to anywhere. It is the same as having no access list at all configured.
ip address 172.16.1.1 255.255.255.0
ip access-group ACL2010 in
ip access-list extended ACL2010
permit ip 192.168.10.0 0.0.0.255 any
--> This denies all traffic (due to the implicit 'deny'). If you want to restrict the access to and from only 192.168.10.0/24, you need this:
ip address 172.16.1.1 255.255.255.0
ip access-group ACL2010 in
ip access-list extended ACL2010
permit ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip any any
ip access-list extended ACL1020
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended ACL2010
permit ip 172.16.1.0 0.0.0.255 any
--> the same applies here. The access lists allow everything, and are the same as no access list at all.
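As an added illustration (not part of the thread, and not IOS code): a small Python model of how an inbound extended ACL is evaluated, with wildcard masks, first-match semantics and the implicit deny, run over the three ACL2010 variants quoted above. The sample packets (172.16.1.10 to 192.168.10.20 and to 8.8.8.8) are constructed for the example.

```python
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _parse_term(tokens, i):
    """Parse 'any' or 'ADDR WILDCARD'; return ((addr, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    return (_to_int(tokens[i]), _to_int(tokens[i + 1])), i + 2

def _term_matches(term, ip):
    addr, wild = term
    care = ~wild & 0xFFFFFFFF  # wildcard 1-bits are "don't care" bits
    return (addr & care) == (ip & care)

def parse_acl(text):
    """Turn 'permit|deny ip SRC DST' lines into an ordered list of ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # skip an 'ip access-list extended ...' header line
        src, i = _parse_term(tok, 2)
        dst, _ = _parse_term(tok, i)
        aces.append((tok[0], src, dst))
    return aces

def evaluate(aces, src_ip, dst_ip):
    """First matching entry wins; no match at all is the implicit deny."""
    s, d = _to_int(src_ip), _to_int(dst_ip)
    for action, src, dst in aces:
        if _term_matches(src, s) and _term_matches(dst, d):
            return action
    return "deny"

# The three ACL2010 variants quoted in the post, applied 'in' on Vlan100.
ACL_WORKS = "permit ip 172.16.1.0 0.0.0.255 any"
ACL_BROKEN = "permit ip 192.168.10.0 0.0.0.255 any"  # only a spoofed source could match
ACL_RESTRICTED = "permit ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255\ndeny ip any any"

def vlan100_inbound_decisions(acl_text):
    """Constructed packets entering Vlan100 from a DMZ host (addresses assumed)."""
    aces = parse_acl(acl_text)
    return {
        "dmz->inside": evaluate(aces, "172.16.1.10", "192.168.10.20"),
        "dmz->internet": evaluate(aces, "172.16.1.10", "8.8.8.8"),
    }
```

Running the three through the model shows that the second ACL matches nothing a DMZ host can legitimately send inbound on Vlan100, so the implicit deny drops all of it.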
02-06-2017 02:13 PM
Thank you, this makes sense. Which is why the vlan300 works with no issues, because by default it's allowed.
So this means, that if something other than 192.x is attempting to come through to the port interface it will be blocked right? So as soon as I had set that ACL, only what is permitted on the ACL is allowed - even if I am not using the switch as the gateway?
Say I have 2 machines on the same vlan 100 and they are 10.x.x.x (they don't route via any gateway on the switch, but they communicate on ports on the switch); these would be blocked then?
02-06-2017 03:06 PM
Hello Matt,
exactly. The access list has an implicit deny, so whatever you do not specifically allow will be denied.
Two machines on the same Vlan will always be able to communicate, since traffic between them would not flow through the layer 3 Vlan interface. If you want to filter traffic between hosts on the same Vlan, you need a VLAN Access List (VACL). The link below gives you an example of how it works.
https://networklessons.com/cisco/ccie-routing-switching/vlan-access-list-vacl/