Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5608
Views
5
Helpful
6
Replies

Creating Access Lists in Multiple VLAN Interfaces

Go to solution
julito4589
Level 1
Level 1

‎12-11-2015 04:50 PM - edited ‎03-08-2019 03:04 AM

Hi,

I'm in the process of configuring a few VLANs in a WS-3650-48 switch. I'm a bit unsure about some of the logic that I'm using to create ACLs for in and out traffic in the VLAN interfaces.  

Assume:

int vlan 10

 ip address 192.168.100.0 255.255.255.0

int vlan 20

 ip address 192.168.200.0 255.255.255.0

Say, for example, that I need to allow host 192.168.100.5 from VLAN10 to the entire subnet configured VLAN20 on port 80.

If my requirements indicate that all interfaces must have an in and out ACL, how many rules should I create in this case? 

That is, a rule such as this:

ip access-list 101 permit host 192.168.100.5 192.168.200.0 0.0.0.255 eq www

could be applied to the OUT ACL in VLAN 10 and the IN ACL in VLAN 20.

But is this overkill, and could I just apply to the OUT ACL in VLAN10?

Consequently, would I have to create a rule that allows traffic back from 192.168.70.0/24 into 192.168.100.5?

It's likely that I will not have a permit all rule at the end of these ACLs so I have to be explicit about what I allow in and out in each VLAN. 

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Masoud Pourshabanian
VIP Alumni
VIP Alumni
In response to julito4589

‎12-14-2015 10:01 AM

That is correct. You can apply both IN and OUT on the same interface and switch inspects both inbound and outbound traffic against IN and OUT access-group.

However, you can manage to use only one direction.

I would say only OUT for interface VLAN. If you config only OUT on all interface VLANs, you will have the consistency(except Internet interface).

OUT mean traffic from interface VLAN to host. It means a host can goes out of interface VLAN(IN direction which is not configured) freely, but will be controlled when travelling from switch to  different VLAN (OUT)

In this way all traffic between VLANs will be controlled.

Just try to understand the OUT and IN direction.

Traffic from host to interface VLAN checks by IN access-list

Traffic from interface VLAN to host checks by OUT access-list .

int VLAN 10

ip address 192.168.100.0 255.255.255.0

ip access-group 101 OUT

Traffic from 192.168.100.0 goes out of interface VLAN 10 freely. ALL traffic from other sources comes to VLAN 10 will be checked against access-list 101

Looks like a parking lot :)

int VLAN 20

ip address 192.168.200.0 255.255.255.0

ip access-group 102 OUT

Similar to previous one

Hope it helps

Masoud

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Masoud Pourshabanian
VIP Alumni
VIP Alumni

‎12-11-2015 06:22 PM

Hello,

Your first question

ip access-list 101 permit host 192.168.100.5 192.168.200.0 0.0.0.255 eq www

int VLAN 10

ip address 192.168.100.0 255.255.255.0

ip access-group 101  IN  

int VLAN 20

IP access-group 101 out

ip address 192.168.200.0 255.255.255.0

If you only configure these access-groups above on your interfaces, you do not need to configure your second rule.

However, if you are going to configure below access-groups on your interfaces, you need to add rules for return traffic.(Your second access-list)

int VLAN 10

ip access-group 101 OUT

int VLAN 20

IP access-group 101 IN

General rules.

Traffic from host to interface VLAN checks by IN access-list

Traffic from interface VLAN to host checks by OUT access-list .

Hope it helps,

Masoud

0 Helpful

Go to solution
pgkool001
Level 1
Level 1
In response to Masoud Pourshabanian

‎12-13-2015 03:44 PM

If there are no access lists, is the default to permit all between VLANs or deny?

0 Helpful

Go to solution
Masoud Pourshabanian
VIP Alumni
VIP Alumni
In response to pgkool001

‎12-13-2015 04:01 PM

Hello,

If there are no access-groups configured on the interface, traffic is allowed.

Masoud

0 Helpful

Go to solution
julito4589
Level 1
Level 1
In response to Masoud Pourshabanian

‎12-14-2015 08:08 AM

Masoud,

Thanks for the reply. I know how to configure the ACLs so the work for each interface. In fact, in the configurations that I'm considering, VLAN 10 and VLAN 20 will have their own ACLs because there'll be some rules that apply to one and not the other. However, I still don't have clear what the most efficient method is to configure both in and out ACLs in the same VLAN. I know that the general configuration will be something like:

int VLAN 10

ip address 192.168.100.0 255.255.255.0

ip access-group 101  IN  

ip access-group 102 OUT

where access-list 102 will have all the rules for traffic that is allowed out of this interface. 

Likewise, VLAN20 would have its own ip access-group OUT statement to control the traffic allowed out in that interface. 

But given the requirement of IN and OUT ACLs at every interface, for every connection between two hosts, A and B,  that are in two different VLANs, I'm likely going to need to configure 4 rules. For example:

1. Allow host A OUT of its VLAN to connect to host B

2. Allow host A IN to the destination VLAN of host B

3. Allow host B OUT of its own VLAN for the return traffic back to the the VLAN of host A

4. Allow host B IN to the VLAN of host  A for return traffic.

This is going to add considerably to the number of ACLs that the switch will have to look through. It also will add to the complexity of the ACLs that I'll have to manage. 

Am I missing something here?

0 Helpful

Go to solution
Masoud Pourshabanian
VIP Alumni
VIP Alumni
In response to julito4589

‎12-14-2015 10:01 AM

That is correct. You can apply both IN and OUT on the same interface and switch inspects both inbound and outbound traffic against IN and OUT access-group.

However, you can manage to use only one direction.

I would say only OUT for interface VLAN. If you config only OUT on all interface VLANs, you will have the consistency(except Internet interface).

OUT mean traffic from interface VLAN to host. It means a host can goes out of interface VLAN(IN direction which is not configured) freely, but will be controlled when travelling from switch to  different VLAN (OUT)

In this way all traffic between VLANs will be controlled.

Just try to understand the OUT and IN direction.

Traffic from host to interface VLAN checks by IN access-list

Traffic from interface VLAN to host checks by OUT access-list .

int VLAN 10

ip address 192.168.100.0 255.255.255.0

ip access-group 101 OUT

Traffic from 192.168.100.0 goes out of interface VLAN 10 freely. ALL traffic from other sources comes to VLAN 10 will be checked against access-list 101

Looks like a parking lot :)

int VLAN 20

ip address 192.168.200.0 255.255.255.0

ip access-group 102 OUT

Similar to previous one

Hope it helps

Masoud

0 Helpful

Go to solution
Ganesh Hariharan
VIP Alumni
VIP Alumni

‎12-12-2015 07:04 AM

Hello,

With Access control list definition , you can follow a thumb rule to apply all near the source with in direction with immediate interface.

With IN direction first ACL is getting scanned first and then routing table comes in picture.

So , what happen when you apply OUT direction ACL under interface towards destination where packet leave the interface.

Here routing decision happens and then ACL is applied to get into destination end.

Hope it Helps..

-GI

Rate if it Helpss

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card