12-11-2015 04:50 PM - edited 03-08-2019 03:04 AM
Hi,
I'm in the process of configuring a few VLANs in a WS-3650-48 switch. I'm a bit unsure about some of the logic that I'm using to create ACLs for in and out traffic in the VLAN interfaces.
Assume:
int vlan 10
ip address 192.168.100.1 255.255.255.0
int vlan 20
ip address 192.168.200.1 255.255.255.0
Say, for example, that I need to allow host 192.168.100.5 from VLAN10 to the entire subnet configured VLAN20 on port 80.
If my requirements indicate that all interfaces must have an in and out ACL, how many rules should I create in this case?
That is, a rule such as this:
access-list 101 permit tcp host 192.168.100.5 192.168.200.0 0.0.0.255 eq www
could be applied to the OUT ACL in VLAN 10 and the IN ACL in VLAN 20.
But is this overkill, and could I just apply to the OUT ACL in VLAN10?
Consequently, would I have to create a rule that allows traffic back from 192.168.70.0/24 into 192.168.100.5?
It's likely that I will not have a permit all rule at the end of these ACLs so I have to be explicit about what I allow in and out in each VLAN.
Thanks
12-14-2015 10:01 AM
That is correct. You can apply both IN and OUT on the same interface, and the switch inspects both inbound and outbound traffic against the IN and OUT access-groups.
However, you can manage to use only one direction.
I would say only OUT for interface VLANs. If you configure only OUT on all interface VLANs, you will have consistency (except for the Internet interface).
OUT means traffic from the interface VLAN to the host. It means a host can go out of its interface VLAN (the IN direction, which is not configured) freely, but will be controlled when travelling from the switch to a different VLAN (OUT).
In this way all traffic between VLANs will be controlled.
Just try to understand the OUT and IN directions:
Traffic from host to interface VLAN is checked by the IN access-list.
Traffic from interface VLAN to host is checked by the OUT access-list.
int VLAN 10
ip address 192.168.100.1 255.255.255.0
ip access-group 101 OUT
Traffic from 192.168.100.0 goes out of interface VLAN 10 freely. All traffic from other sources coming to VLAN 10 will be checked against access-list 101.
Looks like a parking lot :)
int VLAN 20
ip address 192.168.200.1 255.255.255.0
ip access-group 102 OUT
Similar to the previous one.
Hope it helps
Masoud
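As an added illustration (not configuration from this thread or from Cisco), here is a small Python model of the evaluation order Masoud describes: the ingress SVI's IN access-group, then routing, then the egress SVI's OUT access-group, with stateless first-match rules and an implicit deny. It builds the OUT-only design from the accepted answer and shows that the return traffic needs its own permit on VLAN 10's OUT ACL (modelled here with an 'established'-style match); the host 192.168.200.7 and the port numbers are constructed for the example.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional
# Constructed model of stateless, first-match ACLs on SVIs (added example, not the thread's config).
@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: str                     # CIDR, e.g. "192.168.100.5/32"
    dst: str
    dport: Optional[int] = None  # destination port; None matches any port
    established: bool = False    # like IOS 'established': only TCP segments with ACK/RST set

# ack=True marks reply segments of a session that is already open.
Packet = namedtuple("Packet", "proto src dst dport ack", defaults=(False,))
# acl_in = 'ip access-group X in' (host -> SVI); acl_out = '... out' (SVI -> host); None = none applied.
Svi = namedtuple("Svi", "subnet acl_in acl_out", defaults=(None, None))

def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto) and in_net(pkt.src, rule.src)
            and in_net(pkt.dst, rule.dst) and rule.dport in (None, pkt.dport)
            and (not rule.established or (pkt.proto == "tcp" and pkt.ack)))

def acl_permits(acl: Optional[List[Rule]], pkt: Packet) -> bool:
    if acl is None:              # no access-group on the interface: traffic is allowed
        return True
    for rule in acl:             # first match wins; implicit deny at the end of every ACL
        if matches(rule, pkt):
            return rule.action == "permit"
    return False

def forward(svis: List[Svi], pkt: Packet) -> bool:
    # Ingress SVI IN ACL, then the routing decision, then egress SVI OUT ACL.
    ingress = next(s for s in svis if in_net(pkt.src, s.subnet))
    egress = next(s for s in svis if in_net(pkt.dst, s.subnet))
    return acl_permits(ingress.acl_in, pkt) and acl_permits(egress.acl_out, pkt)

# OUT-only design from the accepted answer: VLAN 20's OUT ACL admits the HTTP request,
# VLAN 10's OUT ACL admits only replies to sessions that 192.168.100.5 opened.
ACL_102 = [Rule("permit", "tcp", "192.168.100.5/32", "192.168.200.0/24", dport=80)]
ACL_101 = [Rule("permit", "tcp", "192.168.200.0/24", "192.168.100.5/32", established=True)]
SVIS = [Svi("192.168.100.0/24", acl_out=ACL_101), Svi("192.168.200.0/24", acl_out=ACL_102)]
REQUEST = Packet("tcp", "192.168.100.5", "192.168.200.7", 80)             # constructed sample traffic
REPLY = Packet("tcp", "192.168.200.7", "192.168.100.5", 51234, ack=True)
NEW_FROM_20 = Packet("tcp", "192.168.200.7", "192.168.100.5", 22)         # fresh SYN from VLAN 20
```

Swapping the same ACL to IN on VLAN 10 and OUT on VLAN 20 (the first layout in Masoud's earlier reply) lets REPLY through with no extra rule, but also leaves NEW_FROM_20 completely unchecked.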
12-11-2015 06:22 PM
Hello,
Your first question
access-list 101 permit tcp host 192.168.100.5 192.168.200.0 0.0.0.255 eq www
int VLAN 10
ip address 192.168.100.1 255.255.255.0
ip access-group 101 IN
int VLAN 20
ip address 192.168.200.1 255.255.255.0
ip access-group 101 OUT
If you only configure the access-groups above on your interfaces, you do not need to configure your second rule.
However, if you are going to configure the access-groups below on your interfaces, you need to add rules for the return traffic (your second access-list).
int VLAN 10
ip access-group 101 OUT
int VLAN 20
ip access-group 101 IN
General rules:
Traffic from host to interface VLAN is checked by the IN access-list.
Traffic from interface VLAN to host is checked by the OUT access-list.
Hope it helps,
Masoud
12-13-2015 03:44 PM
If there are no access lists, is the default to permit all between VLANs or deny?
12-13-2015 04:01 PM
Hello,
If there are no access-groups configured on the interface, traffic is allowed.
Masoud
12-14-2015 08:08 AM
Masoud,
Thanks for the reply. I know how to configure the ACLs so the work for each interface. In fact, in the configurations that I'm considering, VLAN 10 and VLAN 20 will have their own ACLs because there'll be some rules that apply to one and not the other. However, I still don't have clear what the most efficient method is to configure both in and out ACLs in the same VLAN. I know that the general configuration will be something like:
int VLAN 10
ip address 192.168.100.0 255.255.255.0
ip access-group 101 IN
ip access-group 102 OUT
where access-list 102 will have all the rules for traffic that is allowed out of this interface.
Likewise, VLAN20 would have its own ip access-group OUT statement to control the traffic allowed out in that interface.
But given the requirement of IN and OUT ACLs at every interface, for every connection between two hosts, A and B, that are in two different VLANs, I'm likely going to need to configure 4 rules. For example:
1. Allow host A OUT of its VLAN to connect to host B
2. Allow host A IN to the destination VLAN of host B
3. Allow host B OUT of its own VLAN for the return traffic back to the VLAN of host A
4. Allow host B IN to the VLAN of host A for return traffic.
This is going to add considerably to the number of ACLs that the switch will have to look through. It also will add to the complexity of the ACLs that I'll have to manage.
Am I missing something here?
12-12-2015 07:04 AM
Hello,
With access control lists, you can follow a rule of thumb: apply everything near the source, in the IN direction, on the immediate interface.
With the IN direction the ACL is scanned first, and then the routing table comes into the picture.
So, what happens when you apply an OUT-direction ACL on the interface towards the destination, where the packet leaves the interface?
Here the routing decision happens first, and then the ACL is applied before the packet gets to the destination end.
Hope it helps..
-GI
Rate if it helps