How ACL works

I have a Layer 3 VLAN created in the switch and also an ACL is bound to it.

Issue: I tried to telnet to the host which is connected to the same VLAN from the switch (the source is the switch and the destination is a host connected to the same VLAN). Will it check the ACL bound to the VLAN?

Observation:

When I telnetted to the destination from the switch with the ACL, it failed.

After removing the ACL it went through.

Source IP: 10.242.3.1 (interface IP created in the switch)

Destination IP: 10.242.3.97

Additional information

Please find the VLAN details:

interface Vlan10
 description CISCO
 ip address 10.242.3.1 255.255.255.0
 ip access-group ACL in
 ip helper-address 10.242.25.11
 ip helper-address 10.242.25.14
 no ip redirects
 no ip unreachables
 no ip proxy-arp
end

10 Replies

cadet alain
VIP Alumni

Hi,

No, it won't, as traffic sourced from the switch is going outbound, not inbound. Furthermore, if the ACL were outbound it wouldn't match traffic generated by the switch (outbound ACLs only match forwarded traffic).

Regards.

Alain

Don't forget to rate helpful posts.


I agree with your point, but when the packet is returned from the host to the switch, will it check the ACL? This is my question.

Please find the hits in the ACL which we enabled for testing purposes (this suggests it is checking the ACL):

Extended IP access list VLAN-RESTRIC-EXCEP
    5 permit tcp host 10.242.3.97 host 10.242.3.1 (24 matches)

Hi,

Yes, in this case of course the host traffic will hit the VLAN interface inbound, so if you applied your second ACL inbound this is normal.

Regards.

Alain

Don't forget to rate helpful posts.

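The direction semantics Alain describes in these two replies (packets the switch itself sources bypass the SVI's inbound ACL, while the host's replies do hit it, and fall to the implicit deny if nothing permits them), as an added model that is not part of the thread. The ICMP-only ACL is a constructed stand-in for the poster's unnamed original ACL, and the ephemeral port is a constructed value; the addresses and the quoted permit line are from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional
SVI_ADDR = "10.242.3.1"  # interface Vlan10 address from the thread

@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "icmp"
    src: str                    # host address, or "any"
    dst: str                    # host address, or "any"
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))

def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False

def inbound_check(acl: List[Ace], pkt: Packet) -> bool:
    """'ip access-group ACL in' only sees packets arriving from the VLAN; switch-sourced ones bypass it."""
    if pkt.src == SVI_ADDR:
        return True
    return acl_permits(acl, pkt)

def switch_session_succeeds(acl: List[Ace], proto: str, host: str,
                            dport: Optional[int] = None) -> bool:
    """A session sourced from the SVI works only if the host's reply is permitted inbound."""
    request = Packet(proto, SVI_ADDR, host, dport)
    # TCP replies target the switch's ephemeral port; 49152 is a constructed value.
    reply = Packet(proto, host, SVI_ADDR, 49152 if proto == "tcp" else None)
    return inbound_check(acl, request) and inbound_check(acl, reply)

# Constructed stand-in for the unnamed ACL under which ping worked but RDP did not:
# ICMP replies are permitted, TCP replies fall through to the implicit deny.
ACL_ICMP_ONLY = [Ace("permit", "icmp", "any", SVI_ADDR)]
# The line the poster added ("5 permit tcp host 10.242.3.97 host 10.242.3.1").
ACL_WITH_EXCEPTION = [Ace("permit", "tcp", "10.242.3.97", SVI_ADDR)] + ACL_ICMP_ONLY
```

Running `switch_session_succeeds` with each ACL for ICMP and for TCP port 3389 reproduces the thread's symptom: the outbound SYN is never evaluated, but the SYN/ACK from 10.242.3.97 is dropped until the permit line exists.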

However, when I don't enable the ACL I am able to ping the host from the switch but not able to telnet on the requested port.

Please explain this.

Hi,

Telnet from which device to which device, and on which port?

Regards.

Alain

Don't forget to rate helpful posts.


Source IP: 10.242.3.1 (L3 interface created in the switch)

Destination IP: 10.242.3.97 (remote PC)

Port: TCP 3389

I did the telnet from the switch.

Hi,

So you apply this ACL inbound on VLAN10:

Extended IP access list VLAN-RESTRIC-EXCEP
    5 permit tcp host 10.242.3.97 host 10.242.3.1

and pinging this host is OK but not the telnet, right?

Regards.

Alain

Don't forget to rate helpful posts.


Nope..

Initially there was no ACL related to this source, and during that time I was able to ping but not able to telnet. Then I added this ACL to check whether the problem could be with the ACL, so I applied this line (5 permit tcp host 10.242.3.97 host 10.242.3.1), after which I was able to telnet.

Hi,

OK, so what was the ACL applied to the interface when the ping was working but not the telnet to the RDP port?

Regards.

Alain

Don't forget to rate helpful posts.


Zubair.Sayed_2
Level 1

Can you paste the config of the actual ACL, VLAN-RESTRIC-EXCEP?
