Inter vlan ACL

rballester1
Level 1

Hello

 

I need two things:

  • deny traffic from other VLANs to 13 and 14. (OK)
  • permit traffic between VLANs 13 and 14.

I get the first point, but I can't see computers between VLANs 13 and 14.

This is my configuration:

!
interface Vlan11
 ip address 30.20.12.1 255.255.255.0
!
interface Vlan12
 description *** vlan with internet access ***
 ip address 30.20.20.1 255.255.255.0
!
interface Vlan13
 description *** Switch vlan ****
 ip address 192.168.31.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan14
 description *** network admin ***
 ip address 30.30.30.1 255.255.255.0
 ip access-group 101 in
!
access-list 100 permit ip 30.30.30.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 101 permit ip 192.168.31.0 0.0.0.255 30.30.30.0 0.0.0.255
!

I know other ways, but I want to avoid making access lists that need modifications whenever I add a new VLAN interface, and I want to filter only incoming traffic to VLANs 13 and 14, not outgoing traffic on each VLAN. I need the "best practice" for this scenario.

Best regards!!!

Accepted Solution

Using a router ACL on an SVI is a little tricky.

  • If it's INBOUND ("ip access-group ACL out"), then it means "It's going OUT TO the VLAN access ports."
  • If it's OUTBOUND ("ip access-group ACL in"), then it means "It's going AWAY from the VLAN."

In your case, just change "in" to "out" for both of your interfaces. Your problem will be solved.

!
interface Vlan13
 description *** Switch vlan ****
 ip address 192.168.31.1 255.255.255.0
 ip access-group 100 OUT
!
interface Vlan14
 description *** network admin ***
 ip address 30.30.30.1 255.255.255.0
 ip access-group 101 OUT
!

Anyway, using a VLAN ACL is a more efficient way.

 

Rgrds
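The direction semantics in the accepted answer, as an added example that is not part of the thread: a small Python model of a numbered extended IP ACL bound "in" or "out" on an SVI, run against the poster's ACL 100/101 and VLAN addressing (only `access-list N permit|deny ip SRC WILDCARD DST WILDCARD` entries are understood; the packets are constructed).

```python
import ipaddress

# Added example, not from the thread: model of SVI ACL direction using the
# poster's ACL 100/101. Only 'access-list N permit|deny ip SRC DST' ACEs parse.

def _spec(tok, i):
    """Read one 'any' or 'ADDR WILDCARD' address spec starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    wc = int(ipaddress.IPv4Address(tok[i + 1]))
    if wc != (1 << wc.bit_length()) - 1:  # IOS wants a wildcard, not a subnet mask
        raise ValueError(f"non-contiguous wildcard {tok[i + 1]}")
    net = ipaddress.ip_network(f"{tok[i]}/{32 - wc.bit_length()}", strict=False)
    return net, i + 2

def parse_acl(lines):
    """-> [(action, src_net, dst_net)] in the order the ACEs were written."""
    entries = []
    for line in lines:
        tok = line.split()
        src, i = _spec(tok, 4)            # tok[2] = permit/deny, tok[3] = 'ip'
        dst, i = _spec(tok, i)
        entries.append((tok[2], src, dst))
    return entries

def acl_verdict(entries, src, dst):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in entries:
        if src in s_net and dst in d_net:
            return action
    return "deny"

def route_between_svis(svis, src, dst):
    """svis: {name: (network, acl_entries, 'in'|'out')}. 'in' on an SVI sees
    packets leaving that VLAN's hosts; 'out' sees packets routed into it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net, acl, direction in svis.values():
        applies = (direction == "in" and s in net) or (direction == "out" and d in net)
        if acl and applies and acl_verdict(acl, src, dst) == "deny":
            return "deny"
    return "permit"

def thread_topology(direction):
    """The poster's SVIs with ACL 100/101 bound in the given direction."""
    acl100 = parse_acl(["access-list 100 permit ip 30.30.30.0 0.0.0.255 192.168.31.0 0.0.0.255"])
    acl101 = parse_acl(["access-list 101 permit ip 192.168.31.0 0.0.0.255 30.30.30.0 0.0.0.255"])
    n = ipaddress.ip_network
    return {"Vlan11": (n("30.20.12.0/24"), None, "in"),
            "Vlan13": (n("192.168.31.0/24"), acl100, direction),
            "Vlan14": (n("30.30.30.0/24"), acl101, direction)}
```

With the ACLs bound "in", a packet from VLAN 13 to VLAN 14 is checked against ACL 100 on entry, matches nothing and hits the implicit deny; bound "out", the same packet is checked against ACL 101 on its way into VLAN 14 and is permitted, while traffic from VLAN 11 into VLAN 13 is still dropped.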

4 Replies

Carlos de Armas
Level 1

I think your best bet is to deny the traffic before it's processed by the router, so you save CPU resources by denying it on the inbound side of VLANs 11 and 12:

interface Vlan11
 ip address 30.20.12.1 255.255.255.0
 ip access-group 100 in

interface Vlan12
 ip address 30.20.20.1 255.255.255.0
 ip access-group 101 in

interface Vlan13
 ip address 192.168.31.1 255.255.255.0

interface Vlan14
 ip address 30.30.30.1 255.255.255.0

! extended ACLs take the network address plus a wildcard mask, not a subnet mask
access-list 100 deny ip 30.20.12.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 100 deny ip 30.20.12.0 0.0.0.255 30.30.30.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny ip 30.20.20.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 101 deny ip 30.20.20.0 0.0.0.255 30.30.30.0 0.0.0.255
access-list 101 permit ip any any


rballester1
Level 1

Thanks Houtan H Larijani, I solved the issue. As you say, "just change in by out". Now I am going to try to understand why inbound traffic is the out ACL and vice versa.

One more question:

Is this solution the least CPU-costly one?

 

regards

CPU usage is directly related to your ACL size and where it's going to be processed.

Most ACL features are processed in hardware, but some features are processed in software; based on the supervisor model you have, you need to check whether any of these apply.

Anyway, this is usually negligible for a switch with low utilization.

 

Rgrds
