07-24-2024 11:30 PM
Hello,
Can anyone help me better understand traffic direction on a physical interface and a VLAN interface?
Scenario 1:
Router interface g0/1 is connected to the LAN, and interface g0/2 is connected to the INTERNET. When I assign an output QoS policy on interface g0/2, which one will be the source?
Scenario 2:
I have VLAN 100 with subnet 10.7.100.0/24 and I want to apply access-group IN on this VLAN. When creating the extended access list, should I enter permit ip 10.7.100.0 0.0.0.255 any, or permit ip any 10.7.100.0 0.0.0.255, for example?
07-25-2024 06:29 AM - edited 07-25-2024 06:30 AM
Hmm, so far none of the replies appear to answer your specific questions.
For scenario 1, source would be LAN IPs.
For scenario 2,
permit ip 10.7.100.0 0.0.0.255 any
07-24-2024 11:48 PM
Check from my notes:
IN: any packet coming into the router is considered inbound.
OUT: any packet going out of the router is considered outbound.
In ACLs, we usually apply it at the interface:
any packet entering the interface is considered inbound by the ACL.
any packet leaving the interface is considered outbound by the ACL.
07-25-2024 04:38 AM - edited 07-25-2024 06:14 AM
@balaji.bandi is correct.
For SVIs, think of OUT as toward VLAN's subnet IPs and IN as from VLAN's subnet IPs.
Or, think of a L2 switch connected to a router. IN and OUT would be the same as for router's physical interface.
07-25-2024 05:30 AM - edited 07-25-2024 06:08 AM
BTW, what @MHM Cisco World is showing is correct.
07-25-2024 05:32 AM - edited 07-25-2024 06:31 AM
Thanks
MHM
07-25-2024 06:07 AM - edited 07-25-2024 11:57 AM
@MHM Cisco World wrote:
It is for an SVI ACL, not for a physical interface.
Please be sure again before answering.
MHM
Yup, it's I who had it backwards!
Corrected my other replies.
Thank you.
PS:
BTW, do try to be sure of my replies, but I do get it wrong, occasionally. One nice thing about these forums, with an implicit "peer review", incorrect information usually gets called out.
07-25-2024 11:09 PM
In this pic, when I want to deny some hosts under VLAN 10 from reaching VLAN 20 by configuring access-group IN on VLAN 20, should the ACL be deny ip host 10.10.10.10 any or deny ip any host 10.10.10.10?
07-26-2024 01:10 AM - edited 07-26-2024 03:10 AM
deny ip any host 10.10.10.10 <<- if it is configured under VLAN 20, direction IN
MHM
07-26-2024 03:05 AM - edited 07-26-2024 09:13 AM
@MHM Cisco World wrote:
deny ip host 10.10.10.10 any
Because inbound for an SVI is from a host in the same subnet as the SVI, not from a different subnet.
MHM
After my last flub, it's with trepidation I ask, wouldn't the answer be deny ip any host 10.10.10.10?
OP asked for an in ACL on VLAN 20 SVI. So, such an ACL would need to block return traffic from VLAN 20 (src) to VLAN 10 (dst), yes?
07-26-2024 03:07 AM - edited 07-26-2024 03:08 AM
Got it
Thanks
MHM
07-26-2024 05:19 AM
@hs08 just some other options for using those two ACEs. . .
deny ip host 10.10.10.10 any
Could be used as an in for SVI 10, where it blocks the host from sending any traffic out of VLAN 10
Could also be used as an out for SVI 20 where it blocks VLAN 20 from receiving any traffic from that one host.
deny ip any host 10.10.10.10
Could be used as an in for SVI 20, where it blocks all of VLAN 20 from sending any traffic to that host.
Could also be used as an out for SVI 10 where it blocks that host from receiving any traffic external to VLAN 10.
Remember a single ACL applies to one direction of traffic but traffic can be bidirectional (although bidirectional conversations are broken even if just one direction is blocked). So, to guarantee no traffic, you would need two ACLs.
Next, keep in mind the scope of any. As above, its implied scope changes when applied on SVI 10 vs. SVI 20. This issue can be negated by using a specific network.
For example, rather than
deny ip host 10.10.10.10 any
perhaps
deny ip host 10.10.10.10 10.10.20.0 0.0.0.255
Lastly, an old recommendation of ACL applications is, to drop traffic ASAP. This would suggest using an in ACL, but if blocking bidirectional traffic, related in ACL ACEs relationships, on different interfaces (possibly on different devices), can be easily overlooked. So, for maintainability, an in and out on the same interface can be better. (For a case of a specific host, often its gateway interface might be the better choice, as the ACL, logically, is near the targeted host.)
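As an added example that is not part of the thread (my own model, assuming the 10.10.10.0/24 and 10.10.20.0/24 subnets for VLANs 10 and 20 used in the replies above), this Python snippet models Cisco wildcard-mask matching and SVI in/out direction so you can check which ACE a given packet hits, and why the scope of any shifts with where the ACE is applied:

```python
# Added example, not from the thread: a small model of Cisco extended-ACL wildcard
# matching plus SVI in/out direction semantics. Only the 'permit|deny ip <src> <dst>'
# form used in the thread is modelled. VLAN subnets below are assumed from the thread.
from ipaddress import IPv4Address, ip_network

SVI_SUBNETS = {10: ip_network("10.10.10.0/24"), 20: ip_network("10.10.20.0/24")}

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "don't care"; 'any' is 0.0.0.0 255.255.255.255
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_side(tokens):
    # One address side of an ACE: 'any', 'host X', or 'X WILDCARD'
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(text):
    action, proto, *rest = text.split()
    assert proto == "ip", "only 'ip' ACEs are modelled here"
    src, rest = parse_side(rest)
    dst, _ = parse_side(rest)
    return action, src, dst

def evaluate(acl, svi, direction, src, dst):
    """Return 'permit', 'deny', or 'not-seen' for a packet src -> dst.
    An SVI 'in' ACL only sees packets sourced from that VLAN's subnet; an 'out'
    ACL only sees packets destined into it. First match wins; implicit deny at end."""
    subnet = SVI_SUBNETS[svi]
    seen = IPv4Address(src) in subnet if direction == "in" else IPv4Address(dst) in subnet
    if not seen:
        return "not-seen"
    for ace in acl:
        action, (sb, sw), (db, dw) = parse_ace(ace)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# The two ACEs discussed in the thread, each followed by an explicit permit-all
HOST_ANY = ["deny ip host 10.10.10.10 any", "permit ip any any"]
ANY_HOST = ["deny ip any host 10.10.10.10", "permit ip any any"]

if __name__ == "__main__":
    # Host 10.10.10.10 (VLAN 10) sends to 10.10.20.5 (VLAN 20), and VLAN 20 replies
    print(evaluate(HOST_ANY, 10, "in", "10.10.10.10", "10.10.20.5"))   # deny
    print(evaluate(HOST_ANY, 20, "in", "10.10.10.10", "10.10.20.5"))   # not-seen
    print(evaluate(HOST_ANY, 20, "in", "10.10.20.5", "10.10.10.10"))   # permit
    print(evaluate(ANY_HOST, 20, "in", "10.10.20.5", "10.10.10.10"))   # deny
```

The third and fourth lines of output show the point made above: an in ACL on SVI 20 only ever sees VLAN 20 as the source, so deny ip host 10.10.10.10 any never matches there, while deny ip any host 10.10.10.10 blocks the return path.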