2571 Views · 0 Helpful · 5 Replies

ACLs on layer 3 VLANs

Yannick Vranckx
Level 2

Hello,

I have a question about ACLs applied to layer 3 VLANs.

Say I have a layer 3 VLAN with an ACL applied to it:

    interface Vlan200
     ip access-group ACL in

This ACL would be affecting the traffic going into that VLAN, so any statement would have an effect on that.

When troubleshooting something I noticed that I needed to allow a host from that VLAN 200 to have communications with a host in VLAN 201; this VLAN had no ACL applied to it. Still the communication failed. I noticed that it worked if I added an ACL statement to the ACL applied on VLAN 200 that allows a host from that VLAN to start traffic to a host from another VLAN with no ACL. So outbound from VLAN 200; I always thought that an access-group would not affect the outbound traffic of that VLAN if it was set to in.

So to clarify:

Host A in VLAN 200 needed to connect to Host B in VLAN 201

Host A: 192.168.200.1

Host B: 192.168.201.1

In the access list there are statements to allow host B to talk to A because the ACL is inbound on VLAN 200; I add a rule to allow TCP communication for port range 41000 to 41006. The communication will not work. It will work if I add another statement on VLAN 200 stating that host A is allowed TCP sessions to host B over that TCP port range. The question is: why would we need to add such an ACL statement if the ACL is only applied inbound?

1 Accepted Solution

Richard Burts
Hall of Fame

It sounds like there may be some confusion about in and out as you apply your access lists. A simple way to remember it is that in and out operate from the perspective of the switch. So an access list applied in on vlan 200 will be for hosts in vlan 200 sending traffic TO the switch. And an access list applied out on vlan 200 will be for traffic sent from the switch to the hosts in vlan 200.

Another way to say it is that for an access list applied to vlan 200 the hosts of vlan 200 will be the source when the ACL is applied in and the hosts of vlan 200 will be the destination when the ACL is applied out.

HTH

Rick

5 Replies

Hello Richard,

Thanks for clearing that confusion up. I understand now.

Thanks

I am glad that my explanation was helpful. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions that have helpful information.

HTH

Rick

Hi Richard, I was struggling with the same issue, in vs. out. Your explanation was extremely helpful in clarifying this. Thanks so much.

Hello,

Consider an example of host A in VLAN 200 and host B in VLAN 100, and I want to allow HTTP from host A to host B. Is my following ACL setup right?

    ip access-list extended VLAN-200-IN
     permit tcp host A host B eq www
     deny ip any any

    ip access-list extended VLAN-200-OUT
     permit tcp host B eq www host A gt 1024
     deny ip any any

    interface Vlan200
     ip access-group VLAN-200-IN in
     ip access-group VLAN-200-OUT out
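To make the in/out rule from the accepted answer concrete, and to trace what the VLAN-200-IN / VLAN-200-OUT pair in the last post would do under that rule, here is a small Python model of a layer 3 switch consulting per-SVI ACLs. It is an added example, not code from the thread or from Cisco IOS: the host A/B addresses are the ones in the original question, the VLAN 100 host address is a constructed placeholder, and the `Router.forward` logic is a deliberately simplified reading of IOS behaviour (ingress SVI "in" ACL first, then egress SVI "out" ACL, implicit deny at the end of each list).

```python
# Added example (not from the thread): per-SVI ACL evaluation, "in"/"out" from the switch's view.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"      # "tcp", "udp", "icmp" or "ip"
    sport: int = 0
    dport: int = 0


def _port_ok(spec: Tuple, port: int) -> bool:
    """spec mirrors an IOS port operator: ("any",), ("eq", n), ("gt", n) or ("range", lo, hi)."""
    op = spec[0]
    if op == "any":
        return True
    if op == "eq":
        return port == spec[1]
    if op == "gt":
        return port > spec[1]
    if op == "range":
        return spec[1] <= port <= spec[2]
    raise ValueError(f"unknown port operator {op!r}")


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str               # host/CIDR string or "any"
    dst: str
    sport: Tuple = ("any",)
    dport: Tuple = ("any",)

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        for spec, addr in ((self.src, p.src), (self.dst, p.dst)):
            if spec != "any" and ip_address(addr) not in ip_network(spec, strict=False):
                return False
        return _port_ok(self.sport, p.sport) and _port_ok(self.dport, p.dport)


@dataclass
class Acl:
    name: str
    entries: List[Ace] = field(default_factory=list)

    def evaluate(self, p: Packet) -> str:
        for ace in self.entries:   # first matching line wins
            if ace.matches(p):
                return ace.action
        return "deny"              # implicit deny at the end of every list


@dataclass
class Svi:
    vlan: int
    network: str
    acl_in: Optional[Acl] = None
    acl_out: Optional[Acl] = None


class Router:
    def __init__(self, svis: List[Svi]):
        self.svis = svis

    def _svi_for(self, addr: str) -> Svi:
        for s in self.svis:
            if ip_address(addr) in ip_network(s.network):
                return s
        raise LookupError(f"no SVI for {addr}")

    def forward(self, p: Packet):
        """Return (verdict, trace); trace lists every ACL consulted as (svi, direction, name, result)."""
        ingress, egress, trace = self._svi_for(p.src), self._svi_for(p.dst), []
        # The packet comes from a host of the ingress VLAN towards the switch: only that
        # SVI's "in" ACL sees it, with the VLAN's own host as the source address.
        if ingress.acl_in:
            v = ingress.acl_in.evaluate(p)
            trace.append((f"vlan{ingress.vlan}", "in", ingress.acl_in.name, v))
            if v == "deny":
                return "deny", trace
        # After routing it leaves the switch towards a host of the egress VLAN: that
        # SVI's "out" ACL sees it, with the VLAN's own host as the destination address.
        if egress.acl_out:
            v = egress.acl_out.evaluate(p)
            trace.append((f"vlan{egress.vlan}", "out", egress.acl_out.name, v))
            if v == "deny":
                return "deny", trace
        return "permit", trace


HOST_A, HOST_B = "192.168.200.1", "192.168.201.1"   # hosts from the original question
PORTS = ("range", 41000, 41006)


def vlan200_in_scenario(permit_a_to_b: bool):
    """Original question: 'in' ACL on vlan 200 permitting B -> A only, then with A -> B added."""
    acl = Acl("ACL", [Ace("permit", "tcp", f"{HOST_B}/32", f"{HOST_A}/32", dport=PORTS)])
    if permit_a_to_b:
        acl.entries.append(Ace("permit", "tcp", f"{HOST_A}/32", f"{HOST_B}/32", dport=PORTS))
    r = Router([Svi(200, "192.168.200.0/24", acl_in=acl), Svi(201, "192.168.201.0/24")])
    a_to_b = r.forward(Packet(HOST_A, HOST_B, "tcp", sport=50000, dport=41003))
    b_to_a = r.forward(Packet(HOST_B, HOST_A, "tcp", sport=50000, dport=41003))  # never sees the ACL
    return a_to_b, b_to_a


def http_scenario():
    """Later post: VLAN-200-IN / VLAN-200-OUT for HTTP from host A (vlan 200) to host B (vlan 100)."""
    b100 = "192.168.100.1"   # constructed placeholder for the vlan 100 host
    acl_in = Acl("VLAN-200-IN", [Ace("permit", "tcp", f"{HOST_A}/32", f"{b100}/32", dport=("eq", 80)),
                                 Ace("deny", "ip", "any", "any")])
    acl_out = Acl("VLAN-200-OUT", [Ace("permit", "tcp", f"{b100}/32", f"{HOST_A}/32",
                                       sport=("eq", 80), dport=("gt", 1024)),
                                   Ace("deny", "ip", "any", "any")])
    r = Router([Svi(200, "192.168.200.0/24", acl_in, acl_out), Svi(100, "192.168.100.0/24")])
    request = r.forward(Packet(HOST_A, b100, "tcp", sport=41000, dport=80))
    reply = r.forward(Packet(b100, HOST_A, "tcp", sport=80, dport=41000))
    other = r.forward(Packet(HOST_A, b100, "tcp", sport=41001, dport=443))  # not HTTP
    return request, reply, other


if __name__ == "__main__":
    print(vlan200_in_scenario(False), vlan200_in_scenario(True), http_scenario(), sep="\n")
```

Running it reproduces the original poster's observation: with only the B-to-A line, the A-to-B SYN hits the implicit deny of the vlan 200 "in" ACL, while B-to-A traffic is never matched against that ACL at all (the trace is empty), because it enters on vlan 201 and leaves on vlan 200 where no "out" list is bound. For the HTTP question, the request is checked by VLAN-200-IN and the reply by VLAN-200-OUT; anything from A that is not HTTP to B is stopped by the explicit `deny ip any any`. The model ignores stateful inspection, established matching and platform-specific exceptions, so treat it as a way to reason about direction, not as a simulator of any particular switch.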
