Understanding Access-Lists, VLANs, and Traffic Flow

Tags: acl, cisco, cisco-ios-12, cisco-ios-15, vlan

I have a question that I am having a very hard time wrapping my mind around, and I think you might be able to square me away.

When applying an access list to a VLAN interface (VLAN 32) in an L3 switch, for clients that are in the VLAN 32 subnet, are they seen as coming into VLAN 32 on the way to being routed, or is the traffic coming out (exiting) the VLAN 32 interface? What about traffic coming from another VLAN?

I am trying to sort this out for the purpose of deciding on applying an access list to "in" or "out" traffic against the VLAN 32 interface.

Best Answer

This is often a confusing topic for users new to SVIs, as it does seem to work a bit counterintuitively. Most people have a tendency to look at the SVI as some sort of "gateway" and to assume that traffic leaving the VLAN should be outbound and vice versa.

However, it actually works in the opposite way because the SVI is a virtual router interface. It can help to think of the SVI as a physical interface on a physical router connected to the VLAN. From the perspective of this router, traffic arriving on the interface (the SVI) from the VLAN is inbound. Traffic from the rest of the network to the VLAN would be going out (or outbound) from the perspective of this interface.

As an example, take for instance the following SVI:

interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 ip access-group VLAN10_IN in
 ip access-group VLAN10_OUT out

Now, let's say I want to prevent any traffic with spoofed IP addresses from leaving this VLAN. My access list may look like the one below. Notice that while this traffic is outbound from the VLAN, it is inbound to the interface and as such is an inbound ACL.

Sw6500#sh ip access-lists VLAN10_IN
Extended IP access list VLAN10_IN
    10 permit ip 10.1.1.0 0.0.0.255 any
    20 deny ip any any

If I want to limit access to this VLAN so that devices with 192.168.1.0/24 addresses are blocked but all other 192.168.0.0/16 addresses are allowed, the ACL would look something like this:

Sw6500#sh ip access-lists VLAN10_OUT
Extended IP access list VLAN10_OUT
    10 deny ip 192.168.1.0 0.0.0.255 any
    20 permit ip 192.168.0.0 0.0.255.255 any
    30 deny ip any any

Please Note: These are not complete working access lists; they are meant only as examples. While they may work in certain environments, they may create problems if you try to use them. For instance, they will not allow traffic such as DHCP if the DHCP server is on a different VLAN.

One parting note, which may seem obvious but which I have seen trip people up before: if the SVI has multiple subnets associated with it, you need to make sure your ACLs take this into account, as traffic that passes between these subnets will be processed by the ACL even though it stays within the VLAN.

As long as you keep the concept that the SVI is an interface, this should be easy to accomplish.
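The "SVI is a router interface" rule from the answer, worked through in a small Python model. This is an added example, not code from the page or from Cisco IOS: it parses the two ACLs shown in the answer, applies Cisco first-match and wildcard-mask semantics (with the implicit deny at the end of a list), and runs constructed packets through a constructed topology. The secondary subnet 10.1.2.0/24 on Vlan10 and the ACL-free Vlan20/Vlan30 are assumptions made for the example, as is the simplification that every routed packet, including a DHCP DISCOVER sourced from 0.0.0.0, is checked against the SVI ACL, which is the behaviour the answer's DHCP caveat warns about.

```python
import ipaddress
from dataclasses import dataclass, field

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' == 0.0.0.0 with an all-ones wildcard


def wildcard_match(ip, addr, wildcard):
    """Cisco wildcard semantics: 0 bits in the wildcard must match, 1 bits are don't-care."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) ^ int(ipaddress.IPv4Address(addr))) & care == 0


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]; return ((addr, wildcard), next_index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


@dataclass
class ACL:
    name: str
    entries: list  # (seq, action, (src_addr, src_wc), (dst_addr, dst_wc))


def parse_acl(text):
    """Parse 'show ip access-lists' output: a name line plus '<seq> permit|deny ip <src> <dst>'."""
    name, entries = None, []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:4] == ["Extended", "IP", "access", "list"]:
            name = t[4]
        elif len(t) >= 5 and t[1] in ("permit", "deny"):
            src, i = _parse_addr(t, 3)  # t[2] is the protocol ('ip' in these lists)
            dst, _ = _parse_addr(t, i)
            entries.append((int(t[0]), t[1], src, dst))
    return ACL(name, entries)


def evaluate(acl, src, dst):
    """First match wins; no match falls through to Cisco's implicit deny (seq None)."""
    for seq, action, s, d in acl.entries:
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action, seq
    return "deny", None


@dataclass
class SVI:
    name: str
    subnets: list  # primary + secondary subnets as IPv4Network objects
    acl_in: ACL = None
    acl_out: ACL = None

    def owns(self, ip):
        return any(ipaddress.IPv4Address(ip) in n for n in self.subnets)


class L3Switch:
    def __init__(self, svis):
        self.svis = {s.name: s for s in svis}

    def egress_for(self, dst):
        """Connected-route lookup: the SVI owning the destination subnet, or None (off-box)."""
        return next((s for s in self.svis.values() if s.owns(dst)), None)

    def forward(self, ingress_name, src, dst):
        """Return (verdict, acl_name, seq) for a packet that arrived on VLAN ingress_name.

        Traffic leaving the VLAN is inbound on its SVI, so acl_in is checked first.
        Traffic routed into a VLAN is outbound on that VLAN's SVI, so acl_out is checked
        after the routing decision. Same-subnet traffic is bridged and never sees the SVI,
        but traffic between two subnets on one SVI is routed and hits both ACLs.
        """
        ingress = self.svis[ingress_name]
        if any(ingress.owns(src) and ipaddress.IPv4Address(src) in n
               and ipaddress.IPv4Address(dst) in n for n in ingress.subnets):
            return "permit", None, None  # L2 switched inside one subnet, no ACL involved
        if ingress.acl_in is not None:
            action, seq = evaluate(ingress.acl_in, src, dst)
            if action == "deny":
                return "deny", ingress.acl_in.name, seq
        egress = self.egress_for(dst)
        if egress is not None and egress.acl_out is not None:
            action, seq = evaluate(egress.acl_out, src, dst)
            if action == "deny":
                return "deny", egress.acl_out.name, seq
        return "permit", None, None


# The two ACLs exactly as shown in the answer.
VLAN10_IN = parse_acl("""
Extended IP access list VLAN10_IN
    10 permit ip 10.1.1.0 0.0.0.255 any
    20 deny ip any any
""")
VLAN10_OUT = parse_acl("""
Extended IP access list VLAN10_OUT
    10 deny ip 192.168.1.0 0.0.0.255 any
    20 permit ip 192.168.0.0 0.0.255.255 any
    30 deny ip any any
""")

# Constructed topology (assumption): 10.1.2.0/24 is a secondary subnet on Vlan10;
# Vlan20 and Vlan30 carry no ACLs.
SWITCH = L3Switch([
    SVI("Vlan10", [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.1.2.0/24")],
        acl_in=VLAN10_IN, acl_out=VLAN10_OUT),
    SVI("Vlan20", [ipaddress.ip_network("192.168.1.0/24")]),
    SVI("Vlan30", [ipaddress.ip_network("192.168.5.0/24")]),
])

if __name__ == "__main__":
    # Constructed packets: (arrival VLAN, source, destination).
    for pkt in [("Vlan10", "10.1.1.50", "192.168.5.9"),   # VLAN10 host out: permitted by VLAN10_IN
                ("Vlan10", "172.16.0.5", "192.168.5.9"),   # spoofed source: VLAN10_IN seq 20
                ("Vlan20", "192.168.1.7", "10.1.1.50"),    # into VLAN10: VLAN10_OUT seq 10
                ("Vlan10", "0.0.0.0", "255.255.255.255"),  # DHCP DISCOVER: the answer's caveat
                ("Vlan10", "10.1.1.50", "10.1.2.9")]:      # primary -> secondary subnet
        print(pkt, "->", SWITCH.forward(*pkt))
```

The last case is the answer's parting note made concrete: the packet never leaves VLAN 10, but because it crosses from the primary to the secondary subnet it is routed by the SVI, passes VLAN10_IN, and is then dropped by VLAN10_OUT, which only permits sources in 192.168.0.0/16.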