ACL quick question

Dear Experts,

I have one quick question. Let's say I created two extended access-lists on a switch and applied one on the VLAN SVI interface and the other on the host-facing interface. Which access-list will take effect?

Example:

    interface Vlan10
     ip address 192.168.1.1 255.255.255.0
     ip access-group 100 in
    end

    interface FastEthernet0/10
     switchport mode access
     switchport access vlan 10
     ip access-group 101 in
     spanning-tree portfast
     spanning-tree bpduguard enable
    end

So which access-list will port Fa0/10 follow and take effect? Access-list 100, access-list 101, or BOTH?

Thanks in advance,

Vaib...

Comments

  • Access-list 100 will only be active for inter-VLAN traffic. I'm not sure about 101 though; if it is on the port it should catch everything.

    My guess is that the port ACL is used first. The easiest way to try it would be to deny something in 101 and then permit it in 100. If it is blocked, then you will know the order of operation.

  • I found this in the Cat3560 documentation:

    "If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN. Incoming packets received on the Layer 2 port are always filtered by the port ACL."

    So the port ACL will take precedence. To test this out, create an ACL for the port that allows something like ICMP and then deny it on the VLAN interface; according to this, traffic should still be able to pass.

  • "I have one quick question, let say I created two extended access-list on a switch and apply one in the VLAN SVI interface and another one apply at the host interface end, which access-list will it take effect?"

    Can you be a little more clear in your question? I mean, you are saying "which access-list will it take effect", but in what case?

    "So which access-list will port Fa0/10 follow and take effect? access-list 100 or access-list 101? or BOTH ?"

    Since you have an access-list applied on f0/10, this one (access-list 101) will take effect in all cases, whether the traffic (arriving on f0/10) is going towards the vlan 10 interface or any other destination. However, if this traffic (arriving on f0/10) is going towards the vlan 10 interface, then in that case the access-list applied to the vlan 10 interface will also take effect; but if that traffic is going towards any other destination, then the access-list applied on the vlan interface will never come into the picture.

  • Hi Daniel,

    This looked like an interesting question at first, but is there any reason that makes these access-lists, applied on the vlan interface and the layer 2 interface, comparable?

    Traffic arriving on a layer 2 port that has an inbound access-list will always be subject to it, and it has nothing to do with the access-list applied on the vlan interface. If this traffic is going towards the vlan interface that has an access-list, then that access-list will also take effect; otherwise not.

    Is that right, or am I missing something?

  • Well, I also would say that the Port-ACL is for intra-VLAN (locally on the switch) traffic and the SVI-ACL is for inter-VLAN traffic. The SVI ACL is no VACL, so it is only used for packets destined outside the L3 subnet.

    Regards!

  • Yes, intra-VLAN traffic will never hit the SVI. You need a VACL or PACL for that. The interesting part is whether inter-VLAN traffic is subject to both ACLs.

    Unfortunately I have no real switches to try on, but it is a very interesting scenario.

  • Yep, that's right, that's the question here... well, looking to my left... there is a 3550 :D ... will check that in a few minutes :).

    Regards!

  • Very interesting question!

    For inter-VLAN traffic, my understanding is that the first ACL that will be matched is the port ACL, and then it will be matched against the VLAN ACL, so the two ACLs will be sort of "combined": if the port ACL allows and the VLAN ACL denies, then you are denied. If the port ACL denies, then the VLAN ACL will not even be consulted.

    For intra-VLAN traffic only the port ACL is matched.

    Looking forward to Markus' test results.

    Just my 2 cents.

  • Alright. Tested it out.

    I configured 2 ACLs:

    Extended IP access list ACL-PORT
        10 deny ip any any log
    Extended IP access list ACL-SVI
        10 deny ip any any log

    Both do the same, and I wanna look into which ACL is logging traffic.

    When I install the ACL-PORT on the Gi1/0/1 interface INBOUND, it blocks the traffic to anywhere (intra- or inter-VLAN), but it does not log anything.

    When I install the ACL-SVI on the Vlan1 interface INBOUND, it blocks all traffic that is destined for other IP subnets.

    When I install both ACLs and let the ACL-PORT permit everything (so that the packets match the ACL and run through it) and the ACL-SVI deny everything, then only inter-VLAN traffic is blocked. So it seems that both ACLs are serially connected in order of operation.

    Switch#sh access-list
    Extended IP access list ACL-PORT
        5 permit ip any any (9 matches)
        10 deny ip any any log
    Extended IP access list ACL-SVI
        10 deny ip any any log (15 matches)

    Regards!

    Markus
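The order of operation the thread converges on (port ACL first with first-match and implicit deny, then the inbound SVI ACL, and the SVI ACL only for traffic routed off the VLAN's subnet) can be written down as a small model. The Python below is an added example, not Cisco code and not something any poster in this thread wrote: it parses `show access-list` style lines like the ones quoted above into entries, then replays the "both ACLs applied" test, counting matches the way the `(N matches)` counters do. The subnet 192.168.1.0/24 and the host addresses are constructed sample values; the "log" keyword is parsed but logging itself is not modelled.

```python
"""Model of Catalyst ingress ACL order of operation: port ACL (PACL) first, then
the inbound SVI ACL, and the SVI ACL only for traffic routed to another subnet.
Constructed example for illustration; it is not Cisco code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    """One entry of an extended IP ACL (only the 'ip' protocol form is supported)."""
    seq: int
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool = False
    matches: int = 0                 # the "(N matches)" counter of 'show access-list'


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    # IOS wildcard bits are inverted netmask bits; a non-contiguous wildcard raises ValueError
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network((tokens[i], netmask), strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse lines of the form '<seq> permit|deny ip <src> <dst> [log]'.
    Header lines and trailing '(N matches)' counters are ignored."""
    aces = []
    for line in text.strip().splitlines():
        tokens = re.sub(r"\(\d+ match(es)?\)", "", line).split()
        if not tokens or not tokens[0].isdigit():
            continue                                  # e.g. "Extended IP access list ACL-PORT"
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line.strip()}")
        src, i = _parse_addr(tokens, 3)
        dst, i = _parse_addr(tokens, i)
        aces.append(Ace(seq, action, src, dst, log="log" in tokens[i:]))
    return sorted(aces, key=lambda a: a.seq)


def acl_lookup(acl: List[Ace], src: ipaddress.IPv4Address,
               dst: ipaddress.IPv4Address) -> Tuple[str, Optional[Ace]]:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            ace.matches += 1
            return ace.action, ace
    return "deny", None


def forward(pacl: Optional[List[Ace]], svi_acl: Optional[List[Ace]],
            src: str, dst: str, vlan_subnet: str) -> Tuple[str, str]:
    """Verdict for a packet entering an access port of the VLAN whose SVI owns vlan_subnet.
    Returns (verdict, stage); stage is the ACL that decided: 'port', 'svi', or 'none'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    subnet = ipaddress.IPv4Network(vlan_subnet)
    if pacl is not None:
        verdict, _ = acl_lookup(pacl, s, d)
        if verdict == "deny":
            return "deny", "port"                     # SVI ACL is never consulted
    intra_vlan = s in subnet and d in subnet          # bridged traffic never reaches the SVI
    if intra_vlan or svi_acl is None:
        return "permit", "port" if pacl is not None else "none"
    verdict, _ = acl_lookup(svi_acl, s, d)
    return verdict, "svi"


# Constructed sample data mirroring the ACLs quoted in the thread (PACL permit-all,
# SVI deny-all); 192.168.1.0/24 and the host addresses are made up for the example.
PACL_TEXT = """Extended IP access list ACL-PORT
    5 permit ip any any
    10 deny ip any any log"""
SVI_TEXT = """Extended IP access list ACL-SVI
    10 deny ip any any log"""


def replay_test(vlan_subnet: str = "192.168.1.0/24") -> dict:
    """Replay the 'both ACLs applied' scenario: intra-VLAN passes, inter-VLAN is denied."""
    pacl, svi = parse_acl(PACL_TEXT), parse_acl(SVI_TEXT)
    results = {
        "intra_vlan": forward(pacl, svi, "192.168.1.10", "192.168.1.20", vlan_subnet),
        "inter_vlan": forward(pacl, svi, "192.168.1.10", "10.0.0.5", vlan_subnet),
    }
    results["pacl_matches"] = pacl[0].matches         # counted for both packets
    results["svi_matches"] = svi[0].matches           # counted for the routed packet only
    return results


if __name__ == "__main__":
    for name, value in replay_test().items():
        print(f"{name}: {value}")
```

The model deliberately keeps the SVI subnet as an explicit parameter: the decision "does this packet get routed" is what selects whether the SVI ACL is ever consulted, which is why a deny-all on the SVI leaves intra-VLAN traffic untouched while a deny-all on the port stops everything.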

     

  • Awesome, so you got all the expected results.

    "When I install the ACL-PORT on the Gi1/0/1 Interface INBOUND it blocks the traffic to anywhere (intra or inter-vlan) but it does not log anything."

    Logging in this case can be due to some hardware limitation.

  • Markus,

    Thanks for sharing the results. Glad to see that the results are the same as we expected/predicted.

    Regards!

  • "When I install both ACLs and let the ACL-PORT permit everything (so that the packets match the ACL and run through it) and the ACL-SVI deny everything then only inter-vlan traffic is blocked. So it seems that both ACLs are serially connected in order of operation."

    Thanks for the nice testing, Markus!!

  • Thanks Markus and to all, I appreciate it very much and will try it with your suggestion.

    Thanks once again to all.
