ip access-group name in - does it apply to systems on the same subnet?
Posted by Adam Przestroga on June 9, 2009, 6:52 pm
Perhaps a dumb question, but I need clarification.

I have an ACL defined on a Catalyst 3560 VLAN interface. Does it apply to systems which reside within this VLAN and communicate with one another? Or perhaps, this ACL works only when the VLAN systems communicate with systems on another subnet?

Thanks,
APrzestroga
Posted by Trendkill on June 10, 2009, 5:59 am
You apply an access-list in or out on a VLAN or interface. If you apply it 'in' on VLAN X, the access-list will only impact traffic it receives from VLAN X to the VLAN interface. More importantly to your question, the only time a node on VLAN X would send traffic to the VLAN interface is when it is sending traffic to its default gateway to be routed somewhere else. Conversely, applying it 'out' on VLAN X will only impact traffic that the router is putting onto VLAN X from another network.

No access-list will impact traffic within a VLAN, since that will be handled by ARPs on the local machines/servers and switched... not routed. Access-lists are strictly layer 3, unless you start looking at VACLs and other layer 2 related options.
Posted by Adam Przestroga on June 10, 2009, 6:43 pm
Trendkill wrote:
> You apply an access-list in or out on a vlan or interface. If you
> apply it 'in' on vlan X, the access-list will only impact traffic it
> receives from Vlan X to the vlan interface. More importantly to your
> question, the only time a node on vlan X would send traffic to the
> vlan interface, is when it is sending traffic to its default gateway
> to be routed somewhere else. Conversely, applying it 'out' on vlan X,
> will only impact traffic that the router is putting onto Vlan X from
> another network. No access-list will impact traffic within a vlan
> since that will be handled by arps on the local machines/servers and
> switched...not routed. Access-lists are strictly layer 3, unless you
> start looking at vacls and other layer 2 related options.

Thank you for the clarification. I have applied L2 ACL (access-map) and it seems to do the job.

BTW. The "out" ACL applied on the gateway interface of VLAN X is a bit misleading...

Regards,
APrzestroga
Posted by Trendkill on June 10, 2009, 7:14 pm
> Trendkill wrote:
> > You apply an access-list in or out on a vlan or interface. If you
> > apply it 'in' on vlan X, the access-list will only impact traffic it
> > receives from Vlan X to the vlan interface. More importantly to your
> > question, the only time a node on vlan X would send traffic to the
> > vlan interface, is when it is sending traffic to its default gateway
> > to be routed somewhere else. Conversely, applying it 'out' on vlan X,
> > will only impact traffic that the router is putting onto Vlan X from
> > another network. No access-list will impact traffic within a vlan
> > since that will be handled by arps on the local machines/servers and
> > switched...not routed. Access-lists are strictly layer 3, unless you
> > start looking at vacls and other layer 2 related options.
>
> Thank you for the clarification. I have applied L2 ACL (access-map) and
> it seems to do the job.
>
> BTW. The "out" ACL applied on the gateway interface of VLAN X is a bit
> misleading...
>
> Regards,
> APrzestroga

Yes, the terminology has always carried some confusion. Best way to think of it is as a router on a stick. Picture the router as having one interface to a switch where all the nodes on the VLAN are. If the router puts packets out onto the VLAN (i.e. destined to a server/node on that network from another network), then that matches 'out' access lists. If the router receives a packet in on that VLAN interface (i.e. destined to another network from one of the servers/nodes), then it matches 'in' access lists. Then just scale that up to many switched virtual interfaces (SVIs) or VLANs on a 6500 series router/MSFC... works the same way with just more interfaces, and some happen to be logical instead of physical.