Velocity Reviews - Computer Hardware Reviews

ip access-group name in - does it apply to systems on the same subnet?

Adam Przestroga
06-09-2009
Hi all,

Perhaps a dumb question, but I need clarification.

I have an ACL defined on a Catalyst 3560 VLAN interface. Does it apply
to systems which reside within this VLAN and communicate with one
another? Or perhaps, this ACL works only when the VLAN systems
communicate with systems on another subnet?

Thanks,
APrzestroga

Trendkill
06-10-2009
On Jun 9, 6:52 pm, Adam Przestroga <aprzestr...@op.pl> wrote:
> Hi all,
>
> Perhaps a dumb question, but I need clarification.
>
> I have an ACL defined on a Catalyst 3560 VLAN interface. Does it apply
> to systems which reside within this VLAN and communicate with one
> another? Or perhaps, this ACL works only when the VLAN systems
> communicate with systems on another subnet?
>
> Thanks,
> APrzestroga


You apply an access-list in or out on a vlan or interface. If you
apply it 'in' on vlan X, the access-list will only impact traffic it
receives from Vlan X to the vlan interface. More importantly to your
question, the only time a node on vlan X would send traffic to the
vlan interface is when it is sending traffic to its default gateway
to be routed somewhere else. Conversely, applying it 'out' on vlan X
will only impact traffic that the router is putting onto Vlan X from
another network. No access-list will impact traffic within a vlan,
since that will be handled by ARPs on the local machines/servers and
switched, not routed. Access-lists are strictly layer 3, unless you
start looking at VACLs and other layer 2 related options.

Adam Przestroga
06-10-2009
Trendkill wrote:
> You apply an access-list in or out on a vlan or interface. If you
> apply it 'in' on vlan X, the access-list will only impact traffic it
> receives from Vlan X to the vlan interface. More importantly to your
> question, the only time a node on vlan X would send traffic to the
> vlan interface, is when it is sending traffic to its default gateway
> to be routed somewhere else. Conversely, applying it 'out' on vlan X,
> will only impact traffic that the router is putting onto Vlan X from
> another network. No access-list will impact traffic within a vlan
> since that will be handled by arps on the local machines/servers and
> switched...not routed. Access-lists are strictly layer 3, unless you
> start looking at vacls and other layer 2 related options.


Thank you for the clarification. I have applied an L2 ACL (access-map) and
it seems to do the job.

BTW, the "out" ACL applied on the gateway interface of VLAN X is a bit
misleading...

Regards,
APrzestroga

Trendkill
06-10-2009
On Jun 10, 6:43 pm, Adam Przestroga <aprzestr...@op.pl> wrote:
> Trendkill wrote:
> > You apply an access-list in or out on a vlan or interface. If you
> > apply it 'in' on vlan X, the access-list will only impact traffic it
> > receives from Vlan X to the vlan interface. More importantly to your
> > question, the only time a node on vlan X would send traffic to the
> > vlan interface, is when it is sending traffic to its default gateway
> > to be routed somewhere else. Conversely, applying it 'out' on vlan X,
> > will only impact traffic that the router is putting onto Vlan X from
> > another network. No access-list will impact traffic within a vlan
> > since that will be handled by arps on the local machines/servers and
> > switched...not routed. Access-lists are strictly layer 3, unless you
> > start looking at vacls and other layer 2 related options.
>
> Thank you for the clarification. I have applied L2 ACL (access-map) and
> it seems to do the job.
>
> BTW. The "out" ACL applied on the gateway interface of VLAN X is a bit
> misleading...
>
> Regards,
> APrzestroga


Yes, the terminology has always carried some confusion. The best way to
think of it is as a router on a stick. Picture the router as having
one interface to a switch where all the nodes on the vlan are. If the
router puts packets out onto the vlan (i.e. destined to a server/node
on that network from another network), then that matches 'out' access
lists. If the router receives a packet in on that vlan interface
(i.e. destined to another network from one of the servers/nodes), then
it matches 'in' access lists. Then just scale that up to many
switched virtual interfaces (SVIs) or vlans on a 6500 series
router/MSFC. It works the same way with just more interfaces, and some happen
to be logical instead of physical.
 
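Added configuration example (not from the thread or from any poster) putting the two mechanisms discussed above side by side on a Catalyst 3560: a routed ACL on the SVI, which only sees packets that cross the gateway, and a VLAN access-map, which also covers frames switched between hosts inside the VLAN. The addressing, ACL names and the filtered port are assumed for illustration.

```cisco
! Assumed addressing: VLAN 10 is 10.10.0.0/24, SVI/default gateway 10.10.0.1.
!
! 1) Routed ACL (RACL) on the SVI. Evaluated only for packets that enter ("in")
!    or leave ("out") the gateway, i.e. traffic to or from OTHER subnets.
!    Host-to-host traffic inside VLAN 10 never reaches it: it is switched at
!    layer 2, not routed.
ip access-list extended VLAN10-IN
 remark "in" = packets received from VLAN 10 hosts heading for the gateway
 permit tcp 10.10.0.0 0.0.0.255 host 10.20.0.5 eq 443
 deny   ip  10.10.0.0 0.0.0.255 10.30.0.0 0.0.0.255 log
 permit ip  10.10.0.0 0.0.0.255 any
!
ip access-list extended VLAN10-OUT
 remark "out" = packets the router puts onto VLAN 10 from another network
 permit tcp any 10.10.0.0 0.0.0.255 established
 deny   ip  any any log
!
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip access-group VLAN10-IN in
 ip access-group VLAN10-OUT out
!
! 2) VLAN access-map (VACL). Applied to all packets in VLAN 10, including
!    those switched between hosts on the same subnet, so this is the tool
!    for restricting peers inside the VLAN from each other.
ip access-list extended INTRA-VLAN10-DROP
 remark assumed policy: no peer-to-peer SMB between hosts in VLAN 10
 permit tcp 10.10.0.0 0.0.0.255 10.10.0.0 0.0.0.255 eq 445
!
ip access-list extended INTRA-VLAN10-REST
 permit ip any any
!
vlan access-map VLAN10-MAP 10
 match ip address INTRA-VLAN10-DROP
 action drop
vlan access-map VLAN10-MAP 20
 match ip address INTRA-VLAN10-REST
 action forward
! Sequence 20 is required: a packet matched by no clause is dropped by the
! access-map's implicit deny.
vlan filter VLAN10-MAP vlan-list 10
```

Confirm what is in force with `show vlan filter` and `show vlan access-map`, and watch hit counters with `show ip access-lists`.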