ip access-group name in - does it apply to systems on the same subnet?

Discussion in 'Cisco' started by Adam Przestroga, Jun 9, 2009.

  1. Hi all,

    Perhaps a dumb question, but I need clarification.

    I have an ACL defined on a Catalyst 3560 VLAN interface. Does it apply
    to systems which reside within this VLAN and communicate with one
    another? Or perhaps, this ACL works only when the VLAN systems
    communicate with systems on another subnet?

    Thanks,
    APrzestroga
    Adam Przestroga, Jun 9, 2009
    #1

  2. Trendkill (Guest)

    Re: ip access-group name in - does it apply to systems on the same subnet?

    On Jun 9, 6:52 pm, Adam Przestroga <> wrote:
    > Hi all,
    >
    > Perhaps a dumb question, but I need clarification.
    >
    > I have an ACL defined on a Catalyst 3560 VLAN interface. Does it apply
    > to systems which reside within this VLAN and communicate with one
    > another? Or perhaps, this ACL works only when the VLAN systems
    > communicate with systems on another subnet?
    >
    > Thanks,
    > APrzestroga


    You apply an access-list in or out on a VLAN or interface. If you
    apply it 'in' on VLAN X, the access-list will only impact traffic it
    receives from VLAN X to the VLAN interface. More importantly to your
    question, the only time a node on VLAN X would send traffic to the
    VLAN interface is when it is sending traffic to its default gateway
    to be routed somewhere else. Conversely, applying it 'out' on VLAN X
    will only impact traffic that the router is putting onto VLAN X from
    another network. No access-list will impact traffic within a VLAN,
    since that will be handled by ARPs on the local machines/servers and
    switched... not routed. Access-lists are strictly layer 3, unless you
    start looking at VACLs and other layer 2 related options.
    Trendkill, Jun 10, 2009
    #2
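The in/out distinction described in the reply above, as an added worked configuration that is not from the thread: a Catalyst 3560 SVI for an assumed VLAN 10 on 10.1.10.0/24, with one routed ACL applied in each direction and comments recording which of four sample flows each ACL does and does not see. The subnet, VLAN number, peer network 10.1.20.0/24, DNS server address and ACL names are all assumptions chosen for illustration.

```cisco
! Constructed example (not from the thread). VLAN 10 = 10.1.10.0/24,
! gateway 10.1.10.1, a server VLAN 10.1.20.0/24 with a DNS host at
! 10.1.20.53. All addresses, names and numbers are assumptions.
!
ip access-list extended VLAN10-IN
 remark Evaluated on packets ARRIVING at the SVI from VLAN 10 hosts,
 remark i.e. traffic they hand to their default gateway to be routed
 permit icmp 10.1.10.0 0.0.0.255 host 10.1.10.1 echo
 permit udp 10.1.10.0 0.0.0.255 host 10.1.20.53 eq 53
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 443
 deny   ip any any log
!
ip access-list extended VLAN10-OUT
 remark Evaluated on packets the switch ROUTES INTO VLAN 10 from
 remark other networks, just before they are placed on the VLAN
 permit tcp any 10.1.10.0 0.0.0.255 established
 permit udp host 10.1.20.53 eq 53 10.1.10.0 0.0.0.255
 permit icmp any 10.1.10.0 0.0.0.255 echo-reply
 deny   ip any any log
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group VLAN10-IN in
 ip access-group VLAN10-OUT out
!
! Which ACL each sample flow meets:
!   10.1.10.20 -> 10.1.20.53 udp/53      : VLAN10-IN on entry, then routed
!   10.1.20.53 -> 10.1.10.20 (the reply)  : VLAN10-OUT before delivery
!   10.1.10.20 -> 10.1.10.1  icmp echo    : VLAN10-IN (the SVI is the target)
!   10.1.10.20 -> 10.1.10.30 (same /24)   : neither ACL; bridged at layer 2
!
! Verify the bindings:
!   show ip interface vlan 10 | include access list
!   show ip access-lists VLAN10-IN
```

Two caveats a practitioner would want alongside this. `established` in VLAN10-OUT is a stateless check on the TCP ACK/RST bits, not connection tracking, so it admits any packet with those bits set; and an outbound ACL is not evaluated for packets the switch itself originates, so VLAN10-OUT does not constrain traffic sourced from the SVI. The fourth flow in the comment is the answer to the original question: it never reaches the SVI, so neither ACL is consulted.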

  3. Re: ip access-group name in - does it apply to systems on the same subnet?

    Trendkill wrote:
    > You apply an access-list in or out on a vlan or interface. If you
    > apply it 'in' on vlan X, the access-list will only impact traffic it
    > receives from Vlan X to the vlan interface. More importantly to your
    > question, the only time a node on vlan X would send traffic to the
    > vlan interface, is when it is sending traffic to its default gateway
    > to be routed somewhere else. Conversely, applying it 'out' on vlan X,
    > will only impact traffic that the router is putting onto Vlan X from
    > another network. No access-list will impact traffic within a vlan
    > since that will be handled by arps on the local machines/servers and
    > switched...not routed. Access-lists are strictly layer 3, unless you
    > start looking at vacls and other layer 2 related options.


    Thank you for the clarification. I have applied an L2 ACL (access-map)
    and it seems to do the job.

    BTW. The "out" ACL applied on the gateway interface of VLAN X is a bit
    misleading...

    Regards,
    APrzestroga
    Adam Przestroga, Jun 10, 2009
    #3
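What the "L2 ACL (access-map)" mentioned above looks like in practice, as an added example that is not Adam's configuration: a VLAN access map on a Catalyst 3560 that drops SMB and RDP between hosts inside an assumed VLAN 10 (10.1.10.0/24) while forwarding everything else. The VLAN number, subnet, ports and names are assumptions chosen for illustration.

```cisco
! Constructed example (not from the thread). Filters host-to-host
! traffic INSIDE VLAN 10 (10.1.10.0/24), which the SVI's
! "ip access-group" never sees. Names and numbers are assumptions.
!
! 1. A classifying ACL. In a VLAN map, "permit" means "this packet
!    matches the map entry"; the drop/forward decision is made in the map.
ip access-list extended INTRA-VLAN10-LATERAL
 remark SMB and RDP between hosts on the same /24
 permit tcp 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 445
 permit tcp 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 3389
!
! 2. The access map. Sequence 10 drops what the ACL selects; sequence 20
!    forwards everything else. Without sequence 20 the map's implicit
!    deny would drop all other IP traffic on the VLAN.
vlan access-map VLAN10-MAP 10
 match ip address INTRA-VLAN10-LATERAL
 action drop
vlan access-map VLAN10-MAP 20
 action forward
!
! 3. Bind the map to the VLAN. Unlike an ACL on the SVI, this is
!    evaluated for every packet bridged within, routed into, or routed
!    out of VLAN 10 on this switch.
vlan filter VLAN10-MAP vlan-list 10
!
! Verify:
!   show vlan access-map VLAN10-MAP
!   show vlan filter
```

Three things to check after applying it. The map is evaluated for routed as well as bridged packets in VLAN 10, so the classifying ACL should name both source and destination inside the subnet, as above, if only host-to-host traffic is meant to be affected. It only filters frames that pass through this switch, so two hosts on the same VLAN that sit behind another switch are not covered unless that switch carries the same map. And on this platform hardware-forwarded matches are not reflected in `show access-lists` counters, so confirm the behaviour by attempting the blocked connection from a host rather than by watching counters.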
  4. Trendkill (Guest)

    Re: ip access-group name in - does it apply to systems on the same subnet?

    On Jun 10, 6:43 pm, Adam Przestroga <> wrote:
    > Trendkill wrote:
    > > You apply an access-list in or out on a vlan or interface.  If you
    > > apply it 'in' on vlan X, the access-list will only impact traffic it
    > > receives from Vlan X to the vlan interface.  More importantly to your
    > > question, the only time a node on vlan X would send traffic to the
    > > vlan interface, is when it is sending traffic to its default gateway
    > > to be routed somewhere else.  Conversely, applying it 'out' on vlan X,
    > > will only impact traffic that the router is putting onto Vlan X from
    > > another network.  No access-list will impact traffic within a vlan
    > > since that will be handled by arps on the local machines/servers and
    > > switched...not routed.  Access-lists are strictly layer 3, unless you
    > > start looking at vacls and other layer 2 related options.

    >
    > Thank you for the clarification. I have applied L2 ACL (access-map) and
    > it seems to do the job.
    >
    > BTW. The "out" ACL applied on the gateway interface of VLAN X is a bit
    > misleading...
    >
    > Regards,
    > APrzestroga


    Yes, the terminology has always carried some confusion. The best way
    to think of it is as a router on a stick. Picture the router as having
    one interface to a switch where all the nodes on the VLAN are. If the
    router puts packets out onto the VLAN (i.e. destined to a server/node
    on that network from another network), then that matches 'out' access
    lists. If the router receives a packet in on that VLAN interface
    (i.e. destined to another network from one of the servers/nodes), then
    it matches 'in' access lists. Then just scale that up to many
    switched virtual interfaces (SVIs) or VLANs on a 6500 series router/
    MSFC... works the same way with just more interfaces... and some happen
    to be logical instead of physical.
    Trendkill, Jun 11, 2009
    #4
