Layer 3 Access Control lists.

This is another one of those posts that is mainly for me, but hopefully some of you might get some mileage out of it also.

When using L3 access lists on routers or L3 switches to manage traffic, this is the best way to look at things: view your physical interface or your VLAN interface as its own little firewall (inside/outside). Do not, however, confuse L3 access lists with stateful firewalls; they are not stateful! If you have both inbound and outbound ACLs defined, you will have to make changes to both sides to allow new traffic through! Back to the INSIDE/OUTSIDE idea though.

If I have VLAN 200 with a host range of 10.1.200.0 /24 and a gateway of 10.1.200.1

And I have a VLAN 10 with a host range of 10.1.10.0 /24 and a gateway of 10.1.10.1

And I would like to allow all hosts in VLAN 10 to talk to all hosts in VLAN 200 while denying all other traffic to VLAN 200, I would do the following:

access-list 100 permit IP 10.1.10.0 0.0.0.255 10.1.200.0 0.0.0.255

I would then apply this to the OUTSIDE (out) of VLAN 200 by doing the following:

(At the interface config prompt) ip access-group 100 out

If you were to look at this logically it would appear something like this;

10.1.200.0 /24 (INSIDE) VLAN200 (OUTSIDE) [ACL] All other networks including 10.1.10.0 /24

An interesting point to note is that when testing ACLs you should not use the gateway address of the VLAN that you are trying to protect if you have applied the ACL to that VLAN interface. If you do, it will appear that your ACL is not working because you will get responses from that address. However, once you pass the gateway and try to ping a host on the other side, you will see that your ACL is working properly.

Another point to make is that if you apply ACLs to the inside of a VLAN there is a good chance that you could disrupt Inter-VLAN communications. Here is an example of this idea if you wish to prevent VLAN 200 addresses from talking to the rest of the network.

access-list 101 deny ip 10.1.200.0 0.0.0.255 any

(VLAN 200 Interface) ip access-group 101 in

Visually this will look like

10.1.200.0 /24 [ACL] (INSIDE) VLAN 200 (OUTSIDE) All other networks

In this case logic states that 10.1.200.0 /24 hosts should be able to talk Inter-VLAN simply by ARP'ing across the switch. This, however, is not always the case, considering hosts on a VLAN may be physically on other hardware in your infrastructure. When this happens, traffic goes to its L3 gateway, at which point you have stated that no VLAN 200 host can talk to another host if it must pass through the VLAN 200 gateway.
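To check the reasoning above without a lab, here is a small model of how the VLAN 200 interface treats a packet when ACL 100 is applied out and ACL 101 is applied in. It is an added example, not part of the original post and not router code; the function names and the 10.1.50.5 test source are made up, and it assumes a single switch so that same-VLAN traffic never reaches the gateway.

```python
import ipaddress

GATEWAY = "10.1.200.1"
ANY = ("0.0.0.0", "255.255.255.255")
VLAN10 = ("10.1.10.0", "0.0.0.255")
VLAN200 = ("10.1.200.0", "0.0.0.255")

# The two ACLs from the post as (action, source, destination) entries.
ACL_100 = [("permit", VLAN10, VLAN200)]  # ip access-group 100 out
ACL_101 = [("deny", VLAN200, ANY)]       # ip access-group 101 in

def matches(addr, base, wildcard):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s, d in acl:
        if matches(src, *s) and matches(dst, *d):
            return action
    return "deny"

def vlan200_verdict(src, dst, out_acl=None, in_acl=None):
    """Verdict for one packet at the VLAN 200 interface (None = no ACL applied)."""
    src_in, dst_in = matches(src, *VLAN200), matches(dst, *VLAN200)
    if src_in and (dst == GATEWAY or not dst_in):
        # Arrives at the interface from a VLAN 200 host: inbound ACL is consulted.
        return evaluate(in_acl, src, dst) if in_acl is not None else "permit"
    if dst_in and not src_in and dst != GATEWAY:
        # Routed out toward a VLAN 200 host: outbound ACL is consulted.
        return evaluate(out_acl, src, dst) if out_acl is not None else "permit"
    # Addressed to the gateway from another network, or switched inside the VLAN:
    # the packet is never routed out through the interface, so no ACL is consulted.
    return "permit"

if __name__ == "__main__":
    tests = [("10.1.10.5", "10.1.200.20"),   # VLAN 10 host -> VLAN 200 host
             ("10.1.50.5", "10.1.200.20"),   # constructed other network -> host
             ("10.1.50.5", GATEWAY),         # same source -> gateway (misleading)
             ("10.1.200.20", "10.1.10.5")]   # reply from VLAN 200 back to VLAN 10
    for src, dst in tests:
        print(src, "->", dst, vlan200_verdict(src, dst, ACL_100, ACL_101))
```

The last test case is the stateless point: the request from VLAN 10 is permitted out by ACL 100, but the reply is dropped by ACL 101 on the way back in until that side is changed too.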

I hope this helps me next time I am under pressure or it’s 3am and we are just getting to the ACL builds. Hopefully it does the same for you.
