Switches, Hubs, and Modems
5406zl ACL seems backwards to me.... Can some explain it to me?

Glen Willms
Frequent Advisor


I want to use ACLs to control access to a management VLAN. The subnets that I want to give access to management VLAN are 10.1.25.0/24 and 10.2.25.0/24. I've created an access-list called SysMgmt and applied to the management VLAN (VLAN 1060). On VLAN 1060 I've applied the SysMGMT ACL to inbound traffic.

Here is my working example:

ip access-list extended "SysMgmt"
10 permit ip 0.0.0.0 255.255.255.255 10.1.25.0 0.0.0.255
20 permit ip 0.0.0.0 255.255.255.255 10.2.25.0 0.0.0.255
exit
vlan 1060
name "1060-NetMGMT"
ip helper-address 10.1.20.3
ip address 10.2.60.1 255.255.255.0
tagged A3-A6,Trk1
ip access-group "SysMgmt" in
exit

---

The ACL syntax above seems backwards to me. Isn't it:

10 permit ip

When I specify the ACL as:

10 permit ip 10.1.25.0 0.0.0.255 0.0.0.0 255.255.255.255
20 permit ip 10.2.25.0 0.0.0.255 0.0.0.0 255.255.255.255

...it doesn't work.

In my mind, any address in the 10.1.25.0/24 and 10.2.25.0/24 subnets would be the source address. To make the ACL work I have to make them the destination address.

I'm running K.13.03.

Hopefully this makes sense....

Thanks,

Glen.
2 REPLIES
Matt Hobbs
Honored Contributor

Re: 5406zl ACL seems backwards to me.... Can some explain it to me?

With this ACL:

10 permit ip 10.1.25.0 0.0.0.255 0.0.0.0 255.255.255.255
20 permit ip 10.2.25.0 0.0.0.255 0.0.0.0 255.255.255.255

What you actually need to do is apply it outbound on VLAN 1060.

OR

Apply it inbound on the source VLANs of 10.1.25.0/24 and 10.2.25.0/24.

Try to think of 'in' as coming in physically on that VLAN. 'out', on the other hand, is coming from a different VLAN on the switch. Once you have your head around that, everything will hopefully make sense.
Matt Hobbs
Honored Contributor

Re: 5406zl ACL seems backwards to me.... Can some explain it to me?

I should clarify that applying it inbound on those other VLANs would be pretty much useless given that the destination address is to any.
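As an added illustration (not code from the thread or from HP), the following Python model evaluates both ACL forms in the 'in' and 'out' directions Matt describes, using the thread's addresses plus a constructed unauthorised host 10.3.9.7. The direction model is a deliberate simplification: 'in' sees only packets sourced by hosts on the VLAN, 'out' sees only packets routed onto it.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # "any" written in wildcard form
MGMT_VLAN = "10.2.60.0/24"             # VLAN 1060 from the thread

# Glen's working ACL: the permitted subnets appear as the *destination*.
DST_ACL = [(*ANY, "10.1.25.0", "0.0.0.255"), (*ANY, "10.2.25.0", "0.0.0.255")]
# The form Glen expected to work: the permitted subnets as the *source*.
SRC_ACL = [("10.1.25.0", "0.0.0.255", *ANY), ("10.2.25.0", "0.0.0.255", *ANY)]

def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def acl_permits(acl, src, dst):
    """Walk the permit entries in order; anything unmatched hits the implicit deny."""
    return any(wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)
               for sb, sw, db, dw in acl)

def vlan_filter(acl, direction, src, dst, vlan_net=MGMT_VLAN):
    """Return 'permit', 'deny', or 'not filtered' for one packet.

    Simplified VLAN ACL model (assumption): 'in' sees only packets whose source
    is a host on that VLAN; 'out' sees only packets routed onto that VLAN from
    elsewhere. A packet the ACL never sees is forwarded unfiltered.
    """
    net = ipaddress.IPv4Network(vlan_net)
    sees = {"in": ipaddress.IPv4Address(src) in net,
            "out": ipaddress.IPv4Address(dst) in net}[direction]
    if not sees:
        return "not filtered"
    return "permit" if acl_permits(acl, src, dst) else "deny"

if __name__ == "__main__":
    req, rep = ("10.1.25.50", "10.2.60.10"), ("10.2.60.10", "10.1.25.50")
    # Glen's config: only the *reply* is inspected on VLAN 1060, and it is permitted.
    print("DST_ACL in :", vlan_filter(DST_ACL, "in", *req), vlan_filter(DST_ACL, "in", *rep))
    # Source-based form inbound: the reply is denied, which is why "it doesn't work".
    print("SRC_ACL in :", vlan_filter(SRC_ACL, "in", *rep))
    # Matt's fix: source-based form outbound filters the request itself, so an
    # unauthorised host (constructed 10.3.9.7) is stopped before reaching VLAN 1060.
    print("SRC_ACL out:", vlan_filter(SRC_ACL, "out", *req),
          vlan_filter(SRC_ACL, "out", "10.3.9.7", "10.2.60.10"))
    # Matt's second point: inbound on the 10.1.25.0/24 VLAN with destination "any"
    # permits everything that VLAN sends, so it restricts nothing.
    print("SRC_ACL in on 10.1.25.0/24:",
          vlan_filter(SRC_ACL, "in", "10.1.25.50", "10.3.9.7", "10.1.25.0/24"))
```

Note the practical difference between the two working placements: with Glen's inbound ACL the request from any source still reaches the management VLAN and only the reply is dropped, whereas Matt's outbound placement drops the unwanted request before it is delivered.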