topic Re: Access-List help required in Network Security

Access-List help required

jsnow0445 — Thu, 25 Feb 2021 02:06:35 GMT

Hi I need some help in creating that ACL on Cisco multilayer switch.

1) I want to allow all traffic between these subnets

10.75.0.0/22 ------ 10.0.0.0/8

2)) I want to allow only http traffic and block the remaining traffic between the following subnets .

10.157.0.0 /15 --- 10.0.0.0/8
10.165.0.0 /16 ---- 10.0.0.0/8

3) I want to block all traffic between these subnets

10.157.0.0/15 ---- 10.185.0.0/16

Please find my below mentioned config . My question is
do i need to mention "permit ip any any" at the end of that access-list ?

Ip access-list extended test1

permit ip 10.75.0.0 0.0.3.255 10.0.0.0 0.255.255.255
permit ip 10.0.0.0 0.255.255.255 10.75.0.0 0.0.3.255

permit tcp 10.157.0.0 0.1.255.255 10.0.0.0 0.255.255.255 eq 80
permit tcp 10.0.0.0 0.255.255.255 10.157.0.0 0.1.255.255 eq 80
permit tcp 10.165.0.0 0.0.255.255 10.0.0.0 0.255.255.255 eq 80
permit tcp 10.0.0.0 0.255.255.255 10.165.0.0 0.0.255.255 eq 80

deny ip 10.157.0.0 0.1.255.255 10.0.0.0 0.255.255.255
deny ip 10.0.0.0 0.255.255.255 10.157.0.0 0.1.255.255
deny ip 10.165.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 10.0.0.0 0.255.255.255 10.165.0.0 0.0.255.255

deny ip 10.157.0.0 0.1.255.255 10.185.0.0 0.15.255.255
deny ip 10.185.0.0 0.15.255.255 10.157.0.0 0.1.255.255

permit ip any any

---

interface vlan 2
ip access-group test1 in

-------

Re: Access-List help required

Francesco Molino — Thu, 25 Feb 2021 04:20:08 GMT

Can you give more details on how your architecture is? What are your actual SVIs? Where you want to apply these ACLs?

The config you shared has bi-directional ACE in each ACL and then you’re applying it SVI vlan 2. What is this SVI?

Also for the ACL to allow http traffic, is the subnet 10.157 or 10.165 the one having http servers or are these vlans the source of traffic and 10.0.0.0/8 the destination?

Re: Access-List help required

jsnow0445 — Thu, 25 Feb 2021 14:41:24 GMT

Thanks for the reply . Actually The communication between these subnets is happened only in this SVI ( interface vlan 2) so thats why i want to apply ACL on this interface.

10.75.0.0/22 (source )------ 10.0.0.0/8 (destination)

2)) I want to allow only http traffic and block the remaining traffic between the following subnets .

10.157.0.0 /15 (source ) --- 10.0.0.0/8 (destination)
10.165.0.0 /16 ( source) ---- 10.0.0.0/8 (destination)

3) I want to block all traffic between these subnets

10.157.0.0/15 (source)---- 10.185.0.0/16 (destination)

Last time when I applied this ACL it did not work (i did not add "permit ip any any " at the end of it during that time ) so thats why i was wandering if i need to add "permit ip any any " at the end in my ACL to make it work this time ?

Thanks

Re: Access-List help required

Jon Marshall — Thu, 25 Feb 2021 21:36:15 GMT

As mentioned if the acl is applied inbound you don't need lines for both directions.

What is the IP address assigned to vlan 2 ?

Is there any other traffic other than what you have mentioned that you want to allow because if there is then yes you would need the "permit ip any any" at the end.

Jon

Re: Access-List help required

jsnow0445 — Fri, 26 Feb 2021 17:32:56 GMT

sorry it needs to be in both directions. It is working now with permit ip any any . Thanks everyone for looking into this .