ACL AND PORT SECURITY

Ni0n
Level 1

2 questions that I couldn't figure out.

 

1 - While configuring an ACL in my network, I could deny host A from communicating with host B (then I see destination host unreachable).

The problem is that when I try to ping from host B to host A, I get a session timed out. How do I fix it?

 

2 - Port security in a network with VLANs and router on a stick: when I configure port security, I can only ping within the same VLAN, but not to other VLANs.

 

interface X
 switchport mode access
 switchport port-security
 ! sticky learning is enabled with the "mac-address sticky" keyword
 switchport port-security mac-address sticky

do w

 


luis_cordova
VIP Alumni

Hi @Ni0n 


If your ACL is like this:

deny A  B

 

Applied to the interface connected to A with direction "IN"

So:

Ping A to B -> denied on interface when entering - unreachable destination

Ping B to A -> allowed until destination - reply denied when returning on the interface where A is connected - session timed out

 

 

Hi @luis_cordova!!

Thank you for the reply!!

I didn't really understand that, since when I deny host A to host B, it works; however, host B can't ping host A back, and I haven't figured it out yet. So please explain again.

 

About port security: ping fails between VLANs when I turn port security on, for some reason.

Hi @Ni0n 

 

Assuming that the ACL is applied on the router interface that connects A with direction "IN"

Ping A to B

 

The ping that leaves A reaches the router interface.
The router compares the incoming packet with the ACL and denies the ping.
Then, the router sends an ICMP packet to A, indicating that it cannot route the ping.
Therefore, the message shown in A is "destination unreachable".

Ping B to A


The ping that leaves B arrives at the router interface.
The router passes the ping from the incoming interface to the outgoing interface.
The router does not compare the packet with the ACL, as the packet is leaving the router to A and the ACL is configured to be applied to incoming packets (IN).
Then the ping leaves the router and reaches A.
Device A responds to the ping, but when the reply reaches the router, the router compares the incoming reply with the ACL and the reply is denied.

Device B shows the "request timed out" message, as it receives no reply within the default time (1 second).

 

Regards

luis_cordova
VIP Alumni

Hi @Ni0n 

 

About port security, I suggest you attach the settings of all the ports of your switch.

 

Regards

Edwin Portillo
Spotlight

Hello Friend,


Typically the ICMP protocol has some packet types:
- ICMP Echo (ping)
- ICMP Echo Reply (Ping Reply)

 

What is common when we are configuring an ACL is that we deny a host or an entire network from testing connectivity to other devices, which leads us to configure something like this:
access-list 100 deny icmp 172.16.2.0 0.0.0.255 host 168.243.3.14

 

What happens is that both the echo and the echo reply are implicitly denied, that is, we can neither ping from nor ping to that network. So you can take into account that if you only want to deny that the network can ping other devices, you can deny only echo and allow echo reply, so that we can still test connectivity to those devices.

 

! incoming
access-list 100 permit icmp 172.18.0.0 0.0.255.255 host 168.243.3.14 echo-reply

! outgoing
access-list 101 permit icmp 172.18.0.0 0.0.255.255 host 168.243.3.14 echo

or

! single ACL: allow the replies, block the requests
access-list 100 permit icmp 172.18.0.0 0.0.255.255 host 168.243.3.14 echo-reply
access-list 100 deny icmp 172.18.0.0 0.0.255.255 host 168.243.3.14 echo

 

Regards.
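The two explanations above (luis_cordova's step-by-step walk of an inbound ACL on A's router interface, and Edwin Portillo's point that a bare "deny icmp" ACE catches echo-replies as well as echo requests) can be checked with a small stateless ACL model. This is an added illustration, not code from the thread or from Cisco; the classes Packet and ACE, the functions evaluate and ping, the host address 172.16.2.10 and the ACL lists are all constructed here. The 172.16.2.0/24 network and host 168.243.3.14 are taken from Edwin's example ACE. The model only handles ICMP, only checks packets entering the router on A's interface (direction "IN"), and uses first-match-wins with an implicit deny at the end, which is how IOS evaluates an access list.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: str  # "echo" (request) or "echo-reply"


@dataclass(frozen=True)
class ACE:
    """One access-control entry, like 'permit icmp <src> <dst> [echo|echo-reply]'."""
    action: str                      # "permit" or "deny"
    src: str                         # CIDR, e.g. "172.16.2.0/24" (IOS: 172.16.2.0 0.0.0.255)
    dst: str                         # CIDR, e.g. "168.243.3.14/32" (IOS: host 168.243.3.14)
    icmp_type: Optional[str] = None  # None matches any ICMP type, like a bare 'icmp' ACE

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.icmp_type is None or self.icmp_type == pkt.icmp_type))


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """Top-down, first match wins; implicit deny if nothing matches (IOS semantics)."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def ping(acl: List[ACE], src: str, dst: str, a_net: str) -> str:
    """
    Simulate one ping while `acl` is applied INBOUND on the router interface
    facing network `a_net` (host A's side). Only packets entering the router
    on that interface are checked; packets leaving the router toward A are not.
    Returns the message the pinging host would print.
    """
    request = Packet(src, dst, "echo")
    if ip_address(src) in ip_network(a_net):
        # Request enters the router on A's interface, so it is checked.
        if evaluate(acl, request) == "deny":
            return "Destination host unreachable"  # router answers with ICMP unreachable
    reply = Packet(dst, src, "echo-reply")
    if ip_address(dst) in ip_network(a_net):
        # Reply enters the router on A's interface on its way back, so it is checked too.
        if evaluate(acl, reply) == "deny":
            return "Request timed out"  # reply is dropped, the pinging host waits in vain
    return "Reply"


# Constructed sample topology: A lives in 172.16.2.0/24, B is the host 168.243.3.14.
A_NET = "172.16.2.0/24"
HOST_A = "172.16.2.10"
HOST_B = "168.243.3.14"
ANY = "0.0.0.0/0"

# "deny icmp 172.16.2.0 0.0.0.255 host 168.243.3.14" followed by "permit ip any any".
ACL_DENY_ALL_ICMP = [ACE("deny", A_NET, HOST_B + "/32"), ACE("permit", ANY, ANY)]

# Edwin's variant: permit echo-reply, deny echo, then permit the rest.
ACL_DENY_ECHO_ONLY = [
    ACE("permit", A_NET, HOST_B + "/32", "echo-reply"),
    ACE("deny", A_NET, HOST_B + "/32", "echo"),
    ACE("permit", ANY, ANY),
]

if __name__ == "__main__":
    for name, acl in (("deny all icmp", ACL_DENY_ALL_ICMP), ("deny echo only", ACL_DENY_ECHO_ONLY)):
        print(f"[{name}] A -> B: {ping(acl, HOST_A, HOST_B, A_NET)}")
        print(f"[{name}] B -> A: {ping(acl, HOST_B, HOST_A, A_NET)}")
```

With the plain "deny icmp" ACE, A to B fails with the unreachable message and B to A times out, exactly the asymmetry the original question describes; with the echo-only deny, B can again ping A because A's echo-reply is now permitted on the way back in, while A still cannot ping B.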