08-08-2020 11:33 PM
I have the attached network scenario.
In the scenario, I have 2 networks, 10.100.0.0/16 & 10.200.0.0/16, which have access to the Internet.
OSPF is used between L3#3 & R1, and L3#4 & R2.
R1 & R2 are configured for source NAT to communicate with the Internet.
I want to configure an ACL to have the following restrictions on R1 & R2:
Source: 10.100.0.0/16 -> Destination: 8.0.0.0/8, 4.0.0.0/8 (Allow)
Source: 10.100.0.0/16 -> Destination: ANY (Block)
Source:10.200.0.0/16 -> Destination: ANY (Allow)
Let me know how to configure it on R1 and R2 gi0/1. The ACL should not affect the OSPF neighbors; also let me know in which direction the ACL needs to be applied.
08-09-2020 07:38 AM
Hi!
There is no attachment added to this post (at least I cannot see one).
Mostly the best option is to configure ACLs closest to the source; in most cases that would be inbound on the LAN interface.
In that case then:
ip access-list extended <ACL Name>
permit ip 10.100.0.0 0.0.255.255 8.0.0.0 0.255.255.255
permit ip 10.100.0.0 0.0.255.255 4.0.0.0 0.255.255.255
permit ip 10.200.0.0 0.0.255.255 any
deny ip any any
exit
interface <LAN Interface>
ip access-group <ACL Name> in
end
The "deny ip any any" is actually not needed because it is by default at the end of any ACL.
Hope that helps, let me know what you think.
Best regards
Juls
08-09-2020 09:29 AM
08-09-2020 09:31 AM
I have attached the diagram, please check and let me know the right ACL which needs to be configured.
08-09-2020 09:44 AM
I am thinking to use as below.
ip access-list extended <ACL Name>
permit ip 10.100.0.0 0.0.255.255 8.0.0.0 0.255.255.255
permit ip 10.100.0.0 0.0.255.255 4.0.0.0 0.255.255.255
permit ip 10.200.0.0 0.0.255.255 any
exit
interface <LAN Interface>
ip access-group <ACL Name> in
end
I am not specifying any deny statement. Will there be any implicit deny in the end, if it is not specifically mentioned ?
08-09-2020 10:16 AM
Hey @RS19
You can apply your ACL on Interface Gi 0/1 in inbound direction.
Yes there will be an implicit deny at the end of your ACL :)
Let me know if that helps.
BR
Juls
08-10-2020 05:09 PM
ip access-list extended <ACL Name>
permit ip 10.100.0.0 0.0.255.255 8.0.0.0 0.255.255.255
permit ip 10.100.0.0 0.0.255.255 4.0.0.0 0.255.255.255
permit ip 10.200.0.0 0.0.255.255 any
exit
If I apply the above commands, since there is an implicit deny, will it affect the OSPF neighborship between the devices, since OSPF is running between the router and the L3 switch?
08-20-2020 06:19 PM
Any inputs or help
08-20-2020 06:25 PM
L3#3/L3#4 & R1/R2 are running OSPF, and they are part of the same network, 10.100.0.0/16.
So if I use the below ACL on R1 & R2, I feel the OSPF neighborship between the L3 switch & the router will fail.
I would like to know how to avoid this.
ip access-list extended <ACL Name>
permit ip 10.100.0.0 0.0.255.255 8.0.0.0 0.255.255.255
permit ip 10.100.0.0 0.0.255.255 4.0.0.0 0.255.255.255
deny ip 10.100.0.0 0.0.255.255 any
permit ip 10.200.0.0 0.0.255.255 any
exit
interface <LAN Interface>
ip access-group <ACL Name> in
end
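Added example (not part of the thread, and not Cisco's code): a small first-match evaluator for the subset of IOS extended-ACL syntax used above, with the poster's ACL and a variant that adds a "permit ospf any any" entry ahead of the deny. The source/destination addresses of the sample packets are constructed for the demonstration and are assumptions, not addresses from the diagram. Running it shows what the thread's last question is about: an ACL applied inbound on gi0/1 filters the switch's OSPF hellos (protocol 89, destined to 224.0.0.5/224.0.0.6) arriving on that interface, and with the ACL as posted those hellos hit the deny entry, so the adjacency fails. With the OSPF permit placed before the deny, the hellos pass and the rest of the policy is unchanged.

```python
"""First-match evaluator for a subset of Cisco IOS extended ACL syntax.

Supported entry form (the subset used in the thread):
    {permit|deny} {ip|ospf|tcp|udp|icmp|<protocol-number>} <src> <dst>
where <src>/<dst> is "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (address + wildcard mask).
Evaluation stops at the first matching entry; no match falls through to the implicit deny,
exactly as IOS does.
"""
import ipaddress

OSPF_PROTO = 89  # IANA protocol number carried by OSPF hellos and LSAs
PROTO_NAMES = {"ip": None, "ospf": 89, "tcp": 6, "udp": 17, "icmp": 1}  # None = match any protocol


def _parse_addr(tokens, i):
    """Parse one address spec starting at tokens[i]; return ((network, wildcard), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    network = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (network, wildcard), i + 2


def parse_ace(line):
    """Parse one access-control entry into a dict."""
    tokens = line.split()
    action, proto_tok = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported action in entry: {line!r}")
    proto = PROTO_NAMES[proto_tok] if proto_tok in PROTO_NAMES else int(proto_tok)
    src, i = _parse_addr(tokens, 2)
    dst, _ = _parse_addr(tokens, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "text": line}


def _matches(spec, addr):
    """Wildcard-mask match: a 1 bit in the mask means 'don't care', a 0 bit must agree."""
    network, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (network & care)


def evaluate(acl_lines, src, dst, proto):
    """Return (action, matched_entry_text) for a packet; unmatched packets hit the implicit deny."""
    for ace in (parse_ace(line) for line in acl_lines if line.strip()):
        if ace["proto"] is not None and ace["proto"] != proto:
            continue
        if _matches(ace["src"], src) and _matches(ace["dst"], dst):
            return ace["action"], ace["text"]
    return "deny", "implicit deny ip any any"


# The ACL exactly as posted in the thread (without the ip access-list / interface wrapper lines).
ACL_FROM_THREAD = [
    "permit ip 10.100.0.0 0.0.255.255 8.0.0.0 0.255.255.255",
    "permit ip 10.100.0.0 0.0.255.255 4.0.0.0 0.255.255.255",
    "deny ip 10.100.0.0 0.0.255.255 any",
    "permit ip 10.200.0.0 0.0.255.255 any",
]

# Same policy with OSPF permitted first. Order matters: placed after the deny it would never be reached.
ACL_WITH_OSPF = ["permit ospf any any"] + ACL_FROM_THREAD

# Constructed sample packets (addresses are assumptions for the demo, not taken from the diagram):
# (source, destination, IP protocol number)
SAMPLE_PACKETS = {
    "lan100_to_8_8_8_8": ("10.100.1.10", "8.8.8.8", 6),
    "lan100_to_1_1_1_1": ("10.100.1.10", "1.1.1.1", 6),
    "lan200_to_1_1_1_1": ("10.200.5.5", "1.1.1.1", 17),
    "ospf_hello_from_switch": ("10.100.0.2", "224.0.0.5", OSPF_PROTO),
}


def run(acl_lines):
    """Evaluate every sample packet against an ACL; returns {packet_name: action}."""
    return {name: evaluate(acl_lines, *pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("ACL as posted", ACL_FROM_THREAD), ("ACL with OSPF permit", ACL_WITH_OSPF)):
        print(label)
        for name, pkt in SAMPLE_PACKETS.items():
            action, entry = evaluate(acl, *pkt)
            print(f"  {name:24s} {action:6s} <- {entry}")
```

On the router itself the equivalent change is to add "permit ospf any any" (or "permit 89 any any") above the "deny ip 10.100.0.0 0.0.255.255 any" line; an entry only for the neighbor's address ("permit ospf host <switch-ip> any") is a tighter option if the neighbor IP is fixed. Hellos the router sends out of gi0/1 are not subject to an inbound ACL, so only the inbound direction needs the permit.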