Extended ACL Block Traffic to One Server

NerfHerder
Level 1

Hi All,

 

I'm trying to create an extended ACL with the following criteria (see attached image):

1.  Allow traffic to 10.10.2.9 on port 1570

2.  Block all other ports to 10.10.2.9

3.  Allow all other traffic, from all VLANs, to server VLAN

 

I have a working ACL, but it seems very inefficient.  I'm hoping someone can help me write a better ACL that doesn't waste cycles.  Here's what I have so far:

 

ip access-list extended secure_server
  permit tcp any host 10.10.2.9 eq 1570
  deny ip any host 10.10.2.9
  permit ip any any

 

interface GigabitEthernet0/0.2

  ip access-group secure_server out

Thanks.

 


Accepted Solution

It was said more in jest than anything.

I would expect that line to have the most matches, and it is the only way to allow all other traffic, as any ACL has an implicit deny all at the end, so you have to have that line.

As for it not being best practice, you will see a lot of ACLs like this simply because of the logic, i.e. deny certain things and then allow everything else.

There really isn't anything better, and honestly three lines in an ACL is not going to add any noticeable overhead to your device.

Jon

10 Replies

deny ip any host 10.10.2.9 <- you want to deny other ports? Which port, TCP or UDP? If TCP or UDP, please include it in your deny statement and check it again.

Hello,

 

ip access-list extended secure_server
permit tcp any host 10.10.2.9 eq 1570
deny ip any host 10.10.2.9
permit ip any any

 

To be honest, I don't see how you can shorten this access list. Looks like you are using the minimum number of lines required.

Jon Marshall
Hall of Fame

 

I have no idea why you think it is inefficient or wasting cycles.

 

Your ACL is fine and is as succinct as it needs to be.

 

Jon

NerfHerder
Level 1

Thanks for the replies and no, I'm not a troll.

 

As you can see below, it's been less than 24 hours, and line 30 is getting the most matches. I know that using a "permit ip any any" statement is not considered best practice, and thought there might be a better way. PACL or MACL on the switch? A not-equal statement?

 

Thanks again.

 

10 permit tcp any host 10.10.2.9 eq 1570 (1638 matches)
20 deny ip any host 10.10.2.9 (17 matches)
30 permit ip any any (14863789 matches)

You didn't answer: block the port, or block IP packets toward the server?

I only want to allow TCP port 1570 to server 10.10.2.9 and block everything else. The server is an old server that has many security flaws and is not under my administrative control. All other servers on 10.10.2.0/24 are administered by me and patched (I hope).

Your config is right, and you cannot configure something else like a PACL, because a PACL applies only to traffic coming from the server/client connected to the port; it does not filter traffic going out from the port to the server/client.
The only solution is a router ACL, which is what you configured on the sub-interface.
If you want to enhance the router ACL, your config is fine and needs no change.
As for the high hit count on permit any any, I know it consumes router resources, but without it the traffic to the other servers will be dropped, since they are in the same subnet.
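As an added illustration of the two points made in this thread (Jon's note that every ACL ends in an implicit deny, and MHM's note that traffic to the other servers in 10.10.2.0/24 is dropped if "permit ip any any" is removed), here is a small first-match evaluator for the OP's three lines. It is example code written for this page, not Cisco IOS behaviour copied from any product; it only models the "any" and "host" address forms and the destination "eq" port that the thread uses, and the packets it evaluates are constructed.

```python
import ipaddress

# Constructed for this thread: the OP's three lines in order. IOS evaluates an ACL
# top-down, first match wins, and an implicit "deny ip any any" ends every ACL.
SECURE_SERVER_ACL = """\
permit tcp any host 10.10.2.9 eq 1570
deny ip any host 10.10.2.9
permit ip any any
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def _addr(tokens):
    """Consume one address spec; only 'any' and 'host A', the forms the thread uses."""
    if tokens[0] == "any":
        return tokens[1:], ANY
    assert tokens[0] == "host", "wildcard masks are not modelled here"
    return tokens[2:], ipaddress.ip_network(tokens[1] + "/32")

def parse_acl(text):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' lines; only a destination 'eq' is modelled."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[0], t[1]
        t, src = _addr(t[2:])
        t, dst = _addr(t)
        dport = int(t[1]) if t[:1] == ["eq"] else None
        rules.append({"action": action, "proto": proto, "src": src, "dst": dst,
                      "dport": dport, "hits": 0})
    # The implicit deny Jon mentions: it never appears in 'show access-lists'.
    rules.append({"action": "deny", "proto": "ip", "src": ANY, "dst": ANY,
                  "dport": None, "hits": 0})
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Return the action of the first matching line and bump that line's hit counter."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["proto"] in ("ip", proto) and s in r["src"] and d in r["dst"]
                and r["dport"] in (None, dport)):
            r["hits"] += 1
            return r["action"]

if __name__ == "__main__":
    acl = parse_acl(SECURE_SERVER_ACL)
    print(evaluate(acl, "tcp", "10.10.1.5", "10.10.2.9", 1570))   # permit: line 10
    print(evaluate(acl, "udp", "10.10.1.5", "10.10.2.9", 1570))   # deny: line 20 covers UDP too
    print(evaluate(acl, "tcp", "10.10.1.5", "10.10.2.20", 445))   # permit: line 30
    trimmed = parse_acl("\n".join(SECURE_SERVER_ACL.splitlines()[:2]))  # no permit ip any any
    print(evaluate(trimmed, "tcp", "10.10.1.5", "10.10.2.20", 445))  # deny: implicit deny
```

The last entry of the parsed list is the implicit deny, so its hit counter shows how much traffic would be silently dropped by a "trimmed" ACL.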

Thanks MHM.

 


Thanks Jon.
