Some questions about ACLs

MH311x
Level 1

Hi community,

I am facing some problems understanding some aspects of ACLs.

Question 1

Our infrastructure is routed via SVIs on a layer 3 switch. I have already configured an ACL to prevent users from using telnet & ssh.

Extended IP access list DENY_TELNET_SSH
10 deny tcp any any eq telnet (5 matches)
20 deny tcp any any eq 22 (81 matches)
30 permit ip any any (2158 matches)

==> This ACL is applied INBOUND to the user VLANs.

Okay ... so that's clear to me. The packets are coming INBOUND to the SVI and are dropped.

Now I wrote an ACL to permit the users from accessing the web interfaces in the server VLAN:

ip access-list extended DENY_WEB_SRV

permit tcp any gt 1023 host 10.192.162.123 eq 8080
permit tcp any gt 1023 host 10.192.162.123 eq 8081

deny tcp any any eq 80 log
deny tcp any any eq 443 log
deny tcp any any eq 2000 log
deny tcp any any eq 7261 log
deny tcp any any eq 7273 log
deny tcp any any eq 8050 log
deny tcp any any eq 8070 log
deny tcp any any eq 8080 log
deny tcp any any eq 8443 log
deny tcp any any eq 8787 log
deny tcp any any eq 8834 log
permit ip any any

... but this ACL only works the way it is supposed to when I configure it OUTBOUND on the server VLAN. But why? I don't get it ...

The traffic should be blocked when "entering the vlan", so why is it outbound and not inbound?

Question 2

When configuring an ACL ... do I have to allow the traffic bidirectionally? Because sometimes it seems to work, even without allowing the traffic bidirectionally. Example:

I want to write an ACL that permits a VLAN to communicate only with specific servers.

ip access-list extended TEST
remark ### 1 DHCP-Requests
permit udp any eq bootpc any eq bootps
remark ### 2 Communication to server.
permit ip 10.192.63.128 0.0.0.63 host 10.192.162.50
permit ip 10.192.63.128 0.0.0.63 host 10.192.56.50
permit ip 10.192.63.128 0.0.0.63 host 10.192.162.52
permit ip 10.192.63.128 0.0.0.63 host 10.192.162.53
remark ### Communication back  =====> Is this necessary? Or is there another way to permit the traffic bidirectional?
permit ip host 10.192.162.50 10.192.63.128 0.0.0.63
permit ip host 10.192.56.50 10.192.63.128 0.0.0.63
permit ip host 10.192.162.52 10.192.63.128 0.0.0.63
permit ip host 10.192.162.53 10.192.63.128 0.0.0.63

deny ip any any log

Thanks in advance!

Accepted Solution

The original post asks 2 questions.

Question 1 is about an ACL being applied inbound or outbound. A complete explanation of the aspects of this might get somewhat complex. But the simple explanation is that the ACL specifies certain source addresses and certain destination addresses. If the source addresses are local and the destination addresses are remote then the ACL needs to be applied inbound. And if the source addresses are remote and the destination addresses are local then the ACL needs to be applied outbound.

Question 2 is about whether an ACL needs to specifically permit bidirectional traffic. The answer to this is that in most circumstances an ACL is applied in one direction and it only needs to specify traffic in that direction. In this example it permits traffic from local hosts to remote servers and this ACL would be applied inbound. If there is no ACL applied outbound on this interface then the response traffic is permitted. If there is another ACL applied outbound on this interface then this is the ACL that must permit responses from the servers.

HTH

Rick


6 Replies

Rickey526
Level 1

Did you have a fix for this issue? I am facing the same issue but got no response from anyone and couldn't find any troubleshooting for this topic on Google.

@Rickey526

Which issue do you mean exactly?

The ACLs are working the way they should ... I am just having a hard time understanding the reason for placing the ACL outbound on the server VLAN.

Hi,

For your 1st issue, I will do some tests in a demo lab.

For your 2nd issue, you can use one of the methods below.

1. ACLs are stateless, so you need to configure bidirectional ACLs.

2. You can use the 'established' keyword for TCP traffic, which will allow return traffic that has the ACK or RST flag set.

3. You can use reflexive ACLs.

Rate this if it solved your concern.

Please rate this and mark as solution/answer if this resolved your issue.
Good luck
KB
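The two points that keep coming up in this thread (Question 1 in the original post, and KB's method 2 above) are easy to see with a small simulator. The following Python is an example added here; it is not code from the thread, from Cisco, or from any IOS feature, and it only models the first-match semantics of an extended ACL. It takes a shortened copy of the OP's DENY_WEB_SRV entries and the user subnet 10.192.63.128/26 from the TEST ACL; the server VLAN subnet 10.192.162.0/24, the host 10.192.63.130, the ephemeral ports and the TCP flags of the constructed packets are assumptions. The "direction on an SVI" rule it encodes is the one Joseph and Rick describe: inbound is traffic arriving from hosts in that VLAN, outbound is traffic the switch routes toward them.

```python
import ipaddress
from dataclasses import dataclass

# Port keywords that appear in the ACLs on this page (IOS knows many more).
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "bootpc": 68, "bootps": 67}


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"} or {"ACK"}


def _parse_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return lambda ip: True
    if t == "host":
        host = tokens.pop(0)
        return lambda ip: ip == host
    base = int(ipaddress.IPv4Address(t))
    # wildcard bits set to 1 are "don't care", so keep only the 0 bits for comparison
    care = ~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF
    return lambda ip: int(ipaddress.IPv4Address(ip)) & care == base & care


def _parse_port(tokens):
    """Consume an optional port operator (eq/gt/lt N); absent means any port."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op, n = tokens.pop(0), tokens.pop(0)
        n = PORT_NAMES.get(n) or int(n)
        return {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[op]
    return lambda p: True


def parse_ace(line):
    """Parse one entry in config form or 'show access-lists' form (sequence number allowed)."""
    tokens = line.split()
    if tokens[0].isdigit():
        tokens.pop(0)
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = _parse_addr(tokens), _parse_port(tokens)
    dst, dport = _parse_addr(tokens), _parse_port(tokens)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst,
                dport=dport, established="established" in tokens)


def parse_acl(text):
    lines = [l.strip() for l in text.strip().splitlines()]
    return [parse_ace(l) for l in lines if l and not l.startswith("remark")]


def evaluate(acl, pkt):
    """First matching entry wins; if nothing matches, the implicit deny applies."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not (ace["src"](pkt.src) and ace["dst"](pkt.dst)):
            continue
        if ace["proto"] in ("tcp", "udp") and not (ace["sport"](pkt.sport) and ace["dport"](pkt.dport)):
            continue
        if ace["established"] and not (pkt.flags & {"ACK", "RST"}):
            continue                # 'established' only matches segments with ACK or RST set
        return ace["action"]
    return "deny"


def svi_direction(pkt, vlan_subnet):
    """'in' = arriving at the SVI from hosts of that VLAN; 'out' = routed toward them."""
    net = ipaddress.ip_network(vlan_subnet)
    if ipaddress.ip_address(pkt.src) in net:
        return "in"
    if ipaddress.ip_address(pkt.dst) in net:
        return "out"
    return None


def apply_on_svi(acl, direction, vlan_subnet, pkt):
    """Verdict of an ACL bound in `direction` on the SVI of `vlan_subnet`,
    or 'not evaluated' when the packet crosses that SVI the other way."""
    if svi_direction(pkt, vlan_subnet) != direction:
        return "not evaluated"
    return evaluate(acl, pkt)


USER_VLAN = "10.192.63.128/26"      # from the TEST ACL's "10.192.63.128 0.0.0.63"
SERVER_VLAN = "10.192.162.0/24"     # assumed subnet for the 10.192.162.x servers

# Shortened copy of the OP's DENY_WEB_SRV entries.
DENY_WEB_SRV = """
permit tcp any gt 1023 host 10.192.162.123 eq 8080
deny tcp any any eq 80 log
deny tcp any any eq 8080 log
permit ip any any
"""
# KB's method 2: let only TCP return traffic through.
RETURN_ONLY = """
permit tcp any any established
deny ip any any log
"""


def demo():
    """Constructed packets: a user host opening port 80 and 8080 on the server, and a reply."""
    web, ret = parse_acl(DENY_WEB_SRV), parse_acl(RETURN_ONLY)
    request = Packet("tcp", "10.192.63.130", "10.192.162.123", 51000, 80, frozenset({"SYN"}))
    reply = Packet("tcp", "10.192.162.123", "10.192.63.130", 80, 51000, frozenset({"ACK"}))
    app = Packet("tcp", "10.192.63.130", "10.192.162.123", 51001, 8080, frozenset({"SYN"}))
    return {
        # Question 1: entering the server VLAN means leaving the server SVI
        "web_in_on_server_svi": apply_on_svi(web, "in", SERVER_VLAN, request),
        "web_out_on_server_svi": apply_on_svi(web, "out", SERVER_VLAN, request),
        "web_in_on_user_svi": apply_on_svi(web, "in", USER_VLAN, request),
        "reply_in_on_server_svi": apply_on_svi(web, "in", SERVER_VLAN, reply),
        "app_out_on_server_svi": apply_on_svi(web, "out", SERVER_VLAN, app),
        # Question 2: stateless matching, with and without the ACK/RST flags
        "reply_vs_established": evaluate(ret, reply),
        "request_vs_established": evaluate(ret, request),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26} {verdict}")
```

Running it shows why the OP's ACL only bites outbound on the server SVI: applied inbound there, the user's SYN to port 80 is never evaluated at all (it is leaving that SVI, not entering it), and the only packets that direction does see are the server's replies, whose destination port is the client's ephemeral port, so they fall through to `permit ip any any`. The same ACL applied inbound on the user VLAN SVI denies the request, which is Rick's "source local, apply inbound" rule. For Question 2, the `established` entry permits the ACK-bearing reply and denies the bare SYN, which is exactly the asymmetry KB's method 2 relies on, and also why it does nothing for UDP traffic such as the DHCP entry in the TEST ACL.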

Joseph W. Doherty
Hall of Fame

"The traffic should be blocked when "entering the vlan", so why is it outbound and not inbound?"

I haven't "studied" what you've done, in detail, but in general, entering, or ingress, with an SVI is from the VLAN devices/hosts side. Entering a VLAN from "outside" the VLAN is egress on the SVI. Possibly a simple way to think of this: consider a single host connected to a VLAN access port. SVI ingress is the same as ingress on that port and conversely SVI egress is the same as egress on that port.

"When configuring an ACL ... do I have to allow the traffic bidirectionally?"

Depends on your goals and the "nature" of the traffic. Realize many applications expect/require bidirectional communication. Block one direction and you effectively "break" those applications from communicating. Not all applications, though, require bidirectional communication. To deal with the latter, and to ensure nothing was "missed" with the former, often you block both directions.


I am glad that my explanation has been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick