Participant

Very Basic Access list direction to apply?

I have some vlans as such:

guest vlan = 172.17.1.0/24 router int g0/0.172  ip addr 172.17.1.1
corp vlan = 10.1.0.0/24 router int g0/0.10 ip addr 10.1.0.1

 

I've added an access-list to the guest sub interface IN as such:

deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 172.17.0.0 0.0.255.255 172.16.0.0 0.15.255.255
deny ip 172.17.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip any any

 

It seems to work. From the guest vlan, I can't reach any private subnet. I can't even ping the sub interface. Great!

I can get to the internet.

I have 3 basic questions:

1. Are access-lists only concerned with the final destination and not what is in between? I.e. I can't ping the router (172.17.1.1) from 172.17.1.0/24, but I can still reach the internet. So in the above access list, traffic going to 8.8.8.8 will fall into the permit rule (regardless of the fact that traffic from that subnet 172.17.1.0/24 must travel through 172.17.1.1 to get to 8.8.8.8).

2. Why does this work when I apply the direction IN? Is it because I'm effectively saying, for example, "deny traffic coming from client 172.17.1.10 coming INTO the sub interface and GOING to xxx.xxx.xxx.xxx"?

So in the above example:

client 172.17.1.10 going to 172.17.1.1 = deny
client 172.17.1.10 going to 8.8.8.8 = permit (and it doesn't matter what IP it travels through on the way?)

3. When would you apply in the OUT direction?

 


VIP Collaborator

Re: Very Basic Access list direction to apply?

1- Access lists, in this case extended access-lists, are concerned with the source and destination IPs in the packet header. So a packet going to 8.8.8.8 is permitted, and no, the gateway IP of the interface does not come into play.

 

2- Consider a sub interface, or even a logical L3 VLAN interface, as an Ethernet port. So packets originating from that segment will have that IP as source, and the destination will be whatever you are trying to get to, in this case 8.8.8.8. The same logic applies from my response to question 1: the ACLs apply to the source and destination addresses in the packet's IP header.

 

3- You could apply it in the out direction and just reverse the source and destinations in the ACL. That's just a judgement call. But if you think about it, with just the inbound ACL applied you are denying the specific traffic in one direction. That won't stop it in the other. So technically, packets from the corp VLAN can reach the guest VLAN. The inbound ACL will prevent any response, but if you want no communication in either direction, you would want to apply an outbound ACL.

 

Hope this helps

Beginner

Re: Very Basic Access list direction to apply?

Great answer by chrihussey. Just to add:

 

2: The in/out thing applies to the direction of traffic as seen by the switch/router interface. It has no relevance to the perceived direction in terms of your network as a whole.

 

3: You might (for example) use an ACL outbound on an Internet-facing link to prevent any traffic sourced from an RFC1918 address. This is more efficient than putting it on numerous internal interfaces.

 

Hope this helps

 

Dave

Participant

Re: Very Basic Access list direction to apply?

Just another point of clarification then. I was under the impression that only one ACL could be applied to an interface.

Is that correct? Or can you apply ACL A in and ACL B out to the same interface at the same time?

VIP Collaborator

Re: Very Basic Access list direction to apply?

In and out ACLs can be applied to an interface. The only exception being a layer 2 switch port on most access switches. In that case only inbound can be applied.

Regards

Participant

Re: Very Basic Access list direction to apply?

Thanks Chris,

last question (I promise)

So in the above example, if I wanted to stop the CORP from talking to the GUEST completely, would I apply:

1. An appropriate IN & OUT on each interface or is that overkill?

2. An IN & OUT on one interface?

3. Or just an IN or OUT on each interface?

VIP Collaborator (Accepted Solution)

Re: Very Basic Access list direction to apply?

In your case it is two interfaces, so locking down one with an in and out ACL should be sufficient. However, there is nothing wrong with applying the same to both interfaces either. It stops the traffic from either source and I wouldn't consider it overkill.

As far as #3 is concerned, applying just in or out to an interface is probably not recommended as it allows the unwanted traffic in one direction which you wouldn't want.
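The points made across this thread (chrihussey's answers 1-3, Dave's RFC1918 egress filter, and the accepted reply about putting an in and an out ACL on one interface) can be checked with a small model of how an extended ACL is evaluated. The following Python is an added illustration, not code from this thread or from Cisco: it implements wildcard-mask matching and first-match-wins evaluation with the implicit deny, then applies the thread's guest ACL on g0/0.172 in, a source/destination-swapped copy on g0/0.172 out, and an RFC1918 filter on an assumed uplink g0/1 out. The host addresses 10.1.0.5 and 203.0.113.7 (the post-NAT source) are constructed; 172.17.1.10 and the sub-interface names come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "any" or "<network> <wildcard>"
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def parse_acl(text: str) -> list:
    """Parse lines of the form 'permit|deny ip SRC DST', SRC/DST being 'any' or 'net wildcard'."""
    aces = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line}")
        fields = []
        while rest:
            if rest[0] == "any":
                fields.append("any")
                rest = rest[1:]
            else:
                fields.append(f"{rest[0]} {rest[1]}")
                rest = rest[2:]
        src, dst = fields
        aces.append(Ace(action, src, dst))
    return aces


def evaluate(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


class Router:
    """Toy forwarding path: ingress interface's 'in' ACL, then egress interface's 'out' ACL.
    Only the packet's own source/destination are tested; the gateway address is never consulted."""

    def __init__(self) -> None:
        self.groups = {}  # (interface, direction) -> acl, like 'ip access-group ... in|out'

    def access_group(self, interface: str, direction: str, acl: list) -> None:
        self.groups[(interface, direction)] = acl

    def forward(self, src: str, dst: str, ingress: str, egress: Optional[str],
                nat_src: Optional[str] = None) -> str:
        # egress=None models a packet addressed to the router itself (e.g. a ping to the sub-interface);
        # nat_src models inside-to-outside NAT, which on IOS happens before the outbound ACL is applied.
        acl_in = self.groups.get((ingress, "in"))
        if acl_in is not None and evaluate(acl_in, src, dst) == "deny":
            return f"deny ({ingress} in)"
        acl_out = self.groups.get((egress, "out"))
        if acl_out is not None and evaluate(acl_out, nat_src or src, dst) == "deny":
            return f"deny ({egress} out)"
        return "permit"


GUEST_IN = parse_acl("""
deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 172.17.0.0 0.0.255.255 172.16.0.0 0.15.255.255
deny ip 172.17.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip any any
""")

# Same policy with source and destination swapped, for the 'out' direction on the guest sub-interface.
GUEST_OUT = parse_acl("""
deny ip 10.0.0.0 0.255.255.255 172.17.0.0 0.0.255.255
deny ip 172.16.0.0 0.15.255.255 172.17.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 172.17.0.0 0.0.255.255
permit ip any any
""")

# Egress filter for the Internet-facing link: drop anything still carrying an RFC1918 source.
INTERNET_OUT = parse_acl("""
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
""")

GUEST, CORP, WAN = "g0/0.172", "g0/0.10", "g0/1"  # g0/1 is an assumed Internet uplink


def scenario(guest_out_applied: bool) -> dict:
    """Run the thread's test cases with the guest 'in' ACL, optionally plus the guest 'out' ACL."""
    r = Router()
    r.access_group(GUEST, "in", GUEST_IN)
    if guest_out_applied:
        r.access_group(GUEST, "out", GUEST_OUT)
    r.access_group(WAN, "out", INTERNET_OUT)
    return {
        "guest->gateway": r.forward("172.17.1.10", "172.17.1.1", GUEST, None),
        "guest->corp": r.forward("172.17.1.10", "10.1.0.5", GUEST, CORP),
        "guest->internet": r.forward("172.17.1.10", "8.8.8.8", GUEST, WAN, nat_src="203.0.113.7"),
        "corp->guest": r.forward("10.1.0.5", "172.17.1.10", CORP, GUEST),
        "private-src->internet": r.forward("10.1.0.5", "8.8.8.8", CORP, WAN),  # leaked, un-NATed source
    }


if __name__ == "__main__":
    for label, result in scenario(guest_out_applied=True).items():
        print(f"{label:24} {result}")
```

Running it with only the inbound ACL shows the behaviour the original poster observed (guest to gateway and guest to corp denied, guest to Internet permitted) and also that a corp host's packet still reaches the guest VLAN; adding the swapped ACL in the out direction on the same sub-interface is what closes that second direction, which is the accepted reply's recommendation.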

Participant

Re: Very Basic Access list direction to apply?

Thank you both for your replies and they have been most helpful. Cheers.
