Very Basic Access list direction to apply?

louis0001
Level 3

I have some vlans as such:

guest vlan = 172.17.1.0/24 router int g0/0.172  ip addr 172.17.1.1
corp vlan = 10.1.0.0/24 router int g0/0.10 ip addr 10.1.0.1

 

I've added an access-list to the guest sub interface IN as such:

deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 172.17.0.0 0.0.255.255 172.16.0.0 0.15.255.255
deny ip 172.17.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip any any

 

It seems to work. From the guest vlan, I can't reach any private subnet. I can't even ping the sub interface. Great!

I can get to the internet.

I have 3 basic questions:

1. Are access-lists only concerned with the final destination and not what is in between? ie I can't ping the router (172.17.1.1) from 172.17.1.0/24 but I can still reach the internet. So in the above access list, traffic going to 8.8.8.8 will fall into the permit rule (regardless that traffic from that subnet 172.17.1.0/24 must travel through 172.17.1.1 to get to 8.8.8.8)

2. Why does this work when I apply the direction IN? Is it because I'm effectively saying, for example, "deny traffic coming from client 172.17.1.10 coming INTO the sub interface and GOING to xxx.xxx.xxx.xxx"?

So in the above example:

client 172.17.1.10 going to 172.17.1.1 = deny
client 172.17.1.10 going to 8.8.8.8 = permit (and it doesn't matter what IP it travels through on the way?)

3. When would you apply in the OUT direction?

 



chrihussey
VIP Alumni

1- Access lists, in this case extended access-lists, are concerned with the source and destination IPs in the packet header. So a packet going to 8.8.8.8 is permitted, and no, the gateway IP of the interface does not come into play.

 

2- Consider a sub interface, or even a logical L3 VLAN interface as an ethernet port. So packets originating from that segment will have that IP as source and the destination will be whatever you are trying to get to. In this case 8.8.8.8. The same logic applies from my response to question 1. The ACLs apply to the source and destination addresses in the packet's IP header.

 

3- You could apply it in the out direction and just reverse the source and destinations in the ACL. That's just a judgement call. But if you think about it, with just the inbound ACL applied you are denying the specific traffic in one direction. That won't stop it in the other. So technically, packets from the corp VLAN can reach the guest VLAN. The inbound ACL will prevent any response, but if you want no communication in either direction, you would want to apply an outbound ACL.

 

Hope this helps
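The three points above (only the packet's own source/destination are matched, IN is judged at the interface the packet enters, and an inbound-only ACL on the guest sub-interface does not stop corp-initiated traffic) can be checked with a small model of Cisco extended-ACL evaluation. This is an added illustration, not code from the thread or from IOS; the interface names g0/0.172 and g0/0.10 come from the question, g0/0 as the Internet link is assumed, and the sample packets are constructed.

```python
import ipaddress
# Added model of Cisco extended-ACL evaluation (constructed, not router code).
# A wildcard-mask bit of 1 means "don't care"; a 0 bit must match exactly.
def wildcard_match(addr, network, wildcard):
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

def parse_ace(line):
    """Parse 'permit|deny ip <src> <wc>|any <dst> <wc>|any' into a tuple."""
    tok, fields = line.split()[2:], []
    while tok:
        if tok[0] == "any":
            fields.append(("0.0.0.0", "255.255.255.255")); tok = tok[1:]
        else:
            fields.append((tok[0], tok[1])); tok = tok[2:]
    return line.split()[0], fields[0], fields[1]

def evaluate(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"

GUEST_IN = [parse_ace(l) for l in (
    "deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.255.255.255",
    "deny ip 172.17.0.0 0.0.255.255 172.16.0.0 0.15.255.255",
    "deny ip 172.17.0.0 0.0.255.255 192.168.0.0 0.0.255.255",
    "permit ip any any")]
# Same policy with source and destination swapped, for the OUT direction.
GUEST_OUT = [(action, dst, src) for action, src, dst in GUEST_IN]

# Interface bindings from the question; None means no ACL in that direction.
ROUTER = {
    "g0/0.172": {"in": GUEST_IN, "out": None},  # guest VLAN sub-interface
    "g0/0.10": {"in": None, "out": None},       # corp VLAN sub-interface
    "g0/0": {"in": None, "out": None},          # Internet link (assumed name)
}

def forward(router, ingress, egress, src, dst):
    """Ingress IN ACL, then egress OUT ACL; only the packet's own IPs are checked."""
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl = router[iface][direction]
        if acl is not None and evaluate(acl, src, dst) == "deny":
            return "deny"
    return "permit"

def with_guest_out(router):
    """Copy of the bindings with GUEST_OUT also bound OUT on g0/0.172."""
    return {k: dict(v, out=GUEST_OUT if k == "g0/0.172" else v["out"]) for k, v in router.items()}
```

With only GUEST_IN bound, a corp host's packet to the guest VLAN is forwarded (only the guest's reply is dropped); binding GUEST_OUT on g0/0.172 as well blocks it in both directions.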

Great answer by chrihussey. Just to add:

 

2: the in/out thing applies to the direction of traffic as seen by the switch/router interface. It has no relevance to the perceived direction in terms of your network as a whole.

 

3. You might (for example) use an ACL outbound on an Internet facing link to prevent any traffic sourced from an RFC1918 address. This is more efficient than putting it on numerous internal interfaces.

 

Hope this helps

 

Dave

Just another point of clarification then. I was under the impression that only one ACL could be applied to an interface.

Is that correct? Or can you apply ACL A in and ACL B out to the same interface at the same time?

In and out ACLs can be applied to an interface. The only exception being a layer 2 switch port on most access switches. In that case only inbound can be applied.

Regards

Thanks Chris,

last question (I promise)

So in the above example, if I wanted to stop the CORP from talking to the GUEST completely, would I apply:

1. An appropriate IN & OUT on each interface or is that overkill?

2. An IN & OUT on one interface?

3. Or just an IN or OUT on each interface?

In your case it is two interfaces, so locking down one with an in and out ACL should be sufficient. However, there is nothing wrong with applying the same to both interfaces either. It stops the traffic from either source and I wouldn't consider it overkill.

As far as #3 is concerned, applying just in or out to an interface is probably not recommended as it allows the unwanted traffic in one direction which you wouldn't want.

Thank you both for your replies and they have been most helpful. Cheers.
