Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1113
Views
5
Helpful
4
Replies

Can someone explain this ACL rule please

Go to solution
Zahan Al-Rashid
Level 1
Level 1

‎01-11-2017 09:03 AM - edited ‎02-20-2020 09:44 PM

Hi All, 

I thought I had the ACL's figured out but this rule is bugging me:

interface Vlan40
description ((Servers))
ip address 10.100.40.1 255.255.255.0
ip access-group Secure-Servers out
ip helper-address 127.74.118.150
ip helper-address 127.74.118.140
no ip redirects
ip pim sparse-mode
ip igmp version 3
mls rp ip
arp timeout 300
end

On this ACL Secure-Servers I am seeing the hits below:

 360 permit ip host 147.77.130.83 any (6662 matches)


So how is that possible? It is applied in the OUTBOUND directions so surely in an extended ACL above I should only be seeing hits if the SOURCE is 10.100.40.X range because it's access that VLAN and the only range coming out of that vlan is 10.100.40.X according to config above so how does one with source 147.x.x.x get hits? Also there are many different ranges getting hits. 


Thanks for your assist

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to Zahan Al-Rashid

‎01-11-2017 09:56 AM

The rule above only applies to packets leaving the switch.  If you want to see the opposite direction then create another rule for the direction "in".

View solution in original post

4 Replies 4

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎01-11-2017 09:13 AM

"out" access lists apply in the direction from the vlan/port towards the servers (aka, out of the switches interface).

This just means 147.77.130.83 somewhere else in the network has tried to talk to a 10.100.40.x host, and being a directly connected vlan, it was routed out that vlan/port.

0 Helpful

Go to solution
Zahan Al-Rashid
Level 1
Level 1
In response to Philip D'Ath

‎01-11-2017 09:25 AM

Thanks for your response.

Ok so if 147.77.130.83 does talk to 10.100.40.X surely when 10.100.40.X communicates back to 147.77.130.83 it will change the source address to 10.100.40.X so how can we see hits with source 147.77.130.83 to any? It should have been denied according to the rule above right?

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to Zahan Al-Rashid

‎01-11-2017 09:56 AM

The rule above only applies to packets leaving the switch.  If you want to see the opposite direction then create another rule for the direction "in".

Go to solution
Zahan Al-Rashid
Level 1
Level 1
In response to Philip D'Ath

‎01-12-2017 01:15 AM

Thanks I think I get it now. It's applied for all address leaving that switch from that Subnet or VLAN 40 and not the address range that belongs to vlan 40. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents