09-28-2019 12:26 AM
Forgive me for this as I'm sure it's been asked umpteen times but I just need to clarify it in my head with the example below.
I want to permit User A access to Web Server A, but I don't want to place an ACL on the User A router; rather, I want it in a single place near to the web server itself (see diagram).
Something like:
permit tcp host 172.31.1.1 host 192.168.100.2 eq 80
In the diagram, would I be right in thinking I would apply the above on sub interface f0/1.100 in the out direction?
Is there a better way to apply it?
09-28-2019 05:33 AM - edited 09-28-2019 06:50 AM
Hello
@louis0001 wrote:
Nice answer there Paul.
If I take it one step further and also want to deny traffic from webserver B to A (as well as all other users apart from User A to Webserver A using http)
To just have 1x ACL, I would think that the ACL would need to be applied to f0/1.100 in the OUT direction using the following only:
permit tcp host 172.31.1.1 host 192.168.100.2 eq 80
With this additional information - you are correct in that you could use just one acl for all traffic filtering, and that acl looks like it would have to be on the webserver A/B rtr fa0/1.100 interface outbound. However, that will mean that for the traffic from users A/B, the rtr will have to allow this traffic inside so it can be processed and then filtered, which would be a waste of rtr resource. Granted, it's only a small acl in this topology, but what if it wasn't?
Hence the reason why I tend to think about the effect that applied acls will incur on the rtr.
Is it more beneficial to apply multiple acls in the correct place than just one in the wrong place? But then again you could argue about having multiple acls to administer, and if you were to do this and it is applicable to you, then placing an acl on each user's rtr and the webserver B rtr (three in total) would not only save rtr resource but also bandwidth!
My suggestion (others may disagree) in this instance is in between, using two acls:
User A/B traffic filtered on webserver A/B rtr fa1/1.111 inbound
Webserver B traffic on webserver A/B rtr fa1/1.200 inbound
09-28-2019 01:04 AM
You can apply the ACL near the server interface to permit or deny the user's access.
Make sure that after permitting all the necessary devices in the ACL, you end the ACL with a deny any.
09-28-2019 01:13 AM - edited 09-28-2019 02:08 AM
Hello
To deny user A access to the web server, it is best to place the acl as close to the source as possible, to save the bandwidth of the packet traversing the network only for it to be processed and filtered when it arrives at the destination rtr.
So in your topology the acl will be applied on the user A rtr interface gig0/0.300:
ip access-list extended no_web
deny tcp host 172.31.1.1 host 192.168.100.2 eq www
deny tcp host 172.31.1.1 host 192.168.100.2 eq 443
permit ip any any
int gig0/0.300
ip access-group no_web in
To allow only User A to access webserver A, the acl will need to be placed on the webserver A rtr interface fa1/1.111 ingress (note that an IOS ACL name cannot contain a space):
ip access-list extended Allow-UserA
permit tcp host 172.31.1.1 host 192.168.100.2 eq www
permit tcp host 172.31.1.1 host 192.168.100.2 eq 443
deny tcp any host 192.168.100.2 eq www
deny tcp any host 192.168.100.2 eq 443
permit ip any any
int fa1/1.111
ip access-group Allow-UserA in
09-28-2019 01:54 AM
Hello,
if you want User A to access Web Server A, what traffic do you NOT want to reach Web Server A ? And do you want User A to be able to reach Web Server B as well, or not ? And what about the other user(s) on the network ?
09-28-2019 02:07 AM
In answer to some of the questions,
1. it's a very simple example so I'm aware that there is an explicit deny at the end of the ACL and no other traffic apart from specified will be able to access Web Server A
2. I take the point about traffic traversing the network and being denied. But isn't that how networks eg the internet etc works? ie you don't have control of the source but you do of the destination?
3. In the example, I've got 2 user routers. In effect, I've got 60+ and I don't want to apply an individual ACL on every one of them to deny traffic to a specific server. I'd rather have a centralised ACL that I can amend ie 1x ACL rather than 60x ACL
09-28-2019 03:14 AM
Rather than complicating the ACL by listing many devices to deny, allow only what is required and the rest will be denied automatically.
@louis0001 wrote:
In answer to some of the questions,
1. it's a very simple example so I'm aware that there is an explicit deny at the end of the ACL and no other traffic apart from specified will be able to access Web Server A
2. I take the point about traffic traversing the network and being denied. But isn't that how networks eg the internet etc works? ie you don't have control of the source but you do of the destination?
3. In the example, I've got 2 user routers. In effect, I've got 60+ and I don't want to apply an individual ACL on every one of them to deny traffic to a specific server. I'd rather have a centralised ACL that I can amend ie 1x ACL rather than 60x ACL
09-28-2019 04:33 AM
My thinking is to place the ACL on the most common interface to limit the amount of ACLs needed.
In the above diagram, if I wanted to just permit/block users (left hand side of diagram) to web server A, the most common place is f1/1.111 IN or f0/1.100 OUT
But if I wanted to also block the web server B to web server A, (I know I could create another ACL on f0/1.200) but that would be 2x ACL, whereas I could just create 1x ACL on f0/1.100
So to allow only USER A to WEB server A on http (in its simplest form):
ip access-list extended webserverA_traffic
permit tcp host 172.31.1.1 host 192.168.100.2 eq 80
int f0/1.100
ip access-group webserverA_traffic out
Is there anything wrong with doing that (for simplicity)?
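The practical difference between the two ACLs in this thread is the implicit deny. The following is an added example (not from the thread or from any poster): a small model of top-down IOS extended-ACL matching run over the two ACLs above, with a constructed User B address and constructed sample flows, to show which flows each ACL would permit or drop.

```python
# Added example, not from the thread: a minimal model of top-down IOS extended
# ACL matching, used to compare the two ACLs proposed above.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # "any" or a host address
    dst: str
    dport: Optional[int] = None  # "eq <port>"; None means any port
def ace_matches(ace, flow):
    # flow = (proto, src, dst, dport); dport is None for non-TCP traffic
    proto, src, dst, dport = flow
    return (ace.proto in ("ip", proto)
            and ace.src in ("any", src)
            and ace.dst in ("any", dst)
            and ace.dport in (None, dport))
def evaluate(acl, flow):
    # First matching entry wins; no match hits the implicit 'deny ip any any'.
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"

WS_A, USER_A = "192.168.100.2", "172.31.1.1"
USER_B = "172.31.2.1"            # constructed placeholder, not from the thread
# Paul's Allow-UserA ACL, applied inbound on fa1/1.111 (user-facing side).
ALLOW_USER_A = [
    Ace("permit", "tcp", USER_A, WS_A, 80),
    Ace("permit", "tcp", USER_A, WS_A, 443),
    Ace("deny", "tcp", "any", WS_A, 80),
    Ace("deny", "tcp", "any", WS_A, 443),
    Ace("permit", "ip", "any", "any"),
]
# The single-entry ACL from the last post, applied outbound on f0/1.100.
WEBSERVER_A_TRAFFIC = [Ace("permit", "tcp", USER_A, WS_A, 80)]

# Constructed sample flows heading towards Web Server A.
FLOWS = {
    "userA http": ("tcp", USER_A, WS_A, 80),
    "userA https": ("tcp", USER_A, WS_A, 443),
    "userB http": ("tcp", USER_B, WS_A, 80),
    "userB ping": ("icmp", USER_B, WS_A, None),
}

def compare():
    # {flow name: (verdict under Allow-UserA, verdict under webserverA_traffic)}
    return {n: (evaluate(ALLOW_USER_A, f), evaluate(WEBSERVER_A_TRAFFIC, f))
            for n, f in FLOWS.items()}
```

Under the single outbound ACL, everything that is not User A to port 80 is dropped at f0/1.100, HTTPS and ICMP included, while Paul's ACL only blocks the HTTP/HTTPS entries it names and lets other traffic through its final permit.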