ACL direction on sub interface

louis0001 (Level 3)

Forgive me for this as I'm sure it's been asked umpteen times but I just need to clarify it in my head with the example below.

I want to permit User A access to Web Server A but don't want to place an ACL on the User A router but rather in a single place near to the Webserver itself (see diagram).

Something like:

permit tcp host 172.31.1.1 host 192.168.100.2 eq 80

 

In the diagram, would I be right in thinking I would apply the above on sub interface f0/1.100 in the out direction?

Is there a better way to apply it?

[Diagram: Extended_ACL2.png]


9 Replies

balaji.bandi (Hall of Fame)

You can apply the ACL near the server interface to permit or deny the user's access.

Make sure that after permitting all necessary devices in the ACL, you end the ACL with deny any.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello
To deny user A access to the web server, it is best to place the ACL as close to the source as possible, to save the bandwidth of the packet traversing the network only for it to be processed and filtered when it arrives at the destination rtr.

So in your topology the ACL will be applied on the user A rtr interface gig0/0.300:

! Block only HTTP/HTTPS from User A to Web Server A; everything else stays permitted
ip access-list extended no_web
 deny tcp host 172.31.1.1 host 192.168.100.2 eq www
 deny tcp host 172.31.1.1 host 192.168.100.2 eq 443
 permit ip any any

int gig0/0.300
 ip access-group no_web in


To allow only User A to access webserver A, the ACL will need to be placed on the webserver A rtr interface fa1/1.111 ingress:

! ACL names cannot contain spaces, so "Allow-User A" is written as Allow-UserA
ip access-list extended Allow-UserA
 permit tcp host 172.31.1.1 host 192.168.100.2 eq www
 permit tcp host 172.31.1.1 host 192.168.100.2 eq 443
 deny tcp any host 192.168.100.2 eq www
 deny tcp any host 192.168.100.2 eq 443
 permit ip any any

int fa1/1.111
 ip access-group Allow-UserA in


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Nice answer there Paul.
If I take it one step further and also want to deny traffic from webserver B to A (as well as all other users apart from User A to Webserver A using http), then to just have 1x ACL, I would think that the ACL would need to be applied to f0/1.100 in the OUT direction using the following only:
permit tcp host 172.31.1.1 host 192.168.100.2 eq 80

Accepted Solution

Hello


@louis0001 wrote:
Nice answer there Paul.
If I take it one step further and also want to deny traffic from webserver B to A (as well as all other users apart from User A to Webserver A using http), then to just have 1x ACL, I would think that the ACL would need to be applied to f0/1.100 in the OUT direction using the following only:
permit tcp host 172.31.1.1 host 192.168.100.2 eq 80

With this additional information: you are correct that you could use just one ACL for all traffic filtering, and that ACL looks like it would have to be on the webserver A/B rtr fa0/1.100 interface outbound. However, that will mean that for the traffic from users A/B, the rtr will have to allow this traffic inside so it can be processed and then filtered, which would be a waste of rtr resource. Granted, it's only a small ACL in this topology, but what if it wasn't?

Hence the reason why I tend to think about the effect that applied ACLs will incur on the rtr.

Is it more beneficial to apply multiple ACLs in the correct place than just one in the wrong place? But then again, you could argue about having multiple ACLs to administer. If you were to do this, and it is applicable to you, then placing an ACL on either user's rtr and the webserver B rtr (three in total) would not only save rtr resource but also bandwidth!

My suggestion, others may disagree, is in this instance something in between, using two ACLs:

User A/B traffic filtered on the webserver A/B rtr fa1/1.111 inbound
Webserver B traffic on the webserver A/B rtr fa1/1.200 inbound


Kind Regards
Paul

Point taken on the bandwidth/traffic etc.
It's a bit of a pain when you have 60+ sites and you have to change the ACL on each for one minor change.

Hello,

If you want User A to access Web Server A, what traffic do you NOT want to reach Web Server A? And do you want User A to be able to reach Web Server B as well, or not? And what about the other user(s) on the network?

In answer to some of the questions,

1. It's a very simple example, so I'm aware that there is an implicit deny at the end of the ACL and no other traffic apart from that specified will be able to access Web Server A.

2. I take the point about traffic traversing the network and being denied. But isn't that how networks, e.g. the internet etc., work? I.e. you don't have control of the source but you do of the destination?

3. In the example, I've got 2 user routers. In effect, I've got 60+ and I don't want to apply an individual ACL on every one of them to deny traffic to a specific server. I'd rather have a centralised ACL that I can amend, i.e. 1x ACL rather than 60x ACL.

@louis0001 wrote:

In answer to some of the questions,

1. It's a very simple example, so I'm aware that there is an implicit deny at the end of the ACL and no other traffic apart from that specified will be able to access Web Server A.

2. I take the point about traffic traversing the network and being denied. But isn't that how networks, e.g. the internet etc., work? I.e. you don't have control of the source but you do of the destination?

3. In the example, I've got 2 user routers. In effect, I've got 60+ and I don't want to apply an individual ACL on every one of them to deny traffic to a specific server. I'd rather have a centralised ACL that I can amend, i.e. 1x ACL rather than 60x ACL.


Rather than complicating the ACL by listing many devices to deny, allow only what is required and the rest will be denied automatically.

 

BB


My thinking is to place the ACL on the most common interface to limit the amount of ACLs needed.

In the above diagram, if I wanted to just permit/block users (left hand side of diagram) to web server A, the most common place is f1/1.111 IN or f0/1.100 OUT

But if I wanted to also block web server B to web server A (I know I could create another ACL on f0/1.200), that would be 2x ACL, whereas I could just create 1x ACL on f0/1.100.

 

So to allow only USER A to WEB server A on http (in its simplest form):

! "ip" is required on both the ACL definition and the interface binding
ip access-list extended webserverA_traffic
 permit tcp host 172.31.1.1 host 192.168.100.2 eq 80
 ! the implicit deny covers everything else leaving f0/1.100

int f0/1.100
 ip access-group webserverA_traffic out


Is there anything wrong with doing that (for simplicity)?
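To make the direction and implicit-deny semantics discussed in this thread concrete, here is an added Python model (not code from the thread, from Cisco, or from any poster) that evaluates the two placements against the same set of flows: the single ACL outbound on f0/1.100 from the post above, and Paul's Allow-UserA ACL inbound on fa1/1.111 on its own. The subnets behind each subinterface, the user B address 172.31.2.1, the web server B address 192.168.200.2 and the use of f0/1.200 as web server B's subinterface are assumptions; the model only understands the host/any and eq forms used in the thread and is stateless, like a real IOS ACL, so return traffic is never evaluated by either placement.

```python
"""Stateless model of IOS extended-ACL evaluation on one router, used to
compare the two ACL placements discussed in the thread. Constructed example;
subnets and the user B / web server B addresses are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed subnets behind each subinterface of the webserver A/B router.
INTERFACES = {
    "fa1/1.111": "172.31.0.0/16",    # user sites arrive here
    "f0/1.100": "192.168.100.0/24",  # web server A
    "f0/1.200": "192.168.200.0/24",  # web server B (assumed subnet)
}
USER_A, USER_B = "172.31.1.1", "172.31.2.1"      # user B address constructed
WEB_A, WEB_B = "192.168.100.2", "192.168.200.2"  # web B address constructed
PORT_NAMES = {"www": 80, "https": 443}           # IOS keywords accepted after "eq"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" | "deny"
    proto: str                  # "tcp" | "udp" | "ip"
    src: str                    # "any" or a host address
    dst: str
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit|deny <proto> host X|any host Y|any [eq <port>]' lines."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, i, ends = tok[0], tok[1], 2, []
        for _ in range(2):  # source spec, then destination spec
            if tok[i] == "any":
                ends.append("any"); i += 1
            elif tok[i] == "host":
                ends.append(tok[i + 1]); i += 2
            else:
                raise ValueError(f"unsupported address spec in: {line}")
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        acl.append(Ace(action, proto, ends[0], ends[1], dport))
    return acl


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match falls into the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def interface_for(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in INTERFACES.items():
        if ip in ipaddress.ip_network(net):
            return name
    raise ValueError(f"no interface routes {addr}")


def forward(pkt: Packet, bindings: Dict[Tuple[str, str], List[Ace]]) -> Tuple[str, Optional[str]]:
    """Apply the ingress interface's 'in' ACL, then the egress interface's
    'out' ACL. Returns (verdict, 'iface direction' that dropped it or None)."""
    path = ((interface_for(pkt.src), "in"), (interface_for(pkt.dst), "out"))
    for iface, direction in path:
        acl = bindings.get((iface, direction))
        if acl is not None and evaluate(acl, pkt) == "deny":
            return "deny", f"{iface} {direction}"
    return "permit", None


# Design 1: the single ACL outbound on f0/1.100 proposed in the last post.
SINGLE_OUT = {("f0/1.100", "out"):
              parse_acl("permit tcp host 172.31.1.1 host 192.168.100.2 eq 80")}

# Design 2: Paul's Allow-UserA ACL inbound on the user-facing subinterface, alone.
INBOUND_ON_USERS = {("fa1/1.111", "in"): parse_acl("""
permit tcp host 172.31.1.1 host 192.168.100.2 eq www
permit tcp host 172.31.1.1 host 192.168.100.2 eq 443
deny tcp any host 192.168.100.2 eq www
deny tcp any host 192.168.100.2 eq 443
permit ip any any
""")}

FLOWS = {  # constructed test flows
    "userA->webA:80": Packet(USER_A, WEB_A, "tcp", 80),
    "userB->webA:80": Packet(USER_B, WEB_A, "tcp", 80),
    "webB->webA:80": Packet(WEB_B, WEB_A, "tcp", 80),
    "userA->webA:22": Packet(USER_A, WEB_A, "tcp", 22),
    "userA->webB:80": Packet(USER_A, WEB_B, "tcp", 80),
}


def compare(bindings: Dict[Tuple[str, str], List[Ace]]) -> Dict[str, Tuple[str, Optional[str]]]:
    return {name: forward(pkt, bindings) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, design in (("single ACL, f0/1.100 out", SINGLE_OUT),
                          ("Allow-UserA, fa1/1.111 in", INBOUND_ON_USERS)):
        print(label)
        for name, (verdict, where) in compare(design).items():
            print(f"  {name:16} {verdict:6} {where or ''}")
```

Running it shows the trade-off both sides of the thread are describing. With the single outbound ACL on f0/1.100, everything bound for web server A that is not explicitly listed is dropped by the implicit deny, including web server B to web server A and non-HTTP traffic such as port 22 from User A, but every one of those packets is routed through the box before the outbound check drops it. With the inbound ACL on fa1/1.111, User B is dropped on arrival, yet web server B's traffic never passes that interface and the trailing permit ip any any lets User A reach web server A on any port other than 80/443, so that placement needs the second ACL on web server B's subinterface to achieve the same result. The model deliberately omits wildcard masks, the established keyword and router-originated traffic (which an outbound ACL does not filter).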
