I have a question regarding the configuration of an ACL. For simplicity's sake, the topology of the network is as follows:
Traffic flow is from PRIMARY to COLD DR SITE ------->
(PRIMARY SITE) LAN/IBM NSeries SAN/Dell Equallogic/Cisco 3825 ----OC3 (WAN/ATM)-----Cisco3825/Dell Equallogic SAN/IBM NSeries/LAN (COLD DR SITE)
IP ADDRESSING SCHEME:
Lan = 10.80.2.0/24, 10.80.1.0/24, 10.80.5.0/24, 10.80.35.0/24
IBM NSeries: 10.80.2.173, 10.80.2.172
Dell Eq: 10.80.7.100
Cisco 3825: 10.245.1.249/30
Cold DR site:
Lan = 10.80.150.0/24, 10.80.100.0/24
IBM NSeries: 10.80.100.174, 10.80.100.175
Dell Eq: 10.80.107.100
Cisco 3825: 10.245.1.250/30
We have an upcoming DR test and I need to implement an ACL on the router at the COLD DR SITE to prevent traffic from the PRIMARY SITE from reaching the DR SITE during this test (with the exception of our SAN units so replication stays up-to-date). I am confused because one of our SAN units uses a PUSH method and the other uses a PULL method, so the direction of applying the ACL is somewhat confusing me (i.e. INBOUND/OUTBOUND).
Here is what I have (applied on the ATM Interface on the Cisco 3825 at the COLD DR SITE):
access-list 110 permit ip host 10.80.100.174 any
access-list 110 permit ip host 10.80.100.175 any
access-list 110 permit ip host 10.80.107.100 any
access-list 110 deny ip 10.80.100.0 0.0.0.255 10.80.2.0 0.0.0.255
access-list 110 deny ip 10.80.100.0 0.0.0.255 10.80.1.0 0.0.0.255
access-list 110 deny ip 10.80.100.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 110 deny ip 10.80.100.0 0.0.0.255 10.80.35.0 0.0.0.255
access-list 110 deny ip 10.80.150.0 0.0.0.255 10.80.2.0 0.0.0.255
access-list 110 deny ip 10.80.150.0 0.0.0.255 10.80.1.0 0.0.0.255
access-list 110 deny ip 10.80.150.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 110 deny ip 10.80.150.0 0.0.0.255 10.80.35.0 0.0.0.255
access-list 110 permit ip 10.80.100.0 0.0.0.255 any
access-list 110 permit ip 10.80.150.0 0.0.0.255 any
I applied this to the ATM interface:
ip address 10.245.1.250 255.255.255.252
no atm ilmi-keepalive
protocol ip inarp
ip access-group 110 out
When I tested this initially, everything was blocked and working correctly EXCEPT my Dell Equallogic SAN array at the PRIMARY SITE could not contact the Dell Equallogic SAN array at the COLD DR SITE. Can someone look at this and tell me what I am doing wrong? If you need any more information, please let me know.
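To make the in/out question concrete, here is an added Python simulation that is not part of the original thread. It parses the posted access-list 110 with Cisco wildcard-mask semantics (including the implicit deny at the end of every ACL) and evaluates sample flows against it. Direction is relative to the DR router: an ACL applied "out" on the ATM interface is only consulted for packets leaving the DR router toward the primary site, so packets arriving from the primary site are not checked by it at all. The LAN hosts 10.80.100.5, 10.80.150.5, 10.80.2.10 and 10.80.35.10 are constructed examples; the SAN addresses are the ones from the post.

```python
import ipaddress
from dataclasses import dataclass

# access-list 110 exactly as posted (applied "ip access-group 110 out" on the DR ATM interface)
ACL_110 = """
access-list 110 permit ip host 10.80.100.174 any
access-list 110 permit ip host 10.80.100.175 any
access-list 110 permit ip host 10.80.107.100 any
access-list 110 deny ip 10.80.100.0 0.0.0.255 10.80.2.0 0.0.0.255
access-list 110 deny ip 10.80.100.0 0.0.0.255 10.80.1.0 0.0.0.255
access-list 110 deny ip 10.80.100.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 110 deny ip 10.80.100.0 0.0.0.255 10.80.35.0 0.0.0.255
access-list 110 deny ip 10.80.150.0 0.0.0.255 10.80.2.0 0.0.0.255
access-list 110 deny ip 10.80.150.0 0.0.0.255 10.80.1.0 0.0.0.255
access-list 110 deny ip 10.80.150.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 110 deny ip 10.80.150.0 0.0.0.255 10.80.35.0 0.0.0.255
access-list 110 permit ip 10.80.100.0 0.0.0.255 any
access-list 110 permit ip 10.80.150.0 0.0.0.255 any
""".strip().splitlines()


@dataclass
class Ace:
    action: str      # "permit" or "deny"
    src: tuple       # (address as int, wildcard mask as int)
    dst: tuple


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(lines):
    """Parse extended 'access-list N permit|deny ip SRC DST' entries in order."""
    aces = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        aces.append(Ace(tok[2], src, dst))
    return aces


def _match(addr, entry):
    # Cisco wildcard: a 1 bit in the mask means "don't care"
    ip, wildcard = entry
    return (addr ^ ip) & (~wildcard & 0xFFFFFFFF) == 0


def evaluate(aces, src, dst):
    """First matching ACE wins; return (action, 1-based line) or ('deny', None) for the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for n, ace in enumerate(aces, 1):
        if _match(s, ace.src) and _match(d, ace.dst):
            return ace.action, n
    return "deny", None


def interface_decision(aces, applied_dir, packet_dir, src, dst):
    """An interface ACL is only consulted for packets travelling in the direction it is applied.
    Returns (evaluated, action, line)."""
    if applied_dir != packet_dir:
        return False, "permit", None   # not this ACL's direction: passes untouched
    action, n = evaluate(aces, src, dst)
    return True, action, n


ACES = parse_acl(ACL_110)

if __name__ == "__main__":
    # Constructed flows as seen on the DR router's ATM interface ("in" = arriving from primary)
    flows = [
        ("10.80.107.100", "10.80.7.100", "out"),   # DR Dell replying/pulling toward primary Dell
        ("10.80.7.100", "10.80.107.100", "in"),    # primary Dell pushing toward DR Dell
        ("10.80.100.5", "10.80.2.10", "out"),      # DR LAN host toward primary LAN
        ("10.80.2.10", "10.80.100.5", "in"),       # primary LAN host toward DR LAN
    ]
    for src, dst, pkt_dir in flows:
        seen, action, n = interface_decision(ACES, "out", pkt_dir, src, dst)
        print(f"{src:>14} -> {dst:<14} {pkt_dir:<3} evaluated={str(seen):<5} {action} line={n}")
```

Run as written it prints one row per flow. Note that if the same ACL were instead applied "in" on the ATM interface, evaluate() returns the implicit deny for 10.80.7.100 -> 10.80.107.100, because every permit entry in the list names a DR-side source; that is the asymmetry between the push and pull arrays that the thread is working through.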
Even though the 10.80.7.100 array exists at the PRIMARY site, I would have to allow that
in the ACL on the router at the COLD DR SITE? This is where I was confused because this IP doesn't originate from the COLD DR SITE.
Misread the post, my bad.
Helps explain the in versus out...
No problem, V. I guess my dilemma is that I have one array that uses the push method and one that uses the pull,
so I am unsure how I can account for this since I can't have an in/out ACL on one interface.
Well, if your deny statements are working just fine, what about removing the first 3 permits
and adding a permit ip any any at the end? You might want to consider logging or tracing the conversations between the arrays just to double check.