05-31-2011 02:55 PM - edited 03-04-2019 12:34 PM
I have a question regarding the configuration of an ACL. For simplicity's sake, the topology of the network is as follows:
Traffic flow is from PRIMARY to COLD DR SITE ------->
(PRIMARY SITE) LAN/IBM NSeries SAN/Dell Equallogic/Cisco 3825 ----OC3 (WAN/ATM)-----Cisco3825/Dell Equallogic SAN/IBM NSeries/LAN (COLD DR SITE)
IP ADDRESSING SCHEME:
Primary site:
Lan = 10.80.2.0/24, 10.80.1.0/24, 10.80.5.0/24, 10.80.35.0/24
IBM NSeries: 10.80.2.173, 10.80.2.172
Dell Eq: 10.80.7.100
Cisco 3825: 10.245.1.249/30
Cold DR site:
Lan = 10.80.150.0/24, 10.80.100.0/24
IBM NSeries: 10.80.100.174, 10.80.100.175
Dell Eq: 10.80.107.100
Cisco 3825: 10.245.1.250/30
We have an upcoming DR test and I need to implement an ACL on the router at the COLD DR SITE to prevent traffic from the PRIMARY SITE from reaching the DR SITE during this test (with the exception of our SAN units so replication stays up-to-date). I am confused because one of our SAN units uses a PUSH method and the other uses a PULL method, so the direction of applying the ACL is somewhat confusing me (i.e. INBOUND/OUTBOUND).
Here is what I have (applied on the ATM Interface on the Cisco 3825 at the COLD DR SITE):
access-list 110 permit ip host 10.80.100.174 any
access-list 110 permit ip host 10.80.100.175 any
access-list 110 permit ip host 10.80.107.100 any
access-list 110 deny ip 10.80.100.0 0.0.0.255 10.80.2.0 0.0.0.255
access-list 110 deny ip 10.80.100.0 0.0.0.255 10.80.1.0 0.0.0.255
access-list 110 deny ip 10.80.100.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 110 deny ip 10.80.100.0 0.0.0.255 10.80.35.0 0.0.0.255
access-list 110 deny ip 10.80.150.0 0.0.0.255 10.80.2.0 0.0.0.255
access-list 110 deny ip 10.80.150.0 0.0.0.255 10.80.1.0 0.0.0.255
access-list 110 deny ip 10.80.150.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 110 deny ip 10.80.150.0 0.0.0.255 10.80.35.0 0.0.0.255
access-list 110 permit ip 10.80.100.0 0.0.0.255 any
access-list 110 permit ip 10.80.150.0 0.0.0.255 any
I applied this to the ATM interface:
interface ATM1/0
ip address 10.245.1.250 255.255.255.252
no atm ilmi-keepalive
pvc 0/1
protocol ip inarp
ip access-group 110 out
!
When I tested this initially, everything was blocked and working correctly EXCEPT my Dell Equallogic SAN array at the PRIMARY SITE could not contact the Dell Equallogic SAN array at the COLD DR SITE. Can someone look at this and tell me what I am doing wrong? If you need any more information, please let me know.
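As an added illustration (not part of the original thread), a small Python model of the posted ACL with IOS first-match and implicit-deny semantics; the sample flows and the host addresses 10.80.100.10, 10.80.107.50 and 10.80.2.10 are constructed for the demonstration. It shows which packets an outbound ACL on the DR ATM interface actually inspects, whichever array initiates the conversation.

```python
import ipaddress

# The ACL from the post, copied verbatim so the simulation is self-contained.
ACL_TEXT = """access-list 110 permit ip host 10.80.100.174 any
access-list 110 permit ip host 10.80.100.175 any
access-list 110 permit ip host 10.80.107.100 any
access-list 110 deny ip 10.80.100.0 0.0.0.255 10.80.2.0 0.0.0.255
access-list 110 deny ip 10.80.100.0 0.0.0.255 10.80.1.0 0.0.0.255
access-list 110 deny ip 10.80.100.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 110 deny ip 10.80.100.0 0.0.0.255 10.80.35.0 0.0.0.255
access-list 110 deny ip 10.80.150.0 0.0.0.255 10.80.2.0 0.0.0.255
access-list 110 deny ip 10.80.150.0 0.0.0.255 10.80.1.0 0.0.0.255
access-list 110 deny ip 10.80.150.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 110 deny ip 10.80.150.0 0.0.0.255 10.80.35.0 0.0.0.255
access-list 110 permit ip 10.80.100.0 0.0.0.255 any
access-list 110 permit ip 10.80.150.0 0.0.0.255 any
"""
def _ip(a):
    return int(ipaddress.IPv4Address(a))
def _addr_spec(t, i):
    """Parse 'any', 'host A.B.C.D' or 'NET WILDCARD' at t[i]; return (net, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2
def parse_acl(text):
    """'access-list N permit|deny ip SRC DST' lines -> (action, src, src_wc, dst, dst_wc) tuples."""
    entries = []
    for t in (l.split() for l in text.splitlines() if l.strip()):
        src, src_wc, i = _addr_spec(t, 4)
        dst, dst_wc, _ = _addr_spec(t, i)
        entries.append((t[2], src, src_wc, dst, dst_wc))
    return entries
def _in(addr, net, wc):  # Cisco wildcard: 1 bits are "don't care", only the 0 bits are compared
    return ((addr & ~wc) & 0xFFFFFFFF) == ((net & ~wc) & 0xFFFFFFFF)
def evaluate(entries, src, dst):
    """First match wins, as in IOS; (action, 1-based line) or ('deny', None) for the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for n, (action, ns, ws, nd, wd) in enumerate(entries, 1):
        if _in(s, ns, ws) and _in(d, nd, wd):
            return action, n
    return "deny", None
def sample_flows(entries):
    """Packets an 'ip access-group 110 out' on the DR ATM interface inspects are those LEAVING the DR
    router, so for push and pull alike the filtered packet is DR source -> primary destination."""
    flows = [("10.80.107.100", "10.80.7.100"),  # DR Equallogic -> primary Equallogic (constructed)
             ("10.80.100.10", "10.80.2.10"),    # DR LAN host -> primary LAN host (constructed)
             ("10.80.107.50", "10.80.2.10")]    # DR host in a subnet no permit line names (constructed)
    return {f"{s}->{d}": evaluate(entries, s, d) for s, d in flows}
```

Because the `out` ACL never sees the primary-sourced packets, the push from 10.80.7.100 is only affected through the DR array's replies; the third flow shows that a DR host outside 10.80.100.0/24 and 10.80.150.0/24 that is not one of the three permitted hosts falls through to the implicit deny.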
05-31-2011 03:02 PM
You never explicitly permit 10.80.7.100 out.
There is an implicit deny all at the end of ACLs.
05-31-2011 03:21 PM
Even though the 10.80.7.100 array exists at the PRIMARY site, I would have to allow that in the ACL on the router at the COLD DR SITE? This is where I was confused because this IP doesn't originate from the COLD DR SITE.
05-31-2011 03:32 PM
Misread the post, my bad.
Helps explain the in versus out...
05-31-2011 06:17 PM
No problem, V. I guess my dilemma is that I have one array that uses the push method and one that uses the pull, so I am unsure how I can account for this since I can't have an in/out ACL on one interface.
06-01-2011 08:19 AM
Well, if your deny statements are working just fine, what about removing the first 3 permits and adding a permit ip any any at the end? You might want to consider logging or tracing the conversations between the arrays just to double check.