ACL Help

Mike McWethy
Level 1

I have a question regarding the configuration of an ACL. For simplicity's sake, the topology of the network is as follows:

Traffic flow is from PRIMARY to COLD DR SITE ------->

(PRIMARY SITE) LAN/IBM NSeries SAN/Dell Equallogic/Cisco 3825 ----OC3 (WAN/ATM)-----Cisco3825/Dell Equallogic SAN/IBM NSeries/LAN (COLD DR SITE)

IP ADDRESSING SCHEME:

Primary site:

Lan = 10.80.2.0/24, 10.80.1.0/24, 10.80.5.0/24, 10.80.35.0/24

IBM NSeries: 10.80.2.173, 10.80.2.172

Dell Eq: 10.80.7.100

Cisco 3825: 10.245.1.249/30

Cold DR site:

Lan = 10.80.150.0/24, 10.80.100.0/24

IBM NSeries: 10.80.100.174, 10.80.100.175

Dell Eq: 10.80.107.100

Cisco 3825: 10.245.1.250/30

We have an upcoming DR test and I need to implement an ACL on the router at the COLD DR SITE to prevent traffic from the PRIMARY SITE from reaching the DR SITE during this test (with the exception of our SAN units, so replication stays up to date). I am confused because one of our SAN units uses a PUSH method and the other uses a PULL method, so the direction in which to apply the ACL is somewhat confusing me (i.e. INBOUND/OUTBOUND).

Here is what I have (applied on the ATM Interface on the Cisco 3825 at the COLD DR SITE):

access-list 110 permit ip host 10.80.100.174 any
access-list 110 permit ip host 10.80.100.175 any
access-list 110 permit ip host 10.80.107.100 any
access-list 110 deny   ip 10.80.100.0 0.0.0.255 10.80.2.0 0.0.0.255
access-list 110 deny   ip 10.80.100.0 0.0.0.255 10.80.1.0 0.0.0.255
access-list 110 deny   ip 10.80.100.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 110 deny   ip 10.80.100.0 0.0.0.255 10.80.35.0 0.0.0.255
access-list 110 deny   ip 10.80.150.0 0.0.0.255 10.80.2.0 0.0.0.255
access-list 110 deny   ip 10.80.150.0 0.0.0.255 10.80.1.0 0.0.0.255
access-list 110 deny   ip 10.80.150.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 110 deny   ip 10.80.150.0 0.0.0.255 10.80.35.0 0.0.0.255
access-list 110 permit ip 10.80.100.0 0.0.0.255 any
access-list 110 permit ip 10.80.150.0 0.0.0.255 any

I applied this to the ATM interface:

interface ATM1/0
 ip address 10.245.1.250 255.255.255.252
 no atm ilmi-keepalive
 pvc 0/1
  protocol ip inarp
 !
 ip access-group 110 out
!

When I tested this initially, everything was blocked and working correctly EXCEPT my Dell Equallogic SAN array at the PRIMARY SITE could not contact the Dell Equallogic SAN array at the COLD DR SITE. Can someone look at this and tell me what I am doing wrong? If you need any more information, please let me know.

5 Replies

vmiller
Level 7

You never explicitly permit 10.80.7.100 out. There is an implicit deny all at the end of ACLs.

Even though the 10.80.7.100 array exists at the PRIMARY site, I would have to allow that in the ACL on the router at the COLD DR SITE? This is where I was confused, because this IP doesn't originate from the COLD DR SITE.

No problem, V. I guess my dilemma is that I have one array that uses the push method and one that uses the pull, so I am unsure how I can account for this, since I can't have an in/out ACL on one interface.

Well, if your deny statements are working just fine, what about removing the first 3 permits and adding a permit ip any any at the end? You might want to consider logging or tracing the conversations between the arrays just to double check.
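The following is an added worked example, not code from the thread or from either poster. It is a small evaluator for the numbered extended ACL syntax used above (first match wins, implicit deny at the end, Cisco wildcard masks) and it runs the SAN replication flows from the original post through ACL 110 twice: once as posted, and once in the revised form vmiller suggests (the first three host permits removed, permit ip any any appended). It assumes, as the original post implies but does not state, that an ACL applied "out" on ATM1/0 at the DR site only inspects packets leaving the DR router toward the primary site, so the source of every inspected packet is a DR-side host and primary-to-DR packets are never matched against it; whether an array pushes or pulls only changes which side sends the first packet, not which (src, dst) pair the outbound ACL sees. The 10.80.107.0/24 range is assumed to sit at the DR site, and the two LAN hosts used as ordinary traffic are constructed addresses.

```python
import ipaddress
from typing import NamedTuple

# ACL 110 exactly as posted in the original question.
ORIGINAL_ACL = """
access-list 110 permit ip host 10.80.100.174 any
access-list 110 permit ip host 10.80.100.175 any
access-list 110 permit ip host 10.80.107.100 any
access-list 110 deny   ip 10.80.100.0 0.0.0.255 10.80.2.0 0.0.0.255
access-list 110 deny   ip 10.80.100.0 0.0.0.255 10.80.1.0 0.0.0.255
access-list 110 deny   ip 10.80.100.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 110 deny   ip 10.80.100.0 0.0.0.255 10.80.35.0 0.0.0.255
access-list 110 deny   ip 10.80.150.0 0.0.0.255 10.80.2.0 0.0.0.255
access-list 110 deny   ip 10.80.150.0 0.0.0.255 10.80.1.0 0.0.0.255
access-list 110 deny   ip 10.80.150.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 110 deny   ip 10.80.150.0 0.0.0.255 10.80.35.0 0.0.0.255
access-list 110 permit ip 10.80.100.0 0.0.0.255 any
access-list 110 permit ip 10.80.150.0 0.0.0.255 any
"""

# vmiller's suggestion: drop the first three host permits, add permit ip any any.
REVISED_ACL = "\n".join(ORIGINAL_ACL.strip().splitlines()[3:]) + \
    "\naccess-list 110 permit ip any any\n"

# DR-site ranges from the address list (10.80.107.0/24 is an assumption).
DR_SITE = [ipaddress.ip_network(n)
           for n in ("10.80.100.0/24", "10.80.150.0/24", "10.80.107.0/24")]


class Verdict(NamedTuple):
    action: str   # "permit" or "deny"
    ace: int      # 1-based ACE that matched; 0 means the implicit deny


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    # Wildcard bits set to 1 are "don't care"; only contiguous masks such as
    # 0.0.0.255 map to a prefix, which is all this thread uses.
    if wildcard & (wildcard + 1):
        raise ValueError(f"non-contiguous wildcard {tokens[i + 1]}")
    prefix_len = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{tok}/{prefix_len}", strict=False), i + 2


def parse_acl(text):
    """Return (action, src_net, dst_net) per 'access-list N <permit|deny> ip SRC DST'."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        aces.append((tokens[2], src, dst))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First matching ACE wins; no match at all is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, src, dst) in enumerate(aces, 1):
        if s in src and d in dst:
            return Verdict(action, n)
    return Verdict("deny", 0)


def outbound_packet(a, b):
    """(src, dst) of the packets an outbound ACL on the DR ATM interface sees for
    a session between a and b, whichever side initiated it (push or pull)."""
    a_at_dr = any(ipaddress.ip_address(a) in n for n in DR_SITE)
    return (a, b) if a_at_dr else (b, a)


def check_flows(acl_text):
    """Verdicts for both SAN pairs plus two ordinary LAN-to-LAN flows."""
    aces = parse_acl(acl_text)
    sessions = {                      # endpoint order is deliberately mixed
        "equallogic": ("10.80.7.100", "10.80.107.100"),
        "nseries":    ("10.80.100.174", "10.80.2.173"),
        "lan_150":    ("10.80.150.10", "10.80.1.10"),    # constructed hosts
        "lan_100":    ("10.80.100.50", "10.80.5.20"),    # constructed hosts
    }
    return {name: evaluate(aces, *outbound_packet(*pair))
            for name, pair in sessions.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("revised", REVISED_ACL)):
        print(label, check_flows(acl))
```

Two things the run makes visible. First, the Equallogic pair is permitted under both ACLs (ACE 3 originally, the trailing permit ip any any in the revised list), and the primary-side address 10.80.7.100 only ever appears as a destination in what the outbound ACL inspects, which is why its push/pull method makes no difference to the ACL. Second, the revised ACL denies the NSeries pair at its first line: 10.80.100.174 and .175 fall inside the 10.80.100.0/24 range that the subnet denies cover, so the host permits for those two addresses were the only thing exempting them and must stay ahead of the deny entries if the denies are kept. For the tracing vmiller mentions, IOS accepts a trailing log keyword on an ACE, which records matches against that entry.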
