11-24-2015 12:21 PM - edited 03-05-2019 02:48 AM
Can someone please let me know if I have the correct Source (S) and Destination (D) defined on the attached diagram, based on the ACLs below, and will the attached ACLs work? I was told the ACL will not work this way, as the remote site ACL should be the opposite of the ASR1001 ACL. I thought ACLs had to match.
Remote Site ACLs
ip access-list extended Call-control-LAN
permit tcp host 192.168.1.100 any
permit tcp host 192.168.1.150 any
ip access-list extended Call-control-WAN
permit tcp any host 192.168.1.100 eq 5440
permit tcp any host 192.168.1.150 eq 5440
ip access-list extended ERP-LAN
permit ip host 192.168.2.50 any
permit ip host 192.168.2.55 any
ip access-list extended ERP-WAN
permit ip any host 192.168.2.50
permit ip any host 192.168.2.55
ASR1001 ACL:
ip access-list extended Call-control-LAN
permit tcp host 192.168.1.100 any
permit tcp host 192.168.1.150 any
ip access-list extended Call-control-WAN
permit tcp any host 192.168.1.100 eq 5440
permit tcp any host 192.168.1.150 eq 5440
ip access-list extended ERP-LAN
permit ip host 192.168.2.50 any
permit ip host 192.168.2.55 any
ip access-list extended ERP-WAN
permit ip any host 192.168.2.50
permit ip any host 192.168.2.55
Class Map defined on both routers:
class-map match-all Call-control-LAN
match access-group name Call-control-LAN
class-map match-all Call-control-WAN
match access-group name Call-control-WAN
class-map match-all ERP-LAN
match access-group name ERP-LAN
class-map match-all ERP-WAN
match access-group name ERP-WAN
11-25-2015 12:18 AM
Hi there,
ACLs should be written relative to the device and direction of traffic on which they are being applied.
As far as the 'remote switch' is concerned, when the 'core switches' send traffic they are the source, when the 'remote switch' is transmitting the 'core switch' would be the destination.
Switch perspective:
switch (Tx) --> core (Rx) == Source -> Destination
switch (Rx) <-- core (Tx) == Destination <- Source
cheers,
Seb.
11-25-2015 02:10 PM
Hello,
You did not specify any IP addresses on your diagram and also on which interfaces you are going to apply your ACL.
You also need to pay attention to return traffic, because an ACL is stateless.
Masoud
11-25-2015 03:36 PM
Hi,
I can't really understand your diagram in relation to S and D.
I assume the 192.168.1.0 and 192.168.2.0 networks are at the remote site and you want to classify the traffic so you can use a policy map to control the different types of traffic. If so, you would have an input policy on the WAN routers, so at the remote site it would apply to the connection from the switch. That would be ACLs Call-control-LAN and ERP-LAN; at head office, on input to the WAN router, you would use ACLs Call-control-WAN and ERP-WAN to classify the traffic in an inbound policy map.
Once classified you can assign bandwidth on an outbound policy map applied to the WAN interfaces.
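The following is an added example, not part of any post in this thread: a small Python evaluator that parses the four ACLs exactly as posted and runs sample packets through them with IOS first-match semantics (implicit deny at the end, "ip" matching any protocol, "eq" checked against the destination port). It shows the two points made above: which class an input policy on each router would place a packet in, and why the stateless -WAN lists do not match the return traffic of a session that a remote-site host opened. The head-office address 10.0.0.5, the server port 2000 and the ephemeral port 50123 are constructed for the example; the thread gives no head-office addressing.

```python
"""Evaluate the thread's ACLs against sample packets to show why direction and
return traffic matter (stateless, first-match, implicit deny).  Added example,
not code from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL text as posted in the thread; both routers carry the same four lists.
ACL_CONFIG = """
ip access-list extended Call-control-LAN
 permit tcp host 192.168.1.100 any
 permit tcp host 192.168.1.150 any
ip access-list extended Call-control-WAN
 permit tcp any host 192.168.1.100 eq 5440
 permit tcp any host 192.168.1.150 eq 5440
ip access-list extended ERP-LAN
 permit ip host 192.168.2.50 any
 permit ip host 192.168.2.55 any
ip access-list extended ERP-WAN
 permit ip any host 192.168.2.50
 permit ip any host 192.168.2.55
"""

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # "eq <port>" qualifier on the destination, if present

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a hostmask (an IOS wildcard) after the slash for contiguous masks
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acls(text):
    """Parse 'ip access-list extended NAME' blocks into {name: [Ace, ...]} (the subset of IOS syntax used here)."""
    acls, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            acls[current] = []
        elif tokens[0] in ("permit", "deny"):
            action, proto = tokens[0], tokens[1]
            src, rest = _parse_addr(tokens[2:])
            dst, rest = _parse_addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            acls[current].append(Ace(action, proto, src, dst, dport))
    return acls

def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or pkt.dport == ace.dport

def acl_permits(aces, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False

def classify(acls, class_order, pkt):
    """Name of the first class-map (each matching one ACL) the packet hits, or None for class-default."""
    for name in class_order:
        if acl_permits(acls[name], pkt):
            return name
    return None

ACLS = parse_acls(ACL_CONFIG)
LAN_CLASSES = ["Call-control-LAN", "ERP-LAN"]   # policy applied inbound on the LAN-facing interface
WAN_CLASSES = ["Call-control-WAN", "ERP-WAN"]   # policy applied inbound on the WAN-facing interface

# Constructed sample flow (10.0.0.5, port 2000 and port 50123 are assumptions):
# the remote-site call-control host opens a TCP session from an ephemeral port
# to a head-office server, and the server replies.
OUTBOUND = Packet("tcp", "192.168.1.100", "10.0.0.5", sport=50123, dport=2000)
RETURN = Packet("tcp", "10.0.0.5", "192.168.1.100", sport=2000, dport=50123)
# A head-office host connecting *to* port 5440 on the call-control host.
INBOUND_5440 = Packet("tcp", "10.0.0.5", "192.168.1.100", sport=40000, dport=5440)

if __name__ == "__main__":
    print("LAN-side inbound:", classify(ACLS, LAN_CLASSES, OUTBOUND))
    print("WAN-side inbound, return traffic:", classify(ACLS, WAN_CLASSES, RETURN))
    print("WAN-side inbound, to port 5440:", classify(ACLS, WAN_CLASSES, INBOUND_5440))
```

The return packet of the session falls into class-default on the WAN side because its destination port is the ephemeral port, not 5440; only connections made to port 5440 on the call-control hosts hit Call-control-WAN. Unless the application really listens on 5440 at the remote site, the -WAN lists should either match the direction the sessions actually flow or drop the port qualifier, which is the "pay attention to return traffic" point made above.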