06-24-2013 11:15 AM - edited 03-07-2019 02:03 PM
Hi all,
Just in case there is a way I am not aware of. Let's say I have a range for a VLAN: 192.168.1.0 /24, and I need to deny www traffic to ten (10) contiguous hosts from 192.168.1.10 thru 192.168.1.20. This statement:
deny tcp 192.168.1.10 - 192.168.1.20 any eq www
Is the above possible in IOS, or can one only permit/deny ranges based on subnet mask?
Thanks
Juan
06-24-2013 01:44 PM
Hi,
if this is on a router you could use object-group: http://routing-bits.com/2008/10/29/acl-object-groups-now-on-cisco-ios/
Regards
Alain
Don't forget to rate helpful posts.
06-24-2013 01:54 PM
Thanks Alain. This is a Cisco 3750X switch with image: c3750e-ipbasek9-mz.122-58.SE2
It does not seem to take that "object-group" command. That would certainly do it.
Thanks anyway
Juan
06-24-2013 11:22 PM
Hi,
yes this feature is not supported on switches.
It won't be possible with a one-liner ACL but you could narrow it down to 4 instead of 10 like this:
access-list 101 deny tcp any 192.168.1.10 0.0.0.1 eq www
access-list 101 deny tcp any 192.168.1.12 0.0.0.3 eq www
access-list 101 deny tcp any 192.168.1.16 0.0.0.3 eq www
access-list 101 deny tcp any host 192.168.1.20 eq www
I don't think this can be reduced further without getting overlaps.
Regards
Alain
Don't forget to rate helpful posts.
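The four-line decomposition Alain gives above is one instance of a general rule: the fewest non-overlapping IOS ACEs for a contiguous host range is the minimal CIDR summarization of that range, with each block's host mask used as the wildcard. The script below (an added example, not code from the thread or from Cisco) generalizes that: it summarizes any inclusive IPv4 range, renders the numbered extended-ACL lines, and then probes every host in and around the range to confirm exactly-once coverage. The function names and the probe margin are my own choices; the ACL syntax is the one used in the thread.

```python
import ipaddress


def summarize_range(first, last):
    """Return the minimal list of (address, wildcard) pairs whose union is
    exactly the inclusive host range first..last.

    ipaddress.summarize_address_range() yields the fewest CIDR blocks that
    cover the range without overlap; each block becomes one IOS ACE, with
    the wildcard mask being the block's host mask (the inverse netmask).
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    return [(str(net.network_address), str(net.hostmask))
            for net in ipaddress.summarize_address_range(lo, hi)]


def acl_entries(acl_id, action, proto, first, last, port, src="any"):
    """Render IOS numbered extended-ACL lines for a destination range.
    A single-host block (/32) is written in the 'host X' form."""
    lines = []
    for addr, wildcard in summarize_range(first, last):
        dst = f"host {addr}" if wildcard == "0.0.0.0" else f"{addr} {wildcard}"
        lines.append(f"access-list {acl_id} {action} {proto} {src} {dst} eq {port}")
    return lines


def matches(addr, wildcard, candidate):
    """IOS wildcard-mask semantics: a set bit in the wildcard means
    'don't care'; only the cleared bits must equal the ACE address."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    c = int(ipaddress.IPv4Address(candidate))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (c & care)


def check_coverage(first, last, entries, probe_margin=8):
    """Probe every host in first..last plus probe_margin hosts on either
    side. Returns (ok, extra, bad): 'extra' lists out-of-range hosts that
    some ACE matched (over-blocking), 'bad' lists in-range hosts matched
    zero times (gap) or more than once (overlap)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    extra, bad = [], []
    for n in range(lo - probe_margin, hi + probe_margin + 1):
        host = str(ipaddress.IPv4Address(n))
        hits = sum(1 for addr, wc in entries if matches(addr, wc, host))
        if lo <= n <= hi:
            if hits != 1:
                bad.append(host)
        elif hits:
            extra.append(host)
    return (not extra and not bad), extra, bad


if __name__ == "__main__":
    # Constructed input: the range from the question in this thread.
    first, last = "192.168.1.10", "192.168.1.20"
    entries = summarize_range(first, last)
    for line in acl_entries(101, "deny", "tcp", first, last, "www"):
        print(line)
    ok, extra, bad = check_coverage(first, last, entries)
    print(f"exact cover: {ok}, ACEs needed: {len(entries)}")
```

The number of ACEs returned is also a rough proxy for the TCAM cost Peter describes later in the thread: a range that happens to align with a power-of-two boundary compresses to one entry, while an unlucky range of the same size can need several.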
06-25-2013 03:57 AM
Thanks Alain. I thought of that one.
I think the bottom line is that CISCO does not encourage the use of security/ACLs on switches and that's why object-groups are not available.
In our particular case, letting an ASA (allows object-groups) handle it for the switch turns into a bottleneck. Even with etherchannels, it is not a match for the backplane speed of a CISCO 3750 switch stack without having to go up to the ASA and come back down.
Juan
06-25-2013 04:17 AM
Hi Juan,
I think the bottom line is that CISCO does not encourage the use of security/ACLs on switches and that's why object-groups are not available.
Why do you think so? I have not seen any indication of Cisco discouraging the use of ACLs on switches.
There is a different aspect to it, I believe. On these platforms, the matching operations from ACLs have to be compiled and downloaded into TCAM, which is a scarce resource. The more complicated an ACL gets, the more space it occupies in the TCAM. Object groups or IP address ranges that cannot be covered by a simple subnet are particularly unpleasant because they result in numerous entries to be programmed into the TCAM. I would suspect that is the reason why more complicated matching operations or objects are not readily available on lower-end switching platforms - they would either require more TCAM space, or the capabilities of the TCAM simply do not meet the requirements of the matching operations in question.
Best regards,
Peter
06-25-2013 04:24 AM
Thanks Peter for your input, I think you are correct. However, based on experience with two TAC engineers, they have suggested the use of ASAs in front of switches to handle ACLs. Then I have voiced to them the bottleneck issue and they have no answers for that. I guess it is difficult to argue that Etherchannel would be faster than backplane speed.
I appreciate though your thoughts on TCAM space. Something to consider.
Juan