09-25-2012 08:01 AM - edited 03-07-2019 09:06 AM
There are two ways of configuring communication from Router1's LAN to Router2's LAN and from Router2's LAN to Router1's LAN:
1. Through a static route (see the Method1 config in the diagram)
2. Through an ACL (for example, an extended ACL) (see the Method2 config in the diagram)
I want to know about the logical behaviour of my concern: are Method1 and Method2 the same or different? If they are different, then explain it to me.
I know this is a stupid and non-logical question.
Solved! Go to Solution.
09-25-2012 08:19 AM
These are not the same.
Method 1 is used to allow traffic to route between the 10.0.0.x network and the 30.0.0.x network. Without these routes no traffic could go between those two networks.
Method 2 is about controlling access between the two networks. But if you didn't have the routes you added in method 1 then the access-lists would make no difference, i.e. with only the access-lists and no routes there would be no communication between the subnets.
Think of it like this. Routing (method 1) is used to allow communication between different networks. Without correct routing information routers cannot send traffic to the correct destination. So without setting up routing, whether with static routes or a dynamic routing protocol, you won't be able to communicate between the networks.
Once routing is set up you can then, optionally, restrict which subnets or devices on subnets can talk to other subnets or devices on other subnets. One of the ways to do this is to use access-lists. Note that even though you have allowed all IP in your access-lists it still makes no difference until you have set up routing.
In practice you wouldn't use the ACLs you have defined because they are redundant in your example, i.e. you are permitting everything, so why bother with an ACL.
Jon
09-25-2012 08:44 AM
Thanks Jon,
One more query related to extended access lists. Suppose I have two VLANs, i.e. VLAN 10 and VLAN 20,
on a Cisco 3560 switch using inter-VLAN routing.
If I apply only one access list to restrict traffic from VLAN 10 to VLAN 20, then it restricts traffic from
VLAN 20 to VLAN 10 also. Weird???
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Does an ACL work unidirectionally or bidirectionally????
09-25-2012 08:55 AM
An ACL works unidirectionally, but you have to understand what is happening here. If you applied the ACL inbound to VLAN 10 then it restricts what traffic can come from clients in VLAN 10. So using your example and assuming 192.168.10.0 is VLAN 10 and 192.168.20.0 is VLAN 20:
If you try to connect from a VLAN 10 device to a VLAN 20 device your ACL will block it (if it is applied inbound), which is expected behaviour.
If you try to connect from a VLAN 20 device to a VLAN 10 device the traffic is allowed through to the VLAN 10 device, but the return traffic is blocked because of your ACL. Notice that it is the return traffic being blocked, not the original packet from VLAN 20.
Jon
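The two points Jon makes above (a permit-all ACL does nothing until a route exists, and an ACL applied inbound on one VLAN blocks the return half of a conversation started from the other VLAN) can be reproduced with a small forwarding model. This is an added example, not Cisco IOS code and not from either poster: the Router class, the packet results and the 20.0.0.0/30 link prefix are constructed for the illustration; the 10.0.0.0/24, 30.0.0.0/24, 192.168.10.0/24 and 192.168.20.0/24 networks and ACL 101 are the ones from the thread, with the wildcard masks written as CIDR prefixes. A "permit ip any any" entry is added after the thread's deny so that the example shows the effect of that one deny rather than the implicit deny at the end of every Cisco ACL.

```python
import ipaddress


class Router:
    """Minimal L3 forwarder: connected interfaces, static routes, inbound ACLs."""

    def __init__(self):
        self.interfaces = {}   # name -> directly connected ip_network
        self.routes = []       # (ip_network, outgoing interface name)
        self.acls_in = {}      # interface name -> [(action, src_net, dst_net)]

    def add_interface(self, name, prefix):
        self.interfaces[name] = ipaddress.ip_network(prefix)

    def add_static_route(self, prefix, out_iface):
        self.routes.append((ipaddress.ip_network(prefix), out_iface))

    def apply_acl_in(self, iface, entries):
        self.acls_in[iface] = [(a, ipaddress.ip_network(s), ipaddress.ip_network(d))
                               for a, s, d in entries]

    def ingress_interface(self, src):
        return next((n for n, net in self.interfaces.items() if src in net), None)

    def lookup_route(self, dst):
        # Connected networks and static routes compete by longest prefix match.
        cands = [(net, n) for n, net in self.interfaces.items() if dst in net]
        cands += [(net, out) for net, out in self.routes if dst in net]
        return max(cands, key=lambda c: c[0].prefixlen)[1] if cands else None

    def acl_permits(self, iface, src, dst):
        entries = self.acls_in.get(iface)
        if entries is None:
            return True            # no ACL on this interface: everything passes
        for action, s, d in entries:
            if src in s and dst in d:
                return action == "permit"
        return False               # implicit deny at the end of every Cisco ACL

    def forward(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        in_iface = self.ingress_interface(src)
        if in_iface is None:
            return "dropped: unknown source interface"
        if not self.acl_permits(in_iface, src, dst):   # ACL checked on ingress
            return f"denied by ACL inbound on {in_iface}"
        out = self.lookup_route(dst)
        if out is None:
            return "dropped: no route to destination"  # routing decides reachability
        return f"forwarded via {out}"


def exchange(router, client, server):
    """Request from client to server, then the server's reply (only if the request got through)."""
    request = router.forward(client, server)
    reply = router.forward(server, client) if request.startswith("forwarded") else None
    return request, reply


def demo_routing_vs_acl():
    """Method 2 alone (permit-all ACL) vs Method 1 (a static route) on Router1."""
    r1 = Router()
    r1.add_interface("lan", "10.0.0.0/24")
    r1.add_interface("wan", "20.0.0.0/30")        # constructed link towards Router2
    r1.apply_acl_in("lan", [("permit", "0.0.0.0/0", "0.0.0.0/0")])  # "permit ip any any"
    before = r1.forward("10.0.0.5", "30.0.0.5")   # ACL permits, but no route -> dropped
    r1.add_static_route("30.0.0.0/24", "wan")     # Method 1
    after = r1.forward("10.0.0.5", "30.0.0.5")    # now forwarded
    return before, after


def demo_acl_direction():
    """ACL 101 applied inbound on VLAN 10 of the 3560; nothing applied on VLAN 20."""
    sw = Router()
    sw.add_interface("vlan10", "192.168.10.0/24")
    sw.add_interface("vlan20", "192.168.20.0/24")
    sw.apply_acl_in("vlan10", [
        ("deny", "192.168.10.0/24", "192.168.20.0/24"),   # the thread's ACL 101 entry
        ("permit", "0.0.0.0/0", "0.0.0.0/0"),             # added so only that deny is tested
    ])
    from_vlan10 = exchange(sw, "192.168.10.5", "192.168.20.5")  # request denied on ingress
    from_vlan20 = exchange(sw, "192.168.20.5", "192.168.10.5")  # request ok, reply denied
    return from_vlan10, from_vlan20


if __name__ == "__main__":
    print(demo_routing_vs_acl())
    print(demo_acl_direction())
```

Running it shows the second conversation failing in the way Jon describes: the packet from VLAN 20 is forwarded, and it is the VLAN 10 host's reply that the inbound ACL on VLAN 10 drops, so a one-directional ACL still breaks a two-way TCP or ICMP exchange started from either side.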