Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
681
Views
0
Helpful
4
Replies

Edge switchport ACLs, Confused

Go to solution
Christopher Calhoun
Level 1
Level 1

‎12-05-2013 05:49 AM - edited ‎03-07-2019 04:56 PM

So my question is does a ACL need to define permit access to the gateway of the network.

Example ACL configured on the edge port on a 10.0.0.0/24 network.

Gateway of the network is 10.0.0.1

Host of the network is 10.0.0.200

Host only needs access to tcp/80 on 192.168.1.200

Edge switchport acl would say:

ip access-list extended Edge_ACL

    permit tcp host 10.0.0.200 host 192.168.1.200 eq www
    deny ip any any log

Question is do I need to make it look like this:

ip access-list extended Edge_ACL

    permit ip host 10.0.0.200 host 10.0.0.1

    permit tcp host 10.0.0.200 host 192.168.1.200 eq www
    deny ip any any log

Thanks,

Chris

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Christopher Calhoun

‎12-05-2013 06:23 AM

Chris

You've managed to confuse me as well and I have just edited my previous reply because i was wrong.

You do not need to allow traffic to the default gateway because that is never the destination IP of the packet. So your first acl would work. It still would block all other traffic including traffic to other 10.0.0.x hosts but it would allow the traffic to the web server.

When the PC wants to talk the web server it arps out for the gateway mac address (or uses it if it is in the arp table) and then sends the packet with a destination IP of the web server which is allowed in your acl. So no need to add the default gateway to the acl.

Apologies for the misleading info, sometimes i amaze even myself with how stupid i can be

Jon

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎12-05-2013 06:08 AM

Chris

What do you mean by edge port ? Do you mean the actual port connected to the PC or something else ?

Generally acls are applied on L3 vlan interfaces on a switch to control traffic between vlans. If you do it on the physical port then you need to explicitly allow everything you want. So if your original acl was applied on port inbound the 10.0.0.200 wouldn't be able to talk to anything ie.

1) it can't talk to 192.168.1.200 because it can't get to it's default gateway  <--- this is wrong so please ignore

2) it can't even talk to other 10.0.0.x hosts in the same vlan

What is it that you are trying to achieve ?

Jon

0 Helpful

Go to solution
Christopher Calhoun
Level 1
Level 1

‎12-05-2013 06:16 AM

Jon,

I am looking at edge ports facing computers, be it a guest or company asset. The example above would be a guest computer talking to an resource internally for example.

We are implementing ISE and I just confused the crap out of myself with the way I should be writing downloadable ACLs.

Thanks,

Chris         

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Christopher Calhoun

‎12-05-2013 06:23 AM

Chris

You've managed to confuse me as well and I have just edited my previous reply because i was wrong.

You do not need to allow traffic to the default gateway because that is never the destination IP of the packet. So your first acl would work. It still would block all other traffic including traffic to other 10.0.0.x hosts but it would allow the traffic to the web server.

When the PC wants to talk the web server it arps out for the gateway mac address (or uses it if it is in the arp table) and then sends the packet with a destination IP of the web server which is allowed in your acl. So no need to add the default gateway to the acl.

Apologies for the misleading info, sometimes i amaze even myself with how stupid i can be

Jon

0 Helpful

Go to solution
Christopher Calhoun
Level 1
Level 1

‎12-05-2013 06:26 AM

That is what happend to me on my drive to work. I confused the crap out of myself.

Thanks for clarifying it makes perfect since.

Chris

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card