12-05-2013 05:49 AM - edited 03-07-2019 04:56 PM
So my question is: does an ACL need to define permit access to the gateway of the network?
Example ACL configured on the edge port on a 10.0.0.0/24 network.
Gateway of the network is 10.0.0.1
Host of the network is 10.0.0.200
Host only needs access to tcp/80 on 192.168.1.200
Edge switchport acl would say:
ip access-list extended Edge_ACL
permit tcp host 10.0.0.200 host 192.168.1.200 eq www
deny ip any any log
Question is, do I need to make it look like this:
ip access-list extended Edge_ACL
permit ip host 10.0.0.200 host 10.0.0.1
permit tcp host 10.0.0.200 host 192.168.1.200 eq www
deny ip any any log
Thanks,
Chris
12-05-2013 06:08 AM
Chris
What do you mean by edge port? Do you mean the actual port connected to the PC, or something else?
Generally ACLs are applied on L3 VLAN interfaces on a switch to control traffic between VLANs. If you do it on the physical port, then you need to explicitly allow everything you want. So if your original ACL was applied inbound on the port, 10.0.0.200 wouldn't be able to talk to anything, i.e.
1) it can't talk to 192.168.1.200 because it can't get to its default gateway <--- this is wrong so please ignore
2) it can't even talk to other 10.0.0.x hosts in the same VLAN
What is it that you are trying to achieve?
Jon
12-05-2013 06:16 AM
Jon,
I am looking at edge ports facing computers, be it a guest or a company asset. The example above would be a guest computer talking to a resource internally, for example.
We are implementing ISE and I just confused the crap out of myself with the way I should be writing downloadable ACLs.
Thanks,
Chris
12-05-2013 06:23 AM
Chris
You've managed to confuse me as well and I have just edited my previous reply because I was wrong.
You do not need to allow traffic to the default gateway because that is never the destination IP of the packet. So your first ACL would work. It would still block all other traffic, including traffic to other 10.0.0.x hosts, but it would allow the traffic to the web server.
When the PC wants to talk to the web server, it ARPs for the gateway MAC address (or uses it if it is already in the ARP table) and then sends the packet with a destination IP of the web server, which is allowed in your ACL. So there is no need to add the default gateway to the ACL.
Apologies for the misleading info; sometimes I amaze even myself with how stupid I can be.
Jon
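To make the point above concrete, here is an added example (not from this thread, not Cisco code) that models how an IOS-style extended ACL is walked top-down against the IP header, with the host's own next-hop decision kept separate so you can see that the gateway only ever appears as the ARP target, never as the destination IP. The ACL text is the one from the question; the other addresses, the port-name table and all function names are constructed for the example, and the parser is deliberately simplified (contiguous wildcard masks, destination-side "eq" only, no "established", "range" or source-port operators).

```python
# Constructed model of IOS extended ACL evaluation; not the switch's real code path.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Small subset of the port keywords IOS accepts in place of a number.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23, "domain": 53}

# The two ACLs from the question, verbatim apart from indentation.
ACL_FIRST = """
ip access-list extended Edge_ACL
 permit tcp host 10.0.0.200 host 192.168.1.200 eq www
 deny ip any any log
"""
ACL_WITH_GATEWAY = """
ip access-list extended Edge_ACL
 permit ip host 10.0.0.200 host 10.0.0.1
 permit tcp host 10.0.0.200 host 192.168.1.200 eq www
 deny ip any any log
"""


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp" as seen in the IP header
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # set only when the ACE carries "eq <port>"


def _addr_spec(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    if wildcard == "0.0.0.0":   # all-zero wildcard means a single host
        return ipaddress.IPv4Network(tok + "/32")
    # ipaddress reads a mask whose first octet is zero as a host mask, which is
    # exactly what a (contiguous) IOS wildcard mask is.
    return ipaddress.IPv4Network(f"{tok}/{wildcard}", strict=False)


def parse_acl(text: str) -> List[Entry]:
    """Turn the named-ACL text into an ordered list of entries (header/remarks skipped)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _addr_spec(rest)
        dst = _addr_spec(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        # Anything left over ("log", ...) does not affect the match decision.
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; return (action, 1-based entry number) or the implicit deny."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for number, e in enumerate(entries, 1):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, number
    return "deny", None         # implicit deny at the end of every IOS ACL


def arp_target(dst_ip: str, local_net: str, gateway_ip: str) -> str:
    """The host's forwarding decision: on-link destinations are ARPed for directly,
    everything else is framed to the gateway's MAC. The IP destination is unchanged."""
    on_link = ipaddress.IPv4Address(dst_ip) in ipaddress.IPv4Network(local_net)
    return dst_ip if on_link else gateway_ip


if __name__ == "__main__":
    web = Packet("tcp", "10.0.0.200", "192.168.1.200", 80)
    print("ARP for:", arp_target(web.dst, "10.0.0.0/24", "10.0.0.1"))   # gateway
    print("ACL sees dst:", web.dst, "->", evaluate(parse_acl(ACL_FIRST), web))
    ping_gw = Packet("icmp", "10.0.0.200", "10.0.0.1")
    print("ping gateway, first ACL:", evaluate(parse_acl(ACL_FIRST), ping_gw))
    print("ping gateway, second ACL:", evaluate(parse_acl(ACL_WITH_GATEWAY), ping_gw))
```

Running it shows the two halves of the answer side by side: the host ARPs for 10.0.0.1, but the packet the port ACL inspects still carries 192.168.1.200 as its destination, so the first ACL permits it on entry 1. The only thing the extra `permit ip host 10.0.0.200 host 10.0.0.1` line buys you is traffic addressed to the gateway itself (pings to the SVI, for instance), which the first ACL drops and logs on its `deny ip any any log` entry.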
12-05-2013 06:26 AM
That is what happened to me on my drive to work. I confused the crap out of myself.
Thanks for clarifying, it makes perfect sense.
Chris