10-28-2020 11:38 AM
Hello!
I need to ping left side switches from right side switches, and need to deny TCP from right side switches to left side switches.
I attached the diagram.
Thanks.
10-28-2020 04:56 PM
"when I use "deny tcp any any" then both sides cant 'telnet'. do I need put all pairs of sources and destinations?"
Correct, which is why I mentioned (totally) blocking TCP in one direction will also (totally) block TCP from working, and so, my ACL did just that.
"I need to 'telnet' from left switches to right and I don't need to 'telnet' right side to left side."
That's quite a different requirement from your OP, and more sensible too.
What Paul shows is one way to do that, but not the only way. You could further exclude all TCP but telnet, while still allowing it (telnet) in one direction. Further, depending on what devices you actually need telnet access to, you might use a reflexive ACL or, if the router has the feature set, FW rules.
As to where to place the ACL, again it depends on ACL, whether in or out, and interface.
From an "efficiency" standpoint, you want to block (drop) as soon as possible.
From a "configuration management" standpoint, you want to define the ACL in as few places as possible. For the latter, your interfaces that connect the two core routers would be the best location. (Although I wrote interfaces, i.e. plural, you could just apply the ACL on just one of the core routers.)
BTW, for understanding ACLs, keep in mind, from the perspective of the interface you apply it to, and whether applied in or out (or both), what will be the packet's source and destination fields.
If you have other questions, please ask, but hopefully, you now better see how you often need to be very specific in your requirements. My original response, I believe, addressed your OP while trying to clarify your requirements.
For another example of requirements, it's unclear whether you need/want to have this ACL restrict certain address blocks.
10-28-2020 12:56 PM
"I need to ping left side switches from right side switches . . ."
Well, that's the default, unless you use an ACL to block. So, unsure what you intend. Did you only mean to only allow that? If so, that would block everything else.
". . . deny TCP from right side Switches to left side Switches"
ip access-list extended blockTCP
deny tcp any any
permit ip any any
The deny blocks all TCP, but TCP wouldn't work even if you blocked only a single direction. However, you could do so; then you need to be careful with source vs. destination fields, ACLs in or out, and what interface(s) it is placed on.
10-28-2020 02:10 PM
When I use "deny tcp any any" then both sides can't 'telnet'. Do I need to put all pairs of sources and destinations?
I need to 'telnet' from left switches to right and I don't need to 'telnet' right side to left side.
10-28-2020 02:19 PM
Hello @Asiri Vishwajith
Use the ACL I posted and test against it.
10-28-2020 02:25 PM
10-28-2020 02:38 PM
Hello
You won't be able to.
You stated to deny all tcp/icmp from left to right; that's what the ACL is denying, initiation of tcp/icmp echo connections from left to right. However, it will allow right to left.
11-01-2020 09:46 AM
Thank you
10-28-2020 01:36 PM - edited 10-28-2020 04:56 PM
Hello
Apply this acl to each rtr on the left gig0/0 interface
ip access-list extended left-right
permit tcp 172.16.x.0 0.0.0.255 172.16.8.0 0.0.7.255 established
deny tcp 172.16.x.0 0.0.0.255 172.16.8.0 0.0.7.255
deny icmp 172.16.x.0 0.0.0.255 172.16.8.0 0.0.7.255 echo
permit ip any any
int gig0/0
ip access-group left-right in
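As an added illustration (not part of the thread, and not Cisco code), here is a small Python model of first-match ACL evaluation. It walks Paul's ACL above and the earlier "deny tcp any any" ACL with the same four packets seen inbound on the left router's LAN interface, showing why the `established` entry only blocks sessions initiated from the left while a bare TCP deny also drops the SYN-ACK replies and so breaks telnet in both directions. The left subnet is assumed to be 172.16.1.0/24 in place of the thread's "172.16.x.0".

```python
# Added example: a minimal first-match model of extended ACL evaluation.
import ipaddress

def _in(net, addr):
    # Wildcard masks from the thread: 0.0.0.255 is /24, 0.0.7.255 is /21.
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt; unmatched packets hit the implicit deny."""
    for action, proto, src, dst, qualifier in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (_in(src, pkt["src"]) and _in(dst, pkt["dst"])):
            continue
        # 'established' matches only segments with ACK or RST set, never a bare SYN.
        if qualifier == "established" and not (pkt.get("ack") or pkt.get("rst")):
            continue
        if qualifier == "echo" and pkt.get("type") != "echo":
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL

# Paul's ACL, with 172.16.1.0/24 assumed for the left "172.16.x.0" subnet.
LEFT_RIGHT = [
    ("permit", "tcp",  "172.16.1.0/24", "172.16.8.0/21", "established"),
    ("deny",   "tcp",  "172.16.1.0/24", "172.16.8.0/21", None),
    ("deny",   "icmp", "172.16.1.0/24", "172.16.8.0/21", "echo"),
    ("permit", "ip",   "any",           "any",           None),
]
# The earlier blanket ACL from the thread.
BLOCK_TCP = [("deny", "tcp", "any", "any", None), ("permit", "ip", "any", "any", None)]

# Constructed packets as seen inbound on gig0/0 of a left router: source is
# always a left host and destination a right host, whoever opened the session.
SYN      = {"proto": "tcp",  "src": "172.16.1.10", "dst": "172.16.8.20", "ack": False}
SYN_ACK  = {"proto": "tcp",  "src": "172.16.1.10", "dst": "172.16.8.20", "ack": True}
ECHO     = {"proto": "icmp", "src": "172.16.1.10", "dst": "172.16.8.20", "type": "echo"}
ECHO_REP = {"proto": "icmp", "src": "172.16.1.10", "dst": "172.16.8.20", "type": "echo-reply"}

def summary(acl):
    cases = [("syn", SYN), ("syn_ack", SYN_ACK), ("echo", ECHO), ("echo_reply", ECHO_REP)]
    return {name: evaluate(acl, pkt) for name, pkt in cases}

if __name__ == "__main__":
    print("left-right:", summary(LEFT_RIGHT))  # left cannot initiate; right's sessions get replies
    print("blockTCP:  ", summary(BLOCK_TCP))   # SYN-ACK dropped too, so telnet fails both ways
```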