Cisco 4503 Access Lists

interedlb
Level 1

Hello,

My internal network is divided into two subnets 192.168.5.0 and 192.168.50.0

The PCs on the subnet 5.0 have 192.168.5.3 as a gateway and the PCs on the subnet 50.0 have 192.168.50.3 as a gateway.

I have a Cisco 4503 with VLANs and ACLS configured. After the Cisco switch, traffic will pass through a firewall with the IP 192.168.5.1 to go to the internet.

I configured two VLANs on the Cisco switch and created ACLs. What I basically want to do is the following:

1. Allow traffic from the subnet 50.0 to only certain servers on the subnet 5.0

2. Allow traffic from the subnet 50.0 to the internet.

3. Allow traffic from the subnet 5.0 to subnet 50.0 (Only to the computers that are allowed to access the 5.0 subnet) and to the internet.

Find attached my current configuration on the Cisco switch. This current configuration is doing the required job but I know that my ACL configuration can be improved.

For example, in ACL Subnet5 if I permit "from 192.168.5.0 to any" instead of "any to any", subnet 50.0 won't have internet access which is weird!

Is my ACL configuration correct?

Accepted Solution

jorg.ramakers
Level 1

Hi,

You have to limit your denies in your acl.

Every packet needs to go through the list of denies before hitting the permit. Accessing an acl by a packet can be very cpu intensive, and your cpu will go crazy.

At the end of every acl you have an implicit deny all (deny ip any any) which you don't see.

So you can go for

ACL vlan 50
permit ip host 192.168.50.x host 192.168.5.x
permit ip host 192.168.50.x host 192.168.5.x
deny ip 192.168.50.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip any any (the internet)

ACL vlan 5
permit ip host 192.168.5.x host 192.168.50.x
permit ip host 192.168.5.x host 192.168.50.x
(implicit deny ip any any)

Cheers

J.

4 Replies

Hi,

Thank you for your reply. This is exactly what I needed in order to limit the size of my ACL while allowing internet access at the same time. I still have some questions if you don't mind.

1- Under ACL vlan 5, I entered only one line which is "permit ip any any" in order to give internet access to the subnet 5.0. The ACL of vlan 50 is taking care of the denies between the two subnets, that's why I didn't enter any deny under the ACL vlan 5. This seems to be working just fine, but is it correct in terms of ACL design?

2- Both ACLs are applied to the VLANs in the incoming direction:

int vlan 5
ip access-group Subnet5 in

int vlan 50
ip access-group Subnet50 in

If we take subnet 5.0 and its ACL, I am applying the ACL in the incoming direction but in the ACL entries I am blocking traffic "FROM" 50.x "TO" 5.x

Even though applying the ACL in the incoming direction is doing the job, shouldn't the ACL be applied in the outgoing direction?

Thank you.

Hi,

1. Your way of working is not incorrect, but try to limit your traffic to the place where it is not needed. If you block it first, the unwanted traffic is not allowed to enter the vlan. That's the way I would do it and I don't think there are general rules for acl design.

2. Inbound is in the router / MLS switch.

If you work a lot with acls, just spread your arms where you are the router. Incoming is into you and outgoing is out of your arms. It looks silly in the beginning but then it is easier to manage acls.

cheers

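The following Python model of how the two ACLs above are evaluated is an added example written for this page; it is not code from the thread or from Cisco. It implements the evaluation rules the accepted solution relies on (first matching entry wins, IOS wildcard masks, the invisible "deny ip any any" at the end) and the direction rule from the reply just above: an "ip access-group ... in" on an SVI is checked only for packets that enter that VLAN and are routed by the switch, not for frames bridged within the VLAN. The hosts 192.168.5.10, 192.168.50.8, 192.168.50.9 and 192.168.5.20 are constructed stand-ins for the "x" placeholders, 203.0.113.10 stands in for "the internet", and two modelling assumptions are mine: internet traffic enters the switch on VLAN 5 (the firewall's VLAN), and the firewall delivers replies to 192.168.5.x hosts directly while sending replies for 192.168.50.x through the SVI. It runs the three VLAN 5 ACL variants that appear in this thread against the same VLAN 50 ACL, which reproduces the observation in the question: with "permit ip 192.168.5.0 0.0.0.255 any" on VLAN 5, replies from the internet to 192.168.50.x arrive on VLAN 5 with a non-5.x source and fall through to the implicit deny, while 192.168.5.x keeps internet access.

```python
"""ACL evaluation model (added example, not from the thread): first-match, IOS
wildcard masks, implicit deny, and inbound SVI direction for the thread's topology."""
import ipaddress
from dataclasses import dataclass

SUBNET5 = ipaddress.ip_network("192.168.5.0/24")    # firewall 192.168.5.1 lives here
SUBNET50 = ipaddress.ip_network("192.168.50.0/24")


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str


def _take_addr(tokens):
    """Consume one IOS address spec from a token list, return (spec, remaining)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines as typed into an IOS extended ACL."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action, _proto, *rest = tokens      # protocol keyword (ip) ignored: IP-only model
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest)
        aces.append(Ace(action, src, dst))
    return aces


def _matches(spec, ip):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    word, value = spec.split()
    addr = int(ipaddress.IPv4Address(ip))
    if word == "host":
        return addr == int(ipaddress.IPv4Address(value))
    net = int(ipaddress.IPv4Address(word))
    care = ~int(ipaddress.IPv4Address(value)) & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(acl, src, dst):
    """First matching entry wins; index len(acl) is the invisible 'deny ip any any'."""
    for i, ace in enumerate(acl):
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action, i
    return "deny", len(acl)


def _subnet_of(ip):
    a = ipaddress.ip_address(ip)
    return 5 if a in SUBNET5 else 50 if a in SUBNET50 else "internet"


def _switch_routes(src, dst):
    """Only packets the switch routes off a VLAN hit that SVI's inbound ACL (assumption:
    intra-VLAN frames are bridged, and the firewall hands replies to 5.x hosts directly)."""
    s, d = _subnet_of(src), _subnet_of(dst)
    return s != d and not (s == "internet" and d == 5)


def packet_allowed(acls, src, dst):
    """Internet traffic enters on VLAN 5 (the firewall's VLAN); 50.x enters on VLAN 50."""
    if not _switch_routes(src, dst):
        return True
    ingress_vlan = 50 if _subnet_of(src) == 50 else 5
    return evaluate(acls[ingress_vlan], src, dst)[0] == "permit"


def flow_allowed(acls, client, server):
    """A connection needs both the request and the reply to pass their ingress ACLs."""
    return packet_allowed(acls, client, server) and packet_allowed(acls, server, client)


# Constructed hosts: 192.168.5.10 is the one server subnet 50 may reach, 192.168.50.8
# the one client allowed to reach it; 203.0.113.10 stands in for "the internet".
ACL_SUBNET50 = parse_acl("""
permit ip host 192.168.50.8 host 192.168.5.10
deny ip 192.168.50.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip any any
""")

VLAN5_VARIANTS = {
    "host permits only (implicit deny)": parse_acl("permit ip host 192.168.5.10 host 192.168.50.8"),
    "permit ip any any": parse_acl("permit ip any any"),
    "permit ip 192.168.5.0 0.0.0.255 any": parse_acl("permit ip 192.168.5.0 0.0.0.255 any"),
}

FLOWS = [
    ("192.168.50.8", "192.168.5.10"),   # allowed client -> allowed server
    ("192.168.50.9", "192.168.5.10"),   # any other 50.x client -> server
    ("192.168.50.8", "203.0.113.10"),   # subnet 50 -> internet
    ("192.168.5.20", "203.0.113.10"),   # subnet 5 -> internet
    ("192.168.5.10", "192.168.50.9"),   # server -> unlisted 50.x host
]


def run_variants():
    """Map each VLAN 5 ACL variant to its list of flow verdicts, in FLOWS order."""
    return {name: [flow_allowed({5: acl5, 50: ACL_SUBNET50}, c, s) for c, s in FLOWS]
            for name, acl5 in VLAN5_VARIANTS.items()}


if __name__ == "__main__":
    for name, verdicts in run_variants().items():
        print(name)
        for (c, s), ok in zip(FLOWS, verdicts):
            print(f"  {c:>14} -> {s:<14} {'allowed' if ok else 'blocked'}")
```

Running it prints one verdict table per VLAN 5 variant. The VLAN 50 ACL decides the 50.x-to-5.x cases in both directions of a connection (its deny line stops the reply of a server-initiated flow to an unlisted 50.x host as well), and the VLAN 5 variant decides only what may enter the switch from VLAN 5 and be routed elsewhere, which is why the wording of that single permit line changes internet reachability for the other subnet.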
Again thank you for your reply. I reconfigured my ACL and heavily decreased the number of entries.

One more question pls: Each entry in the ACL of subnet 5 should have an "opposite" entry in the ACL of subnet 50?

For example if in ACL-Subnet5 I have the entry: "permit ip host 192.168.5.3 host 192.168.50.8" then in ACL-Subnet50 I should have the entry: "permit ip host 192.168.50.8 host 192.168.5.3"?

Thank you.
