ACL on a 4507R Layer 3 Switch

Jan 25th, 2010

I need an ACL to permit NTP from my PDC to my external time server.

I believe this is how it should work...

access-list 101 permit udp host (PDC) host (NTP server) eq ntp
access-list 101 deny ip any any log

interface vlan 100
 ip address 192.168.1.254 255.255.255.0
 description NTP server network
 ip access-group 101 in

interface vlan 2
 ip address 192.168.2.254 255.255.255.0
 description PDC network

BUT, it doesn't work unless I swap the source and destination address around, like so...

access-list 101 permit udp host (NTP server) host (PDC) eq ntp

Because I have placed the ACL on the NTP server's interface inbound, should the source IP address be the device requesting time from the NTP server?

Thanks,

Kevin


Correct Answer
Jon Marshall Mon, 01/25/2010 - 08:27

kevin.livingston wrote:

I need an ACL to permit NTP from my PDC to my external time server.

I believe this is how it should work...

access-list 101 permit udp host (PDC) host (NTP server) eq ntp
access-list 101 deny ip any any log

interface vlan 100
 ip address 192.168.1.254 255.255.255.0
 description NTP server network
 ip access-group 101 in

interface vlan 2
 ip address 192.168.2.254 255.255.255.0
 description PDC network

BUT, it doesn't work unless I swap the source and destination address around, like so...

access-list 101 permit udp host (NTP server) host (PDC) eq ntp

Because I have placed the ACL on the NTP server's interface inbound, should the source IP address be the device requesting time from the NTP server?

Thanks,

Kevin


Kevin

An access-list applied inbound to a VLAN interface controls traffic coming from clients on that VLAN.
An access-list applied outbound to a VLAN interface controls traffic going to clients on that VLAN.

So your ACL should have been applied to int vlan 2 inbound if you wanted to limit traffic from the PDC.

By the way, presumably that isn't the full ACL?

Jon

KEVIN LIVINGSTON Mon, 01/25/2010 - 08:52

jon.marshall wrote:



Kevin

An access-list applied inbound to a VLAN interface controls traffic coming from clients on that VLAN.
An access-list applied outbound to a VLAN interface controls traffic going to clients on that VLAN.

So your ACL should have been applied to int vlan 2 inbound if you wanted to limit traffic from the PDC.

By the way, presumably that isn't the full ACL?

Jon

Jon,

Correct, this is not the full ACL. I continue to struggle with in and out. Thanks for the quick help.

Correct Answer
Ganesh Hariharan Mon, 01/25/2010 - 08:55



Kevin,

Jon has given clear concepts of ACLs and how to apply them to interfaces. Just to add to Jon's suggestion: apply the ACL as per the flow, where the source traffic hits the interface.

If the NTP server is on VLAN 2 and the client is on VLAN 100, apply the ACL in the "in" direction on VLAN 100, with the client as source and the NTP server as destination.

Hope to help

Ganesh.H

KEVIN LIVINGSTON Mon, 01/25/2010 - 09:16

Jon and Ganesh,

Great help!! But... here's the thing. VLAN 100 is my admin VLAN and VLANs 2 - 25 have user hosts. I need to restrict traffic on the admin VLAN to just a few specific hosts per user VLAN (one for NTP, one per VLAN for SNMP); that is why I placed the ACL on VLAN 100. I see now "in" was the wrong direction. Can I control traffic to and from my admin VLAN without placing ACLs on all the VLANs???

Thanks

Kevin

Correct Answer
sachinraja Mon, 01/25/2010 - 09:28

Hi Kevin

Note that any data traffic is bidirectional. I mean, when traffic goes from a user VLAN to VLAN 100 (admin), it has to come back from the admin VLAN to the user VLAN (request/response).

Hence you can restrict the reverse traffic on VLAN 100 with appropriate source and destination IP addresses:

access-list 101 permit udp host (ntp server) eq ntp host (pdc)
access-list 101 deny ip any any log

The only issue with doing this is that the destination port becomes random, and we need to restrict traffic using the source port. And again, you would need to define tons of other ACLs based on the traffic on your admin VLAN; e.g. if your admin VLAN has other servers like SMTP, SNMP, NTP etc., your ACL config will increase!

PDC -------------------> say SNMP
source port random ---> destination port UDP 161

return traffic
source port UDP 161 ---> destination port random

So you need to write the correct ACLs to make this work. The easy way is to apply them inbound on the source interfaces as Jon pointed out, which would standardize your config.

Hope this helps. All the best

Raj
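To illustrate Jon's point about inbound ACLs on a VLAN interface and Raj's point about the request/response direction, here is an added Python model (not from the thread or from Cisco) of how an ACL applied with "ip access-group ... in" on an SVI only evaluates packets arriving from that VLAN. The PDC and NTP server addresses are assumed, picked from Kevin's 192.168.2.0/24 and 192.168.1.0/24 ranges, and the PDC's ephemeral port is constructed.

```python
from dataclasses import dataclass

# Assumed hosts: PDC on VLAN 2, NTP server on VLAN 100 (Kevin's ranges, addresses invented).
PDC, NTP_SERVER = "192.168.2.10", "192.168.1.10"

@dataclass(frozen=True)
class Packet:
    ingress_vlan: int   # VLAN the packet enters the switch from; decides which "in" ACL applies
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

def ace(action, proto, src, dst, sport=None, dport=None):
    """One access-list entry: 'any' matches every host, None matches any port."""
    return (action, proto, src, dst, sport, dport)

def ace_matches(entry, pkt):
    _action, proto, src, dst, sport, dport = entry
    return (proto in ("ip", pkt.proto)
            and src in ("any", pkt.src) and dst in ("any", pkt.dst)
            and sport in (None, pkt.sport) and dport in (None, pkt.dport))

def filter_inbound(acls, pkt):
    """acls maps VLAN id -> ACL applied with 'ip access-group <n> in' on that SVI.
    First matching entry wins; a list with no match ends in the implicit deny."""
    acl = acls.get(pkt.ingress_vlan)
    if acl is None:
        return "permit"                      # no ACL on the ingress SVI
    for entry in acl:
        if ace_matches(entry, pkt):
            return entry[0]
    return "deny"

# Kevin's original list: permit PDC -> NTP server, deny everything else.
ORIGINAL = [ace("permit", "udp", PDC, NTP_SERVER, dport=123), ace("deny", "ip", "any", "any")]
# The reversed list in Raj's form: permit replies coming from the server's port 123.
REVERSED = [ace("permit", "udp", NTP_SERVER, PDC, sport=123), ace("deny", "ip", "any", "any")]

REQUEST = Packet(2, "udp", PDC, NTP_SERVER, 49152, 123)    # PDC asks for time (constructed)
REPLY = Packet(100, "udp", NTP_SERVER, PDC, 123, 49152)    # server answers (constructed)

def ntp_exchange(acls):
    """Return (request verdict, reply verdict) for one NTP request/response pair."""
    return filter_inbound(acls, REQUEST), filter_inbound(acls, REPLY)

if __name__ == "__main__":
    print("ACL 101 in on vlan 100:", ntp_exchange({100: ORIGINAL}))   # ('permit', 'deny')
    print("ACL 101 in on vlan 2:", ntp_exchange({2: ORIGINAL}))       # ('permit', 'permit')
```

With the list on VLAN 100 inbound, the request never reaches the ACL at all and only the reply from the server is evaluated, which is why Kevin's original entry never matched and the reversed one did; moving the same list to VLAN 2 inbound, as Jon suggested, filters the request while the reply passes.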
