Solved: ACL on a 4507R Layer 3 Switch

KEVIN LIVINGSTON · ‎01-25-2010

I need an ACL to permit NTP from my PDC to My ext. time server.

I belive this is how it should work......

access-list 101 permit host (PDC) host (NTP server) eq ntp

access-list 101 deny any any log

interf vlan 100

ip add 192.168.1.254/24

desc NTP server neetwork

access-g 101 in

interf vlan 2

ip add 192.168.2.254/24

desc PDC network

BUT, it doesn't work unless I change the source and destination address around, like so....

access-list 101 permit host (NTP server) host (PDC) eq ntp

Because I have placed the ACL on the NTPs interface inbound, should the source IP address be the device requesting the from the NTP server??

Thanks,

Kevin

Jon Marshall · ‎01-25-2010

kevin.livingston wrote:

I need an ACL to permit NTP from my PDC to My ext. time server.

I belive this is how it should work......

access-list 101 permit host (PDC) host (NTP server) eq ntp

access-list 101 deny any any log

interf vlan 100

ip add 192.168.1.254/24

desc NTP server neetwork

access-g 101 in

interf vlan 2

ip add 192.168.2.254/24

desc PDC network

BUT, it doesn't work unless I change the source and destination address around, like so....

access-list 101 permit host (NTP server) host (PDC) eq ntp

Because I have placed the ACL on the NTPs interface inbound, should the source IP address be the device requesting the from the NTP server??

Thanks,

Kevin

An access-list applied inbound to a vlan interface controls traffic coming from clients on that vlan.

An access-list applied outbound to a vlan interface controls traffic going to clients on that vlan.

So your acl should have been applied to int vlan 2 inbound if you wanted to limit traffic from the PDC.

By the way, presumably that isn't the full acl ?

Jon

View solution in original post

Ganesh Hariharan · ‎01-25-2010

I need an ACL to permit NTP from my PDC to My ext. time server.
I belive this is how it should work......
access-list 101 permit host (PDC) host (NTP server) eq ntp
access-list 101 deny any any log
interf vlan 100 
 ip add 192.168.1.254/24 
 desc NTP server neetwork
access-g 101 in
interf vlan 2 
ip add 192.168.2.254/24
desc PDC network
BUT, it doesn't work unless I change the source and destination address around, like so....
access-list 101 permit host (NTP server) host (PDC) eq ntp
Because 
I have placed the ACL on the NTPs interface inbound, should the source
IP address be the device requesting the from the NTP server??
Thanks,
Kevin

Kevin,

Jon has given clear concepts of ACL 's and how to apply those into interfaces, just to add with Jon's suggestion apply the acl as per the flow where the source traffic hits the interface.

If ntp server is on vlan 2 and client is on vlan 100 apply acl in in direction on vlan 100 src. client and dst as ntp server.

Hope to help

Ganesh.H

View solution in original post

sachinraja · ‎01-25-2010

Hi Kevin

Note that any data traffic is bidirectional.. i mean when traffic goes from user VLAN to VLAN 100 (admin), it has to come back from admin VLAN to the user VLAN.. (request/response)..

Hence you can restrict reverse traffic on VLAN 100 with appropriate source and destination IP addresses:

access-list 101 permit host (ntp server) eq ntp host (pdc)

access-list 101 deny any any log

The only issue doing this is, that the destination port becomes random , and we need to restrict traffic using source port... and again, you would need to define tons of other ACLs based on the traffic on your Admin VLAN.. eg if ur admin vlan has other servers like SMTP, SNMP, NTP etc, your ACL config will increase !

PDC -------------------> say SNMP

sourceport - random ---> destination port UDP 161

return traffic

sourceport - UDP 161 , dest port random

so, you need to write the correct ACLs to make this work.. easy way is to apply inbound on source interfaces as Jon pointed, which would standardize your config..

Hope this helps.. all the best

Raj

View solution in original post

Jon Marshall · ‎01-25-2010

kevin.livingston wrote:

I need an ACL to permit NTP from my PDC to My ext. time server.

I belive this is how it should work......

access-list 101 permit host (PDC) host (NTP server) eq ntp

access-list 101 deny any any log

interf vlan 100

ip add 192.168.1.254/24

desc NTP server neetwork

access-g 101 in

interf vlan 2

ip add 192.168.2.254/24

desc PDC network

BUT, it doesn't work unless I change the source and destination address around, like so....

access-list 101 permit host (NTP server) host (PDC) eq ntp

Because I have placed the ACL on the NTPs interface inbound, should the source IP address be the device requesting the from the NTP server??

Thanks,

Kevin

An access-list applied inbound to a vlan interface controls traffic coming from clients on that vlan.

An access-list applied outbound to a vlan interface controls traffic going to clients on that vlan.

So your acl should have been applied to int vlan 2 inbound if you wanted to limit traffic from the PDC.

By the way, presumably that isn't the full acl ?

Jon

KEVIN LIVINGSTON · ‎01-25-2010

jon.marshall wrote:

kevin.livingston wrote:

I need an ACL to permit NTP from my PDC to My ext. time server.

I belive this is how it should work......

access-list 101 permit host (PDC) host (NTP server) eq ntp

access-list 101 deny any any log

interf vlan 100

ip add 192.168.1.254/24

desc NTP server neetwork

access-g 101 in

interf vlan 2

ip add 192.168.2.254/24

desc PDC network

BUT, it doesn't work unless I change the source and destination address around, like so....

access-list 101 permit host (NTP server) host (PDC) eq ntp

Because I have placed the ACL on the NTPs interface inbound, should the source IP address be the device requesting the from the NTP server??

Thanks,

Kevin

An access-list applied inbound to a vlan interface controls traffic coming from clients on that vlan.

An access-list applied outbound to a vlan interface controls traffic going to clients on that vlan.

So your acl should have been applied to int vlan 2 inbound if you wanted to limit traffic from the PDC.

By the way, presumably that isn't the full acl ?

Jon

Jon,

Correct, this is not the full ACL. I continue to stuggle with in and out, Thanks for the quick help.

Ganesh Hariharan · ‎01-25-2010

I need an ACL to permit NTP from my PDC to My ext. time server.
I belive this is how it should work......
access-list 101 permit host (PDC) host (NTP server) eq ntp
access-list 101 deny any any log
interf vlan 100 
 ip add 192.168.1.254/24 
 desc NTP server neetwork
access-g 101 in
interf vlan 2 
ip add 192.168.2.254/24
desc PDC network
BUT, it doesn't work unless I change the source and destination address around, like so....
access-list 101 permit host (NTP server) host (PDC) eq ntp
Because 
I have placed the ACL on the NTPs interface inbound, should the source
IP address be the device requesting the from the NTP server??
Thanks,
Kevin

Kevin,

Jon has given clear concepts of ACL 's and how to apply those into interfaces, just to add with Jon's suggestion apply the acl as per the flow where the source traffic hits the interface.

If ntp server is on vlan 2 and client is on vlan 100 apply acl in in direction on vlan 100 src. client and dst as ntp server.

Hope to help

Ganesh.H

KEVIN LIVINGSTON · ‎01-25-2010

Jon and Ganesh,

Great help!! But.... Here the thing. Vlan 100 is my admin Vlan and vlans 2 - 25 have user host. I need to restrict traffice on the admin vlan to just a few specific host per user vlan (one for NTP, one per vlan for SNMP) that is why I places the ACL on vlan 100. I see now "in" was the wrong dir. Can I control traffic to and from my admin vlan, with out placing ACLs on all the vlan???

Thanks

Kevin

sachinraja · ‎01-25-2010

Hi Kevin

Note that any data traffic is bidirectional.. i mean when traffic goes from user VLAN to VLAN 100 (admin), it has to come back from admin VLAN to the user VLAN.. (request/response)..

Hence you can restrict reverse traffic on VLAN 100 with appropriate source and destination IP addresses:

access-list 101 permit host (ntp server) eq ntp host (pdc)

access-list 101 deny any any log

The only issue doing this is, that the destination port becomes random , and we need to restrict traffic using source port... and again, you would need to define tons of other ACLs based on the traffic on your Admin VLAN.. eg if ur admin vlan has other servers like SMTP, SNMP, NTP etc, your ACL config will increase !

PDC -------------------> say SNMP

sourceport - random ---> destination port UDP 161

return traffic

sourceport - UDP 161 , dest port random

so, you need to write the correct ACLs to make this work.. easy way is to apply inbound on source interfaces as Jon pointed, which would standardize your config..

Hope this helps.. all the best

Raj