acl question

Hi! I'm trying to configure ACLs on 2 x 4506 switches running HSRP. Below are the vlans created, and I'm trying to apply some ACL rules to the vlan interfaces based on the remarks I stated for each vlan. I need someone to verify whether my concept of ACLs on an L3 switch is correct. Thanks.

vlan 10 172.16.10.x/24 Office vlan
vlan 20 172.16.11.x/24 Finance vlan
vlan 30 172.16.12.x/24 Management vlan
vlan 40 172.16.13.x/24 Prod1 vlan
vlan 50 172.16.14.x/24 Prod2 vlan
vlan 60 172.16.15.x/24 server vlan

Vlan 10 (Office vlan) - only svr and finance vlan can access the office vlan + only office vlan can access finance vlan
access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255 log (IP Access-group In)

access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.15.0 0.0.0.255 log (IP Access-group In)

access-list 101 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255 log (IP Access-group Out)
access-list 101 permit ip 172.16.15.0 0.0.0.255 172.16.10.0 0.0.0.255 log (ip access-group out)

Vlan 20 (Finance vlan) - only office and svr vlan can access the finance vlan + finance vlan can only access svr and office vlan
access-list 103 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255 log (IP Access-group In)
access-list 103 permit ip 172.16.11.0 0.0.0.255 172.16.15.0 0.0.0.255 log (IP Access-group In)
access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255 log (IP Access-group Out)
access-list 104 permit ip 172.16.15.0 0.0.0.255 172.16.11.0 0.0.0.255 log (IP Access-group Out)


vlan 60 (server vlan) - 172.16.15.10 can only be accessed by office and finance vlan + all the other hosts in vlan 60 can be accessed by all the vlans + svr vlan can access all the vlans
access-list 105 permit ip 172.16.15.0 0.0.0.255 any log (IP Access-group In)
access-list 105 deny ip 172.16.12.0 0.0.0.255 host 172.16.15.10 log (IP Access-group Out)
access-list 105 deny ip 172.16.13.0 0.0.0.255 host 172.16.15.10 log (IP Access-group Out)
access-list 105 deny ip 172.16.14.0 0.0.0.255 host 172.16.15.10 log (IP Access-group Out)
access-list 106 permit ip any 172.16.15.0 0.0.0.255 log (IP Access-group Out)


vlan 30 (Management vlan) - can only be accessed by svr vlan and vice versa
access-list 107 permit ip 172.16.12.0 0.0.0.255 172.16.15.0 0.0.0.255 log (IP Access-group In)
access-list 108 permit ip 172.16.15.0 0.0.0.255 172.16.12.0 0.0.0.255 log (Ip access-group out)


vlan 40 (Prod1 vlan) - can only be accessed by svr vlan and vice versa
access-list 109 permit ip 172.16.13.0 0.0.0.255 172.16.15.0 0.0.0.255 log (IP Access-group In)
access-list 110 permit ip 172.16.15.0 0.0.0.255 172.16.13.0 0.0.0.255 log (IP Access-group Out)


vlan 50 (Prod2 vlan) - can only be accessed by svr vlan and vice versa
access-list 111 permit ip 172.16.14.0 0.0.0.255 172.16.15.0 0.0.0.255 log (IP Access-group In)
access-list 112 permit ip 172.16.15.0 0.0.0.255 172.16.14.0 0.0.0.255 log (IP Access-group Out)


Re: acl question

Hello Dkblee,

the ACLs are correct, but I would not use the log option on permit statements; you can add a last statement

deny ip any any log

you should take care only of attempts to access resources; packets and flows matching the permit statements are not so important

this is to avoid having the log buffer and syslog flooded by messages about permitted flows, which are of little interest.

There are also performance aspects to be considered: the log option forces traffic to be process switched, so it has to be avoided in permit statements on a multilayer switch.

Note also that you could apply only one ACL, for example in the inbound direction, to achieve your objectives: it is enough to stop one direction to block communications between IP subnets.

An ACL applied inbound on the SVI has source address = source address of that vlan

these inbound ACLs can also act as an anti-spoofing security measure.

We apply ACLs only inbound, and in some special cases the outbound ACL is used to refine the control.

Edit:

Important note:

you need to allow HSRP messages or other routing protocol messages, or they will be blocked, causing an active/active scenario

you can use

permit udp source-subnet 0.0.0.255 host 224.0.0.2 eq 1985

HSRP uses UDP port 1985 and the all-routers-on-subnet address 224.0.0.2 as destination

for OSPF

permit ospf source-subnet 0.0.0.255 host 224.0.0.5

permit ospf source-subnet 0.0.0.255 host 224.0.0.6

and so on

but the best choice is to make all client vlans passive = never used by routing protocols

a dedicated vlan for routing can be used

Hope to help

Giuseppe


Re: acl question

Hi!

Which means, in Eg1 below, my objective will still be achieved without ACLs 101 and 104?

As for Eg2 below, should the denied src and dest be the other way round? I mean 172.16.15.10 as a src rather than a dest + applied as OUT instead of IN?

What needs to be added in the management vlan (vlan 30) below if I want to be able to ping all the vlans from vlan 30? Please give vlan 10 as an example of one of the destinations.

Another question is that with the ACLs I configured, can I ping or access any resources within the vlan 30 subnet itself?

Thanks.

vlan 10 172.16.10.x/24 Office vlan
vlan 20 172.16.11.x/24 Finance vlan
vlan 30 172.16.12.x/24 Management vlan
vlan 40 172.16.13.x/24 Prod1 vlan
vlan 50 172.16.14.x/24 Prod2 vlan
vlan 60 172.16.15.x/24 server vlan

Eg1

Vlan 10 (Office vlan) - only svr and finance vlan can access the office vlan + only office vlan can access finance vlan
access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255 (IP Access-group In)
access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.15.0 0.0.0.255  (IP Access-group In)
access-list 101 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255  (IP Access-group Out)
access-list 101 permit ip 172.16.15.0 0.0.0.255 172.16.10.0 0.0.0.255  (ip access-group out)



Vlan 20 (Finance vlan) - only office and svr vlan can access the finance vlan + finance vlan can only access svr and office vlan
access-list 103 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255  (IP Access-group In)
access-list 103 permit ip 172.16.11.0 0.0.0.255 172.16.15.0 0.0.0.255  (IP Access-group In)
access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255  (IP Access-group Out)
access-list 104 permit ip 172.16.15.0 0.0.0.255 172.16.11.0 0.0.0.255  (IP Access-group Out)

Eg2


vlan 60 (server vlan) - 172.16.15.10 can only be accessed by office and finance vlan + all the other hosts in vlan 60 can be accessed by all the vlans + svr vlan can access all the vlans
access-list 105 permit ip 172.16.15.0 0.0.0.255 any (IP Access-group In)

access-list 106 deny ip 172.16.12.0 0.0.0.255 host 172.16.15.10  (IP Access-group Out)
access-list 106 deny ip 172.16.13.0 0.0.0.255 host 172.16.15.10  (IP Access-group Out)
access-list 106 deny ip 172.16.14.0 0.0.0.255 host 172.16.15.10  (IP Access-group Out)
access-list 106 permit ip any 172.16.15.0 0.0.0.255  (IP Access-group Out)


vlan 30 (Management vlan) - can only be accessed by svr vlan and vice versa
access-list 107 permit ip 172.16.12.0 0.0.0.255 172.16.15.0 0.0.0.255  (IP Access-group In)
access-list 108 permit ip 172.16.15.0 0.0.0.255 172.16.12.0 0.0.0.255  (Ip access-group out)

Hi,

As Giuseppe suggested, and as a basic rule of thumb for applying the ACL in the inbound direction and near to the source, I will just take an example for one rule so that you can deploy it for the other departments.

vlan 10 172.16.10.x/24 Office vlan

vlan 20 172.16.11.x/24 Finance vlan
vlan 30 172.16.12.x/24 Management vlan
vlan 40 172.16.13.x/24 Prod1 vlan
vlan 50 172.16.14.x/24 Prod2 vlan
vlan 60 172.16.15.x/24 server vlan

As per the requirement Vlan 10 (Office vlan) - only svr and finance vlan can access the office vlan + only office vlan can access finance vlan

So apply the ACL in the inbound direction on the svr vlan interface and the finance vlan interface for the office vlan subnet, and on the office vlan interface towards the finance vlan subnet.
int vlan office (vlan 10)
access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255(ip access-group in)
int vlan svr (vlan 60)
access-list 101 permit ip 172.16.15.0 0.0.0.255 172.16.10.0 0.0.0.255(ip access-group in)
int vlan fin (vlan 20)
access-list 102 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255(ip access-group in)
With the above example you can easily deploy the ACL in the in direction towards the required destination and restrict at the start.
Hope to Help !!
Ganesh.H
Remember to rate the helpful post

Re: acl question

Dear Ganesh,

Your ACLs are absolutely fine except the one below

As per the requirement Vlan 10 (Office vlan) - only svr and finance vlan can access the office vlan + only office vlan can access finance vlan

So apply the acl in inbound direction in svr vlan interface and finance vlan interface for office vlan subnet and in office vlan interface towards the finance vlan subnet.
int vlan office (vlan 10)
access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255(ip access-group in)


Shouldn't the above ACL be applied in the outbound direction?

Because I can interpret the above statement as:

do permit any ip traffic which is

----> sourced from my subnet/Office vlan 10/svi (172.16.10.0),

----> destined to finance vlan 20 (172.16.11.0),

----> "while this traffic is entering into my VLAN".

It should rather have been "while it is exiting out of my VLAN".

Please note:

If you are very desperate to apply this statement "inbound", you could very well place your statement under the SVI VLAN 20

int vlan 20

access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255(ip access-group in)

Happy networking !!!

Rgds,

Narendrakumar B

Remember to rate the helpful post!!


Hi Narendrakumar,

If you see my previous post example, vlan 20 has a subnet of 172.16.11.x/24 (Finance vlan), and as per the requirement the office vlan subnet is to talk to the finance subnet. The office vlan subnet is vlan 10, 172.16.10.x/24 (Office vlan), so if you say to apply the ACL on int vlan 20 with a source of office vlan 172.16.10.0 with access-group in on interface vlan 20, the better recommendation says to apply the ACL from where the traffic is generated.

Hope to Help !!

Ganesh.H


Re: acl question

Hi! Thanks for the comments. Any advice on my other questions listed? Thanks for the help.

Regards,

David Lee

Re: acl question

Dear Ganesh,

I totally agree with you that it is recommended to apply an extended ACL from where the traffic is generated, because the traffic should not travel a long distance to find out that it is getting denied.

Hence, I agree with you that we are going to place the statement under "int vlan 10" only.

But my confusion is applying it INBOUND or OUTBOUND. You have applied it inbound (match when the traffic is coming in). Shouldn't that be applied outbound (match when the traffic is going out)?

your Statement :

int vlan 10

access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255(ip access-group in)

Shouldn't the above ACL be applied in the outbound direction, as follows?

int vlan 10

access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255(ip access-group out)

Please correct me if I'm wrong.

I would greatly appreciate it if you could let me know whether there is any difference between the above statements in this scenario.

I totally understand how the inbound and outbound statements work when applied under a physical interface. But I'm stuck here with my understanding, since we are applying the statement under an SVI.

In short, my question is: "Do ACL statements make no difference in how they function when applied under an SVI (like int vlan 10), irrespective of the direction they are applied in?"

Thanks for your time and Happy Networking !!!

Rgds,

Narendrakumar B


Hi Narendrakumar,

If you apply an ACL in the 'out' direction, the source can be anything while the destination can be 'any' or the vlan machines to which the traffic will be coming. In short, an access-list applied in the outbound direction to a vlan interface filters traffic going TO machines on that vlan, and an access-list applied inbound to a vlan filters traffic coming FROM machines on that vlan.

Now for your query: as per the requirement, vlan 10 traffic needs to talk to vlan 11 traffic, and that is why I have asked to place the ACL in the in direction on vlan 10. If you apply that ACL in the out direction on vlan interface 10, the source IP address in this ACL is the vlan's own subnet, so the ACL will not work.

Hope to clear your query !!

Ganesh.H
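The SVI direction rule Giuseppe and Ganesh describe (an inbound ACL on an SVI only ever sees that VLAN's own subnet as source, so one inbound ACL plus the implicit deny is enough, and HSRP hellos must be permitted explicitly), as an added example that is not part of this thread: a constructed Python model of IOS wildcard matching and first-match evaluation, using the thread's subnets and the OP's access-list 100. The packet dictionaries and host addresses are constructed for the demonstration.

```python
import ipaddress
from collections import namedtuple

# Constructed model of IOS extended-ACL evaluation on SVIs (not Cisco code);
# the subnets are the thread's VLANs and ACL100 is the OP's access-list 100.
SVI = {10: "172.16.10.0/24", 20: "172.16.11.0/24",
       30: "172.16.12.0/24", 60: "172.16.15.0/24"}
# Ace: action "permit"/"deny"; proto "ip" (any) or "udp"...; src/dst are
# "net wildcard", "any" or "host a.b.c.d"; dport stands for "eq <port>".
Ace = namedtuple("Ace", "action proto src dst dport", defaults=(None,))

def wildcard_match(spec, addr):
    """IOS wildcard mask: a 1 bit in the mask means 'do not care' for that bit."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == ipaddress.ip_address(addr)
    net, wild = spec.split()
    n, w, a = (int(ipaddress.ip_address(x)) for x in (net, wild, addr))
    return (n | w) == (a | w)

def evaluate(acl, pkt):
    """First matching ACE wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if (ace.proto in ("ip", pkt["proto"]) and ace.dport in (None, pkt.get("dport"))
                and wildcard_match(ace.src, pkt["src"]) and wildcard_match(ace.dst, pkt["dst"])):
            return ace.action
    return "deny"

def vlan_of(addr):
    return next(v for v, n in SVI.items() if ipaddress.ip_address(addr) in ipaddress.ip_network(n))

def routed(pkt, acls):
    """acls: {(vlan, 'in'|'out'): [Ace]}. The inbound ACL of the source VLAN's SVI is
    checked first, the outbound ACL of the destination VLAN's SVI last."""
    for key in ((vlan_of(pkt["src"]), "in"), (vlan_of(pkt["dst"]), "out")):
        if key in acls and evaluate(acls[key], pkt) == "deny":
            return False
    return True

ACL100 = [Ace("permit", "ip", "172.16.10.0 0.0.0.255", "172.16.11.0 0.0.0.255"),
          Ace("permit", "ip", "172.16.10.0 0.0.0.255", "172.16.15.0 0.0.0.255")]
ACL100_HSRP = [Ace("permit", "udp", "172.16.10.0 0.0.0.255", "host 224.0.0.2", 1985)] + ACL100
HSRP_HELLO = {"proto": "udp", "src": "172.16.10.2", "dst": "224.0.0.2", "dport": 1985}

def inbound_only():
    """ACL 100 inbound on vlan 10 only: office->finance, office->management, finance->office."""
    acls = {(10, "in"): ACL100}
    flows = [("172.16.10.5", "172.16.11.5"), ("172.16.10.5", "172.16.12.5"), ("172.16.11.5", "172.16.10.5")]
    return tuple(routed({"proto": "tcp", "src": s, "dst": d}, acls) for s, d in flows)

def outbound_misapplied():
    """Same ACL outbound on vlan 10 sees packets TO vlan 10 hosts, never sourced 172.16.10.x."""
    return routed({"proto": "tcp", "src": "172.16.11.5", "dst": "172.16.10.5"}, {(10, "out"): ACL100})

def hsrp_hello_passes(acl):
    """HSRP hellos (UDP 1985 to 224.0.0.2) are checked by the inbound SVI ACL as well."""
    return evaluate(acl, HSRP_HELLO) == "permit"
```

`inbound_only()` returns (True, False, True): office to finance is permitted, office to management falls to the implicit deny, and the finance-to-office reply is never inspected, so the OP's outbound ACL 101 adds nothing; `outbound_misapplied()` returns False and `hsrp_hello_passes(ACL100)` returns False until the UDP 1985 permit is added.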

Re: acl question

Dear Ganesh,

Thank you very much for your clarification. And your post is rated !!! Cheerz!!!!

Happy Networking!!!!!

Rgds

Narendrakumar B
