
Edge switchport ACLs, Confused

So my question is does a ACL need to define permit access to the gateway of the network.

Example ACL configured on the edge port on a 10.0.0.0/24 network.

Gateway of the network is 10.0.0.1

Host of the network is 10.0.0.200

Host only needs access to tcp/80 on 192.168.1.200

Edge switchport acl would say:

ip access-list extended Edge_ACL
    permit tcp host 10.0.0.200 host 192.168.1.200 eq www
    deny ip any any log

Question is do I need to make it look like this:

ip access-list extended Edge_ACL
    permit ip host 10.0.0.200 host 10.0.0.1
    permit tcp host 10.0.0.200 host 192.168.1.200 eq www
    deny ip any any log

Thanks,

Chris

Accepted Solution
Hall of Fame Super Blue

Re: Edge switchport ACLs, Confused

Chris

You've managed to confuse me as well, and I have just edited my previous reply because I was wrong.

You do not need to allow traffic to the default gateway because that is never the destination IP of the packet. So your first acl would work. It still would block all other traffic including traffic to other 10.0.0.x hosts but it would allow the traffic to the web server.

When the PC wants to talk to the web server it ARPs out for the gateway MAC address (or uses it if it is in the ARP table) and then sends the packet with a destination IP of the web server, which is allowed in your acl. So no need to add the default gateway to the acl.

Apologies for the misleading info; sometimes I amaze even myself with how stupid I can be.

Jon
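To make the accepted answer concrete, here is an added example (not from the original thread or from Cisco): a small Python model of how an extended ACL evaluates a packet. It compares only the L3/L4 header fields an ACE names, so the default gateway, which appears only as the packet's destination MAC, needs no entry. The MAC addresses and the 10.0.0.50 peer host are constructed values.

```python
import ipaddress
from dataclasses import dataclass
# Constructed MAC addresses for the thread's topology (not from the original post).
GATEWAY_MAC = "00:11:22:33:44:01"   # MAC of 10.0.0.1, learned via ARP
PEER_MAC = "00:11:22:33:44:50"      # MAC of another host in 10.0.0.0/24

@dataclass(frozen=True)
class Packet:
    dst_mac: str        # L2 next hop: the gateway MAC for off-subnet traffic
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    dst_port: int = 0   # 0 = no L4 port (e.g. ICMP)

@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every IP protocol
    src: str            # "host 10.0.0.200" -> "10.0.0.200/32", "any" -> "0.0.0.0/0"
    dst: str
    dst_port: int = 0   # "eq www" -> 80; 0 = any port

    def matches(self, pkt: Packet) -> bool:
        # Only L3/L4 header fields are compared. The destination MAC is never
        # examined, which is why the default gateway needs no ACL entry.
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.dst_port == 0 or self.dst_port == pkt.dst_port

def evaluate(acl: list, pkt: Packet) -> str:
    # First matching ACE wins; every IOS ACL ends with an implicit deny.
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

# Chris's first Edge_ACL, with no entry for the gateway.
EDGE_ACL = [
    Ace("permit", "tcp", "10.0.0.200/32", "192.168.1.200/32", 80),
    Ace("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

def edge_acl_results() -> dict:
    web = Packet(GATEWAY_MAC, "10.0.0.200", "192.168.1.200", "tcp", 80)
    peer = Packet(PEER_MAC, "10.0.0.200", "10.0.0.50", "tcp", 445)
    gw_ping = Packet(GATEWAY_MAC, "10.0.0.200", "10.0.0.1", "icmp")
    return {"web": evaluate(EDGE_ACL, web), "same_vlan": evaluate(EDGE_ACL, peer),
            "ping_gateway": evaluate(EDGE_ACL, gw_ping)}
```

The web traffic is permitted even though its frame is addressed to the gateway MAC, while traffic to another 10.0.0.x host and a ping of the gateway itself both hit the deny, exactly as Jon describes.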

4 REPLIES
Hall of Fame Super Blue

Re: Edge switchport ACLs, Confused

Chris

What do you mean by edge port? Do you mean the actual port connected to the PC or something else?

Generally acls are applied on L3 vlan interfaces on a switch to control traffic between vlans. If you do it on the physical port then you need to explicitly allow everything you want. So if your original acl was applied inbound on the port, 10.0.0.200 wouldn't be able to talk to anything, i.e.:

1) it can't talk to 192.168.1.200 because it can't get to its default gateway  <--- this is wrong so please ignore

2) it can't even talk to other 10.0.0.x hosts in the same vlan

What is it that you are trying to achieve ?

Jon

Edge switchport ACLs, Confused

Jon,

I am looking at edge ports facing computers, be it a guest or company asset. The example above would be a guest computer talking to a resource internally, for example.

We are implementing ISE and I just confused the crap out of myself with the way I should be writing downloadable ACLs.

Thanks,

Chris         

Re: Edge switchport ACLs, Confused

That is what happened to me on my drive to work. I confused the crap out of myself.

Thanks for clarifying; it makes perfect sense.

Chris
