11849 Views | 5 Helpful | 13 Replies

question about the direction of ACL , in or out?

dannan lin
Level 1

Hi,

I have a question about the direction of access lists.

I want to control the traffic between VLANs. Below is the topology.

[image: 2011-11-21_120526.png (topology diagram)]

There are three VLANs:

vlan 10: 10.10.10.0/24
vlan 20: 20.20.20.0/24
vlan 30: 30.30.30.0/24

Their IP addresses are acquired via DHCP.

I wished to block traffic between VLAN 10 and VLAN 20 and allow VLAN 30 to visit both VLAN 10 and 20.

Here is the ACL detail:

!
access-list 101 deny tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 20.20.20.0 0.0.0.255 30.30.30.0 0.0.0.255
access-list 101 permit udp any eq bootpc any
!
!
interface FastEthernet0/0.2
 encapsulation dot1Q 20
 ip address 20.20.20.20 255.255.255.0
 ip access-group 101 in
!

The above configuration works, but I do not understand why. Because the source address in the ACL is 20.20.20.0 and the destination is 10.10.10.0 or 30.30.30.0,

the direction is supposed to be "out", right?

But if I put "out" on f0/0.2, the above command didn't work; it simply blocked all traffic to 20.20.20.0/24.

Can anyone help me out here?

Thanks in advance.

2 Accepted Solutions (darren.g's first reply and cadet alain's reply on stateless ACLs, both shown in full among the replies below)

13 Replies

darren.g
Level 5

dannan lin wrote: [the original question, quoted in full]

The "in" in the access-group command refers to traffic coming IN to the interface - I.E. traffic from any node with an address in VLAN2, hitting the interface f0/0.2 (I.E. hitting the default router) and heading elsewhere.

So, what your access list is doing is prohibiting nodes in the 20.20.20.0/24 network from accessing the 10.10.10.0/24 network with any TCP protocol, permitting nodes in 20.20.20.0/24 to nodes in 30.30.30.0/24 on any IP protocol, and allowing the UDP bootp protocol so go anywhere. There is an implicit deny any any at the end of your list, so *only* those conditions will be allowed - anything else will be blocked. Remember, you're only controlling traffic which ORIGINATES (I.E. not ack or return data packets) in the 20.20.20.0/24 network with these commands - if you want to stop the other VLAN's, you have to apply an access list to them also.

Also, when writing access lists, it's best to put your broader statements first, and narrow them down as you progress through the list - this is because packets are processed line by line, and once they hit a matching access-list statement there is no further processing - so I'd write your access list to look like this

access-list 101 permit udp any eq bootpc any
access-list 101 permit ip 20.20.20.0 0.0.0.255 30.30.30.0 0.0.0.255
access-list 101 deny tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255

To actually do what you want, you need an access list on each VLAN interface - because you're only blocking traffic originating in VLAN20 at this point.

Apologies for any slips - it's been a long time since I played with access lists on routers - most of what I do is on firewalls now.

Cheers.

Hi Darren, thanks for your help.

I am still not so sure when to use "in" or "out".

The term "in" means information flows into the router, and "out" means traffic goes out of the router, don't they?

So in my case

permit ip 20.20.20.0 0.0.0.255 30.30.30.0 0.0.0.255

20.20.20.0/24 is the source network address and 30.30.30.0/24 is the destination network address.

From this point it is obviously an "out" relationship, because I configured it at the f0/0.2 interface which is the gateway of the 20.20.20.0/24 network. I cannot have information originated from the router and coming back to that router.

It doesn't make much sense.

Below I have drawn an "in"/"out" map (from the 20 network to the 30 network) based on my understanding. Correct me if I am wrong.

it goes like

switch f0/4-(out)-------------------------(in)--> router f0/0.2 -(out)--------------(in)->router f0/0.3---(out)----------------(in)-> swf0/4

int f0/0.2 cannot have an "in" relationship in my opinion, because the command I used was

permit ip 20.20.20.0 0.0.0.255 30.30.30.0 0.0.0.255

20.20.20.0 is the source and the destination is 30.30.30.0. It must be "out".

Please help me on this, I have been thinking about this for days.

Krishnendu AR
Level 1

Even I'm curious to know why the commands below are not working:

interface FastEthernet0/0.2
 encapsulation dot1Q 20
 ip address 20.20.20.20 255.255.255.0
 ip access-group 101 out

Krishna

Hi,

If you want to use OUT, then it needs to be placed at the switch below the router.

HTH,

Smitesh

Krishnendu AR wrote:

Even I'm curious to know why the commands below are not working:

interface FastEthernet0/0.2
 encapsulation dot1Q 20
 ip address 20.20.20.20 255.255.255.0
 ip access-group 101 out

Krishna

Because that would affect commands going OUT from the f0/0.2 interface.

In other words, you'd be blocking traffic with a source address of 20.20.20.0/24 from going out of the interface to the network 20.20.20.0/24 - which is pretty pointless, because you're not going to be originating traffic from the router (remember, the access-list doesn't affect ACK or return packets, because they're in an existing flow) with an address in the 20.20.20.0/24 network - unless you were connected to the router and running a PING or something using the 20.20.20.20 address from the SVI as the source of the PING.

Cheers.

Hi Darren,

access-list 101 deny tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 20.20.20.0 0.0.0.255 30.30.30.0 0.0.0.255
access-list 101 permit udp any eq bootpc any

interface FastEthernet0/0.2
 encapsulation dot1Q 20
 ip address 20.20.20.20 255.255.255.0
 ip access-group 101 out

This should block all the traffic from the 20.x.x.x subnet to 10.x.x.x which passes outbound on FastEthernet0/0.2?

Krishna

Hi,

Traffic going in on this interface has a src IP in the 20 network, and traffic going out has a dst IP in the 20 network.

So when the router parses your ACL from top to bottom:

- first line = no match
- second line = no match
- 3rd line = match if this is a DHCP offer or DHCP ack going out to the 20 network
- 4th line = match (implicit deny all), so traffic from the 10 or 30 network will be denied

Regards.

Alain

Don't forget to rate helpful posts.

Hi Darren,

remember, the access-list doesn't affect ACK or return packets, because they're in an existing flow

ACLs are stateless, so they only care about packet header info, not about the state of the flow, except if you use the established keyword or a reflexive ACL. But even in these cases the router is not really making a state table: in the former case it is looking for a flag in the TCP header, and in the latter it is opening a hole by configuring a temporary ACL for return traffic.

Regards.

Alain

Don't forget to rate helpful posts.

Thank you guys, but are there any shortcuts to determine "in" and "out"?

Also I want to make sure I understand "in" and "out" correctly.

"in" means traffic coming into the interface from the router's perspective.

"out" means traffic leaving the router.

They are decided by the TCP header information.

Below is a Packet Tracer screenshot showing in-layer and out-layer information.

But are there any shortcuts to determine "in" and "out" rather than checking the TCP header?

Please forgive my stupidity.

Hello,

What do you want to do? It shows as ICMP. That's why it didn't hit any rules (deny by default).

1. Think as your body is a router

2. Think as your arms are interfaces.

The direction in or out is considered from your body(point of view).

HTH,

Toshi

Hi thotsaphon,

Thanks, I realised my mistake now.

But I have another question.

I have redone my experiment.

access-list 1 deny 20.20.20.0 0.0.0.255
access-list 1 deny 30.30.30.0 0.0.0.255
access-list 1 permit any

access-list 2 deny 30.30.30.0 0.0.0.255
access-list 2 deny 10.10.10.0 0.0.0.255
access-list 2 permit any

access-list 3 deny 10.10.10.0 0.0.0.255
access-list 3 deny 20.20.20.0 0.0.0.255
access-list 3 permit any

interface FastEthernet0/0.1
 encapsulation dot1Q 10
 ip address 10.10.10.10 255.255.255.0
 ip access-group 1 out
!
interface FastEthernet0/0.2
 encapsulation dot1Q 20
 ip address 20.20.20.20 255.255.255.0
 ip access-group 2 out
!
interface FastEthernet0/0.3
 encapsulation dot1Q 30
 ip address 30.30.30.30 255.255.255.0
 ip access-group 3 out
!

I wanted to block the VLANs from communicating with each other.

The above configuration is not going to work if I use "in". Is there any simple explanation?

Thanks in advance.

Hi,

Okay, I got your point. You need to know how a standard access-list works. It's all about the source IP address. You have to think about how packets flow in/out of the router. To let you know how it works, I will let you get it done.

!
access-list 2 deny 30.30.30.0 0.0.0.255
!

It means: deny packets sourced from the 30.30.30.0/24 network.

Cheers,

Toshi
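The direction question that runs through this thread (darren.g's "in means traffic coming IN to the interface", cadet alain's top-to-bottom walk of ACL 101 applied "out", and Toshi's point that a standard list matches on source address only) can be checked with a small simulator. The code below is an added example, not code from this thread or from Cisco: it parses the numbered ACLs posted above (wildcard masks, first match wins, implicit deny at the end), models the three subinterfaces, and applies the receiving subinterface's "in" list and then the sending subinterface's "out" list to each packet. The ACL lines and subnet addresses are the ones from the thread; the host addresses and port numbers of the sample packets are constructed, and the `forward`, `evaluate` and `parse_acl` names are this example's own.

```python
"""Simulate Cisco IOS numbered ACL evaluation and the 'in'/'out' direction
of 'ip access-group'. Added example; ACL text and subnets are from the thread,
the sample hosts and ports are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68}   # only the names this example needs
ANY = (0, 0xFFFFFFFF)                         # 'any' == 0.0.0.0 255.255.255.255


def ip2int(s):
    return int(ipaddress.IPv4Address(s))


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass
class Ace:
    action: str
    proto: str          # "ip" matches every protocol
    src: tuple
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]


def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' into (address, wildcard) ints."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (ip2int(tok[i + 1]), 0), i + 2
    return (ip2int(tok[i]), ip2int(tok[i + 1])), i + 2


def _port(tok, i):
    """Parse an optional 'eq PORT' qualifier (name or number)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list N ...' lines; numbers 1-99 are standard (source only)."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        number, action = int(tok[1]), tok[2]
        if number <= 99:
            src, _ = _addr(tok, 3)
            acl.append(Ace(action, "ip", src, None, ANY, None))
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        acl.append(Ace(action, tok[3], src, sport, dst, dport))
    return acl


def _addr_match(addr, spec):
    net, wc = spec                                  # wildcard 1-bits are "don't care"
    return (ip2int(addr) ^ net) & (~wc & 0xFFFFFFFF) == 0


def evaluate(acl, pkt):
    """First matching entry wins; running off the end is the implicit deny (index None)."""
    for n, ace in enumerate(acl, 1):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if (_addr_match(pkt.src, ace.src) and ace.sport in (None, pkt.sport)
                and _addr_match(pkt.dst, ace.dst) and ace.dport in (None, pkt.dport)):
            return ace.action, n
    return "deny", None


@dataclass
class Subif:
    name: str
    subnet: str
    acl_in: Optional[list] = None
    acl_out: Optional[list] = None


def forward(router, arrives_on, pkt):
    """Apply the receiving subinterface's 'in' list, then the sending one's 'out' list."""
    def verdict(sif, acl, direction):
        action, n = evaluate(acl, pkt)
        if action == "deny":
            return f"denied by {sif.name} {direction} ({'line %d' % n if n else 'implicit deny'})"
        return None
    ingress = router[arrives_on]
    if ingress.acl_in and (v := verdict(ingress, ingress.acl_in, "in")):
        return v
    egress = next((s for s in router.values()
                   if ipaddress.IPv4Address(pkt.dst) in ipaddress.IPv4Network(s.subnet)), None)
    if egress and egress.acl_out and (v := verdict(egress, egress.acl_out, "out")):
        return v
    return "forwarded"


ACL101 = parse_acl("""
access-list 101 deny tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 20.20.20.0 0.0.0.255 30.30.30.0 0.0.0.255
access-list 101 permit udp any eq bootpc any""")
ACL1 = parse_acl("access-list 1 deny 20.20.20.0 0.0.0.255\naccess-list 1 deny 30.30.30.0 0.0.0.255\naccess-list 1 permit any")
ACL2 = parse_acl("access-list 2 deny 30.30.30.0 0.0.0.255\naccess-list 2 deny 10.10.10.0 0.0.0.255\naccess-list 2 permit any")
ACL3 = parse_acl("access-list 3 deny 10.10.10.0 0.0.0.255\naccess-list 3 deny 20.20.20.0 0.0.0.255\naccess-list 3 permit any")

SAMPLES = {  # constructed hosts on the thread's subnets: (arriving subinterface, packet)
    "20->10 tcp/80": ("f0/0.2", Packet("20.20.20.5", "10.10.10.5", "tcp", 40000, 80)),
    "20->10 icmp":   ("f0/0.2", Packet("20.20.20.5", "10.10.10.5", "icmp")),
    "20->30 icmp":   ("f0/0.2", Packet("20.20.20.5", "30.30.30.5", "icmp")),
    "dhcp discover": ("f0/0.2", Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67)),
    "10->20 tcp/80": ("f0/0.1", Packet("10.10.10.5", "20.20.20.5", "tcp", 40000, 80)),
}


def _router():
    return {n: Subif(n, s) for n, s in (("f0/0.1", "10.10.10.0/24"),
                                          ("f0/0.2", "20.20.20.0/24"),
                                          ("f0/0.3", "30.30.30.0/24"))}


def acl101(direction):
    """The original post's ACL 101 on f0/0.2, applied 'in' or 'out'."""
    r = _router()
    setattr(r["f0/0.2"], "acl_" + direction, ACL101)
    return {k: forward(r, ifc, pkt) for k, (ifc, pkt) in SAMPLES.items()}


def standard(direction):
    """The second experiment: one source-only list per subinterface."""
    r = _router()
    for name, acl in (("f0/0.1", ACL1), ("f0/0.2", ACL2), ("f0/0.3", ACL3)):
        setattr(r[name], "acl_" + direction, acl)
    return {k: forward(r, ifc, pkt) for k, (ifc, pkt) in SAMPLES.items()}


if __name__ == "__main__":
    for label, res in (("ACL 101 in", acl101("in")), ("ACL 101 out", acl101("out")),
                       ("standard lists out", standard("out")), ("standard lists in", standard("in"))):
        print(label)
        for k, v in res.items():
            print(f"  {k:14} {v}")
```

Running it reproduces the thread's observations: with ACL 101 "in" on f0/0.2, the TCP packet from VLAN 20 to VLAN 10 dies on line 1 and the ICMP packet to VLAN 10 dies on the implicit deny (Toshi's "it shows as ICMP"), while the same list applied "out" never sees VLAN 20's own packets and instead drops every packet whose destination is in 20.20.20.0/24. The standard lists applied "out" block each cross-VLAN pair on the second list line, and applied "in" they block nothing, because the only source address arriving on each subinterface is the one the list does not deny. Since the simulator is per packet, it also shows why darren.g says a list on one subinterface controls only the packets that originate there.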

cadet alain wrote:

Hi Darren,

remember, the access-list doesn't affect ACK or return packets, because they're in an existing flow

ACLs are stateless, so they only care about packet header info, not about the state of the flow, except if you use the established keyword or a reflexive ACL. But even in these cases the router is not really making a state table: in the former case it is looking for a flag in the TCP header, and in the latter it is opening a hole by configuring a temporary ACL for return traffic.

Regards.

Alain

Like I said, it's been a long time since I did access lists on routers - most of the stuff I do these days is on firewalls, where state matters.

Back in my box now.. :-)
