
New Member

quick acl question

Just need some verification. Have a net like this

SWITCH with 10.14.180.x and 182.x VLANs. It connects via its Gig 0/1 port to the rest of the main network.

On that gig port is the command: ip access-group HIDE in

In the rest of the switch config is an ip access-list extended HIDE, with the following:

permit ip 10.14.180.0 0.0.0.255 any
permit ip 10.14.182.0 0.0.0.255 any
deny tcp any 10.14.0.0 0.0.255.255 eq 139
deny tcp any 10.14.0.0 0.0.255.255 eq netbios-dgm
deny tcp any 10.14.0.0 0.0.255.255 eq netbios-ns
deny tcp any 10.14.0.0 0.0.255.255 eq 445
permit ip any any

Now, to get this right in my head: aren't the first two permit commands useless? This is on the gig interface inbound, which is traffic from the main network, which would have destinations of 10.14.x and not sources of 10.14.x. Those first two permit statements are essentially allowing packets with source addresses of 10.14.180 and 182 to come into the gig 0/1 port from the main network, which they never will. It would be destinations of those addresses IN to the gig interface.

Or am I screwing this up?

Thanks

Gene

Sent from Cisco Technical Support iPhone App

Accepted Solution
Hall of Fame Super Silver

Re: quick acl question

Hello Gene,

I agree, your understanding is correct: if those two IP subnets are downstream of the switch, then in the inbound direction on the core-facing interface they should appear only in the destination field.

To be noted: that last permit ip any any allows traffic to those IP subnets and everything else!

Hope to help

Giuseppe
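To make the two answers above concrete, here is an added example (not from the thread, and not IOS code) that models IOS first-match evaluation of the HIDE list as posted and applies it to constructed packets arriving inbound on the core-facing port. The mapping of the named ports netbios-ns and netbios-dgm to 137/138 and the sample host addresses (10.14.10.5 and the 10.14.10.0/24, 10.14.20.0/24, 10.14.200.0/24 "main network" prefixes) are assumptions made for the example.

```python
"""Constructed model of the HIDE ACL applied 'ip access-group HIDE in' on Gig0/1.
Wildcard masks are inverted to netmasks; named ports are resolved to numbers."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed mapping for the IOS port keywords used in the thread's ACL.
NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; "tcp"/"udp" only that one
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # destination port when the entry ends in "eq <port>"


def wildcard_to_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'addr wildcard' -> network; a wildcard is the bitwise inverse of a netmask."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any', 'host X' or 'X wildcard' from the front of the token list."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_net(tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse one extended-ACL entry, e.g. 'deny tcp any 10.14.0.0 0.0.255.255 eq 445'."""
    tokens = line.lower().split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = NAMED_PORTS[rest[1]] if rest[1] in NAMED_PORTS else int(rest[1])
    return Ace(action, proto, src, dst, dport)


# The HIDE list exactly as posted in the thread, in order.
HIDE = [parse_ace(line) for line in (
    "permit ip 10.14.180.0 0.0.0.255 any",
    "permit ip 10.14.182.0 0.0.0.255 any",
    "deny tcp any 10.14.0.0 0.0.255.255 eq 139",
    "deny tcp any 10.14.0.0 0.0.255.255 eq netbios-dgm",
    "deny tcp any 10.14.0.0 0.0.255.255 eq netbios-ns",
    "deny tcp any 10.14.0.0 0.0.255.255 eq 445",
    "permit ip any any",
)]


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None):
    """First-match evaluation. Returns (action, index); ('deny', None) is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None


def unreachable_aces(acl: List[Ace], src_prefixes: List[str]) -> List[int]:
    """Indices of entries no packet sourced from src_prefixes can match.
    Given only the main-network prefixes (the sources expected inbound on Gig0/1),
    this identifies the two leading permits Gene asked about."""
    nets = [ipaddress.IPv4Network(p) for p in src_prefixes]
    return [i for i, ace in enumerate(acl) if not any(n.overlaps(ace.src) for n in nets)]


if __name__ == "__main__":
    core = ["10.14.10.0/24", "10.14.20.0/24", "10.14.200.0/24"]   # constructed main-network prefixes
    print("entries no core-sourced packet can hit:", unreachable_aces(HIDE, core))
    for proto, src, dst, port in (("tcp", "10.14.10.5", "10.14.180.20", 445),
                                  ("tcp", "10.14.10.5", "10.14.182.20", 80),
                                  ("udp", "10.14.10.5", "10.14.180.20", 138)):
        print(proto, src, "->", dst, port, "=>", evaluate(HIDE, proto, src, dst, port))
```

Running it shows that entries 0 and 1 (the two leading permits) are never reached by traffic sourced from the main network, that SMB/NetBIOS over TCP toward 10.14.0.0/16 hits the deny entries, and that everything else, including UDP datagrams to port 138, falls through to the final permit ip any any rather than to the implicit deny, as Giuseppe notes. The only packets the first two permits would ever match are ones arriving on Gig0/1 with a 10.14.180.x or 10.14.182.x source, which should not occur on that interface; since such a packet would be permitted before the deny entries are consulted, removing those two lines loses nothing and leaves the deny entries in force for every source.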

New Member

Re: quick acl question

Excellent. That is what I thought. A config fro

A previous net eng and I thought it looked wrong. And I agree the last permit inherently overrides the implicit deny.

Thank you for the clarification.

Gene

Sent from Cisco Technical Support iPhone App
