05-30-2012 10:00 AM - edited 03-07-2019 06:59 AM
Just need some verification. Have a net like this
SWITCH with 10.14.180.x and 182.x vlans. It connects via its Gig 0/1 port to rest of main network.
On that gig port is the command: ip access-group HIDE in
In the rest of the switch config is an ip access-list extended HIDE with the following:
permit ip 10.14.180.0 0.0.0.255 any
permit ip 10.14.182.0 0.0.0.255 any
deny tcp any 10.14.0.0 0.0.255.255 eq 139
deny udp any 10.14.0.0 0.0.255.255 eq netbios-dgm
deny udp any 10.14.0.0 0.0.255.255 eq netbios-ns
deny tcp any 10.14.0.0 0.0.255.255 eq 445
permit ip any any
Now, to get this right in my head: aren't the first two permit commands useless? This is applied on the gig interface inbound, which is traffic from the main network, which would have destinations of 10.14.x and not sources of 10.14.x. Those first two permit statements are essentially allowing packets with source addresses of 10.14.180 and 182 to come into the gig 0/1 port from the main network, which they never will. It would be destinations of those addresses IN to the gig interface.
Or am I screwing this up??
Thanks
Gene
Sent from Cisco Technical Support iPhone App
05-30-2012 10:07 AM
Hello Gene,
I agree, your understanding is correct: if those two IP subnets are downstream of the switch, then in the inbound direction on the core-facing interface they should appear only in the destination field.
To be noted: that last permit ip any any allows traffic to those IP subnets and everything else!
Hope to help
Giuseppe
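To make the direction argument concrete, here is an added example (not part of the thread, and not a Cisco tool) that models IOS first-match extended ACL evaluation in Python and runs the HIDE list against constructed sample packets. The main-network and VLAN host addresses are assumed; the two NetBIOS lines are written as udp because IOS defines the netbios-ns and netbios-dgm keywords for UDP, and the evaluator is a simplified model (no established keyword, no ranges, no logging).

```python
"""Evaluate an IOS-style extended ACL against sample packets (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of IOS port keywords that the thread's ACL uses (constructed mapping).
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}


@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: tuple             # (network_int, keep_mask_int); keep_mask = ~wildcard
    dst: tuple
    dport: Optional[int]   # destination port, or None when any port matches


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (IOS wildcard mask)."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    keep = ~wildcard & 0xFFFFFFFF       # wildcard 0 bits are the bits that must match
    return (net & keep, keep), i + 2


def parse_acl(text):
    """Parse one ACE per line: action proto src [mask] dst [mask] [eq port]."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0].lower() == "remark":
            continue
        action, proto = t[0].lower(), t[1].lower()
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def _addr_match(rule, ip):
    net, keep = rule
    return (int(ipaddress.IPv4Address(ip)) & keep) == net


def first_match(acl, pkt):
    """Return (line_number, action) of the first matching ACE; (None, 'deny') = implicit deny."""
    for n, e in enumerate(acl, start=1):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _addr_match(e.src, pkt.src) or not _addr_match(e.dst, pkt.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return n, e.action
    return None, "deny"


HIDE = parse_acl("""
permit ip 10.14.180.0 0.0.0.255 any
permit ip 10.14.182.0 0.0.0.255 any
deny tcp any 10.14.0.0 0.0.255.255 eq 139
deny udp any 10.14.0.0 0.0.255.255 eq netbios-dgm
deny udp any 10.14.0.0 0.0.255.255 eq netbios-ns
deny tcp any 10.14.0.0 0.0.255.255 eq 445
permit ip any any
""")

# Constructed traffic arriving inbound on Gig0/1: sourced on the main network
# (assumed host 10.14.10.5) and destined for the downstream VLAN hosts (assumed).
INBOUND = [
    Packet("10.14.10.5", "10.14.180.20", "tcp", 445),   # SMB
    Packet("10.14.10.5", "10.14.180.20", "udp", 137),   # NetBIOS name service
    Packet("10.14.10.5", "10.14.182.7", "tcp", 443),    # HTTPS
    Packet("10.14.10.5", "10.14.180.20", "icmp"),       # ping
]


def hits_per_line(acl, packets):
    """Count which ACE each packet lands on; index 0 counts the implicit deny."""
    counts = [0] * (len(acl) + 1)
    for p in packets:
        n, _ = first_match(acl, p)
        counts[n or 0] += 1
    return counts


def permits_ever_hit(acl, packets):
    """True only if ACE 1 or 2 (the VLAN-sourced permits) matched any packet."""
    counts = hits_per_line(acl, packets)
    return counts[1] + counts[2] > 0


if __name__ == "__main__":
    for p in INBOUND:
        print(p, "->", first_match(HIDE, p))
    print("hits per line:", hits_per_line(HIDE, INBOUND))
    print("lines 1-2 ever hit inbound:", permits_ever_hit(HIDE, INBOUND))
    # The same ACL evaluated on a reply packet (VLAN host as source) hits line 1,
    # which is where those permits would matter: applied in that direction they
    # would shadow every deny below them.
    print(first_match(HIDE, Packet("10.14.180.20", "10.14.10.5", "tcp", 445)))
```

Running it shows the two SMB/NetBIOS packets stopping on lines 5 and 6, the HTTPS and ICMP packets falling through to line 7, and lines 1 and 2 never matching inbound traffic. Only when the packet is sourced from 10.14.180.0/24, as a reply would be, does line 1 match, which is why those permits are harmless here but would bypass the denies if the list were applied where the VLANs are the source.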
05-30-2012 10:10 AM
Excellent. That is what I thought. A config from a previous net eng, and I thought it looked wrong. And I agree the last permit inherently overrides the implicit deny.
Thank you for the clarification.
Gene
Sent from Cisco Technical Support iPhone App