quick acl question

gene.uhl
Level 1

Just need some verification. Have a net like this

SWITCH with 10.14.180.x and 182.x vlans. It connects via its Gig 0/1 port to rest of main network.

On that gig port is the command: ip access-group HIDE in

In the rest of the switch config is an ip access-list extended HIDE with the following:

permit ip 10.14.180.0 0.0.0.255 any
permit ip 10.14.182.0 0.0.0.255 any
deny tcp any 10.14.0.0 0.0.255.255 eq 139
deny tcp any 10.14.0.0 0.0.255.255 eq netbios-dgm
deny tcp any 10.14.0.0 0.0.255.255 eq netbios-ns
deny tcp any 10.14.0.0 0.0.255.255 eq 445
permit ip any any

Now, to get this right in my head: aren't the first two permit commands useless? This is applied inbound on the gig interface, which is traffic from the main network, which would have destinations of 10.14.x and not sources of 10.14.x. Those first two permit statements are essentially allowing packets with source addresses of 10.14.180 and 10.14.182 to come into the Gig 0/1 port from the main network, which they never will. It would be destinations of those addresses IN to the gig interface.

Or am I screwing this up??

Thanks

Gene

Sent from Cisco Technical Support iPhone App

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Gene,

I agree, your understanding is correct: if those two IP subnets are downstream of the switch, then in the inbound direction on the core-facing interface they should appear only in the destination field.

Note that the last permit ip any any allows traffic to those IP subnets and everything else!

Hope to help

Giuseppe

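To check the point made in the question and the accepted answer without a switch, here is a small first-match ACL evaluator added for this thread (not code from the original posts or from Cisco). It models the HIDE list with Cisco wildcard-mask semantics, runs a constructed sample of inbound packets on Gig 0/1 (main-network sources, local-VLAN destinations), and reports which entries are never reached; it also shows that a UDP 137 datagram falls through the tcp-only denies to the final permit ip any any. The sample addresses are constructed, and netbios-ns / netbios-dgm are resolved to 137 / 138.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # Cisco "any": wildcard of all 1s

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match: a 0 bit must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol, otherwise e.g. "tcp"
    src: Tuple[str, str]         # (base, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None  # "eq <port>", None when absent

# The HIDE list as posted, named ports resolved (netbios-ns = 137, netbios-dgm = 138).
HIDE = [
    Ace("permit", "ip", ("10.14.180.0", "0.0.0.255"), ANY),
    Ace("permit", "ip", ("10.14.182.0", "0.0.0.255"), ANY),
    Ace("deny", "tcp", ANY, ("10.14.0.0", "0.0.255.255"), 139),
    Ace("deny", "tcp", ANY, ("10.14.0.0", "0.0.255.255"), 138),
    Ace("deny", "tcp", ANY, ("10.14.0.0", "0.0.255.255"), 137),
    Ace("deny", "tcp", ANY, ("10.14.0.0", "0.0.255.255"), 445),
    Ace("permit", "ip", ANY, ANY),
]

def evaluate(acl, src, dst, proto, dport=None):
    """First-match lookup; returns (action, index). Index None is the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None

def dead_entries(acl, packets):
    """Indices of entries that no packet in the sample ever reaches."""
    hit = {evaluate(acl, *p)[1] for p in packets}
    return [i for i in range(len(acl)) if i not in hit]

# Constructed inbound sample on Gig 0/1: sources on the main network, destinations in the local VLANs.
INBOUND = [("10.14.1.5", "10.14.180.10", "tcp", p) for p in (445, 139, 138, 137, 443)]
INBOUND.append(("10.14.1.5", "10.14.182.20", "udp", 137))  # UDP NetBIOS is not matched by the tcp denies
```

Running `dead_entries(HIDE, INBOUND)` returns the two leading permit entries, which only a packet sourced from 10.14.180.x or 10.14.182.x could reach.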


gene.uhl
Level 1

Excellent. That is what I thought. A config fro

A previous net eng and I thought it looked wrong. And I agree the last permit inherently overrides the implicit deny.

Thank you for the clarification.

Gene

Sent from Cisco Technical Support iPhone App
