regarding ACLs applied on VLAN interface for IN/OUT directions

Andrey128
Level 1

Hello community,

 

the question is following:

 

{small network}|-----------{router}-----------|{big network}

 

I have to allow some traffic flows from small network to big network and vice versa.

For that I can use just one ACL applied on VLAN in IN direction.

Please give some information regarding this: am I right with my suggestion, or should I have two ACLs applied on IN and OUT for the VLAN?

10 Replies

Tagir Temirgaliyev
Spotlight

in this topology you can use just one ACL applied on VLAN in IN direction

Thanks for comment!

Any other/additional information/thoughts ?

Hi Andrey,

ip access-group acl in filters the traffic that enters the interface, and out filters the traffic that goes out via that interface... the example below shows the exact difference....

Example: Filtering on Source and Destination Addresses and IP Protocols

The following configuration example shows an interface with two access lists, one applied to outgoing packets and one applied to incoming packets. The standard access list named Internet-filter filters outgoing packets on source address. The only packets allowed out the interface must be from source 172.16.3.4.

The extended access list named marketing-group filters incoming packets. The access list permits Telnet packets from any source to network 172.26.0.0 and denies all other TCP packets. It permits any ICMP packets. It denies UDP packets from any source to network 172.26.0.0 on port numbers less than 1024. Finally, the access list denies all other IP packets and performs logging of packets passed or denied by that entry.

interface gigabitethernet 0/0/0
 ip address 172.20.5.1 255.255.255.0
 ip access-group Internet-filter out
 ip access-group marketing-group in
!
ip access-list standard Internet-filter
 permit 172.16.3.4
ip access-list extended marketing-group
 permit tcp any 172.26.0.0 0.0.255.255 eq telnet
 deny tcp any any
 permit icmp any any
 deny udp any 172.26.0.0 0.0.255.255 lt 1024
 deny ip any any log

 

Regards

Karthik

Hi Karthik,

ok, thanks for example!

 

Let's say we have "vlan 20" and interface gigabitethernet 0/0/0 assigned to that vlan. When writing and applying an ACL, should one consider IN and OUT relative to the router, or relative to the interface to which a certain vlan (in this example vlan 20) was assigned?
 

Hello

 

ACLs applied to an SVI are as follows:

 

Acls applied INBOUND = traffic originating from hosts within vlan 10

int vlan 10
ip access-group xx IN  (in>out)

 

Acls applied OUTBOUND = traffic going to hosts in vlan 10

int vlan 10
ip access-group xx OUT (in<out)

 

res

Paul

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

hello

 

thanks for the information, but my question relates to how the router will filter traffic by an ACL applied, for example, in the IN direction for a certain VLAN: will "IN-traffic" be filtered relative to the router, or will "IN-traffic" be filtered relative to the interface which was assigned to that VLAN?

 

 

Hello

Applying an ACL to an SVI interface is different from applying it to a physical interface.

 

On a physical interface the direction is quite straightforward:

IN = incoming into the interface (opening the door and letting IN the traffic)
OUT = outgoing from the interface (opening the door and letting OUT the traffic)

On a logical interface such as an SVI:
IN = originating from the VLAN to destination
OUT = originating from outside towards the VLAN

res

Paul


Joseph W. Doherty
Hall of Fame


"It depends".

It will depend on exactly what traffic you want to block. Something like TCP can be effectively blocked in both directions if only physically blocked in one direction, but other traffic may need to be physically blocked in both directions.

It might be doable with a single IN or OUT ACL on the SVI, it might require both IN and OUT ACLs on the SVI, or it might require other ACLs on another interface (normally it's best to block as early as possible).

Hello everyone,

sorry for delay.

 

Here is a concrete example, which I am asking about.

 

This is the topology with sub-networks:

 

{small network 10.1.1.0/24}---{L3 switch}-----{big network 192.168.0.0/16}

 

(as L3 switch WS-C3750X model is used).

 

The task is:

1) permit all traffic to/from 10.1.1.0/28 addresses
2) permit TCP destination port 5900 from 10.1.1.0/128 addresses to any address in network 192.168.0.0/16
3) permit communication from 192.168.10.0/24 to 10.1.1.0/24

4) deny all other traffic

--------------------------------------------------------------------------

due to security requirements, communication on ports
 - TCP 135-139
 - UDP 1434

should be blocked for hosts from task 3) and others which may be requested in the future.

------------------------------------------------------------------------

My solution is to write one ACL and apply it on IN direction:

 

(config)# ip access-list extended vlan10_filter_in
(config-ext-nacl)# remark allow ICMP for diagnostic purposes
(config-ext-nacl)# permit icmp any any

(config-ext-nacl)# remark task 1: all traffic to/from 10.1.1.0/28
(config-ext-nacl)# permit ip any 10.1.1.0 0.0.0.15
(config-ext-nacl)# permit ip 10.1.1.0 0.0.0.15 any

(config-ext-nacl)# remark task 2: TCP destination port 5900 towards 192.168.0.0/16 and the replies
(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 any eq 5900
(config-ext-nacl)# permit tcp any eq 5900 10.1.1.0 0.0.0.255

(config-ext-nacl)# remark deny communication on critical ports from the small network
(config-ext-nacl)# deny tcp 10.1.1.0 0.0.0.255 any range 135 139
(config-ext-nacl)# deny udp 10.1.1.0 0.0.0.255 any eq 1434
(config-ext-nacl)# remark deny connections on critical ports to the small network
(config-ext-nacl)# deny tcp any 10.1.1.0 0.0.0.255 range 135 139
(config-ext-nacl)# deny udp any 10.1.1.0 0.0.0.255 eq 1434

(config-ext-nacl)# remark task 3: allow traffic between the networks, critical ports filtered above
(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
(config-ext-nacl)# permit ip 10.1.1.0 0.0.0.255 192.168.10.0 0.0.0.255
(config-ext-nacl)# exit

(config)# interface vlan 10
(config-if)# ip access-group vlan10_filter_in in

 

--------------------------------------------------------------------------

The question is: do I need additional ACL for OUT direction?

Small sub-question: is this a stateless type of firewall?
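An added example, not part of the thread: my own Python model of how a first-match extended ACL behaves on an SVI, written to trace the vlan10_filter_in ACL above. It uses Paul's direction rule for SVIs (IN = packets sourced by VLAN 10 hosts, OUT = packets routed toward them) and, because a plain IOS ACL is stateless, judges a flow's request and its reply separately. The second ACL, VLAN10_FILTER_OUT, the host addresses 10.1.1.20, 192.168.10.5 and 192.168.77.9 and the ephemeral port 40000 are constructed for the example; the parser covers only the any/wildcard address forms and numeric ports with eq/lt/gt/range.

```python
import ipaddress
from dataclasses import dataclass
# The poster's ACL, reproduced as plain IOS lines (prompts and inline comments removed).
VLAN10_FILTER_IN = """
permit icmp any any
permit ip any 10.1.1.0 0.0.0.15
permit ip 10.1.1.0 0.0.0.15 any
permit tcp 10.1.1.0 0.0.0.255 any eq 5900
permit tcp any eq 5900 10.1.1.0 0.0.0.255
deny tcp 10.1.1.0 0.0.0.255 any range 135 139
deny tcp any 10.1.1.0 0.0.0.255 range 135 139
deny udp 10.1.1.0 0.0.0.255 any eq 1434
deny udp any 10.1.1.0 0.0.0.255 eq 1434
permit ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 192.168.10.0 0.0.0.255
"""

# Constructed OUT-direction ACL (an assumption, not from the thread): the poster's ordering, with
# the "toward the small network" entries on the side where packets routed into VLAN 10 are seen.
VLAN10_FILTER_OUT = """
permit icmp any any
permit ip any 10.1.1.0 0.0.0.15
deny tcp any 10.1.1.0 0.0.0.255 range 135 139
deny udp any 10.1.1.0 0.0.0.255 eq 1434
permit tcp any eq 5900 10.1.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
VLAN10 = ipaddress.ip_network("10.1.1.0/24")  # the subnet behind interface vlan 10

@dataclass
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # 0 for ICMP
    dport: int = 0

def _parse_addr(tokens, i):
    """Parse 'any' | 'A WILDCARD' at tokens[i]; return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    net, wild = int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1]))
    # A wildcard bit of 1 means "don't care": only bits where the wildcard is 0 must agree.
    return (lambda ip, n=net, w=wild: ((int(ipaddress.IPv4Address(ip)) ^ n) & ~w & 0xFFFFFFFF) == 0), i + 2

def _parse_port(tokens, i):
    """Parse an optional numeric port operator (eq/lt/gt/range); no operator means any port."""
    if i < len(tokens) and tokens[i] in ("eq", "lt", "gt"):
        op, v = tokens[i], int(tokens[i + 1])
        return (lambda p, op=op, v=v: {"eq": p == v, "lt": p < v, "gt": p > v}[op]), i + 2
    if i < len(tokens) and tokens[i] == "range":
        lo, hi = int(tokens[i + 1]), int(tokens[i + 2])
        return (lambda p, lo=lo, hi=hi: lo <= p <= hi), i + 3
    return (lambda p: True), i

def parse_acl(text):
    """Turn ACL lines into ordered (action, proto, src, sport, dst, dport, text) entries."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t and t[0] != "remark":
            src, i = _parse_addr(t, 2)
            sport, i = _parse_port(t, i)
            dst, i = _parse_addr(t, i)
            dport, i = _parse_port(t, i)
            rules.append((t[0], t[1], src, sport, dst, dport, line.strip()))
    return rules

def evaluate(rules, pkt):
    """First matching entry decides; an IOS ACL ends with an implicit 'deny ip any any'."""
    for action, proto, src, sport, dst, dport, text in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src(pkt.src) and sport(pkt.sport) and dst(pkt.dst) and dport(pkt.dport):
            return action, text
    return "deny", "implicit deny ip any any"

def svi_direction(pkt):
    """On an SVI, IN is traffic sourced inside the VLAN and OUT is traffic routed toward it."""
    return "in" if ipaddress.ip_address(pkt.src) in VLAN10 else "out"

def svi_filter(pkt, acl_in=None, acl_out=None):
    """Apply the ACL bound to the packet's direction; a direction with no ACL passes everything."""
    acl = acl_in if svi_direction(pkt) == "in" else acl_out
    return evaluate(acl, pkt) if acl is not None else ("permit", "no ACL bound in this direction")

def trace_session(pkt, acl_in=None, acl_out=None):
    """Stateless check: the request and its reply are judged on their own and both must pass."""
    reply = Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
    req, rep = svi_filter(pkt, acl_in, acl_out), svi_filter(reply, acl_in, acl_out)
    return {"request": req, "reply": rep, "session": "allowed" if req[0] == rep[0] == "permit" else "blocked"}

if __name__ == "__main__":  # constructed flows; 40000 stands in for an ephemeral client port
    acl_in, acl_out = parse_acl(VLAN10_FILTER_IN), parse_acl(VLAN10_FILTER_OUT)
    for f in (Packet("tcp", "10.1.1.20", "192.168.10.5", 40000, 139), Packet("tcp", "192.168.10.5", "10.1.1.20", 40000, 139),
              Packet("udp", "192.168.10.5", "10.1.1.20", 40000, 1434), Packet("tcp", "10.1.1.20", "192.168.77.9", 40000, 5900)):
        print(f.proto, f.src, "->", f.dst, f.dport, "IN only:", trace_session(f, acl_in)["session"],
              "IN+OUT:", trace_session(f, acl_in, acl_out)["session"])
```

With only the IN ACL bound, the trace reports a TCP connection from 192.168.10.5 to 10.1.1.20 port 139 as allowed: the SYN is routed toward VLAN 10, which is the OUT direction where nothing is bound, and the SYN-ACK coming back from port 139 matches the task-3 entry because the deny entries test the destination port, not the source port. The two "deny ... any 10.1.1.0 0.0.0.255 ..." entries never match in the IN direction at all, since packets both sourced and destined inside VLAN 10 are switched within the VLAN and do not cross the SVI; only an OUT ACL sees traffic heading into the small network. With VLAN10_FILTER_OUT bound as well, the port 139 and UDP 1434 flows are blocked while other task-3 traffic and the VNC flow still pass.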

 

 

Hello community,

any suggestion related to the topic?
