ACL question

dkblee
Level 1

Hi! I got a 2621XM router which was configured with multiple subinterfaces, e.g. 10.71.9.x (fa0/0.1), 10.71.10.x (fa0/0.2), 10.71.11.x (fa0/0.3), 10.71.12.x (fa0/0.4), etc.

I'm new to ACLs. My questions are:

Q1)

If I want to enable access for 10.71.9.100 to all the VLANs, while the rest of the .9 hosts can only access the .9 and .12 VLANs.

Q2)

10.71.10.68 can only access the .10 VLAN and .12 VLAN, and only .10 hosts, .12 hosts and 10.71.9.100 can access 10.71.10.68; the rest of the subnets are not able to access 10.71.10.68. As for the .10 hosts, they can only access the .12 and .10 VLANs.

How should I configure the ACL, and should it be inbound or outbound?

Thanks!

5 Replies

atif.awan
Level 3

Think of logical interfaces just like physical interfaces when applying access-lists. As a general best practice when applying extended access-lists try to apply them as close to the source as possible. In your case this means that we have to apply the access-lists inbound on the respective sub-interfaces. I will try to map out the ACLs as per your requirements:

1) For your 10.71.9.x hosts the ACL will look something like:

access-list 100 permit ip host 10.71.9.100 any

access-list 100 permit ip 10.71.9.0 0.0.0.255 10.71.12.0 0.0.0.255

access-list 100 deny ip any any (just for informational reasons; there is an implicit deny at the end of all access-lists by default)

interface Fa0/0.1

ip access-group 100 in

2) For your 10.71.10.x subnet:

access-list 110 permit ip host 10.71.10.68 host 10.71.9.100 (this will allow 10.71.10.68 to initiate connections to 10.71.9.100. If you want to change this behavior we need to add something in access-list 100)

access-list 110 permit ip 10.71.10.0 0.0.0.255 10.71.12.0 0.0.0.255

access-list 110 deny ip any any (just for informational reasons; there is an implicit deny at the end of all access-lists by default)

interface Fa0/0.2

ip access-group 110 in

This was just an example you can build on.

Hi! Thanks for the reply. Why do we need to apply this ACL inbound and not outbound? What difference will this make? Just for discussion, can I apply it outbound instead?

What do you mean by "If you want to change this behavior we need to add something in access-list 100"? Can you give an example of that?

Thanks!

If you apply it on the outbound then the source and destination addresses will change. For example, if you wanted to apply the access-list to Fa0/0.1 outbound then your source addresses will be from other VLANs and the destination addresses will be for the VLAN corresponding to the 10.71.9.x subnet. This will work but it is less optimal as you will be doing filtering close to the destination rather than the source. It does not make much difference in your case as everything is on the same router, but for large networks it is recommended to filter close to the source if you are using extended access-lists.

If you want only the 10.71.9.100 host to be able to initiate connections to 10.71.10.68 and not the other way around then you have to use the established keyword, but it only works for TCP. I believe it looks for the presence of the ACK flag in the TCP packets.

access-list 110 permit tcp host 10.71.10.68 host 10.71.9.100 eq established

I mentioned adding it to 100 earlier but the way these ACLs are being used you will have to do it on the 110. Again these are examples only so please use them for understanding the concepts and test everything in a lab environment before implementing it in production.

Hi! If I understand you correctly, you are saying that for

fa0/0.1

===========

Inbound --> the source will always be 10.71.9.x in that case

Outbound --> the source will always be a VLAN other than 10.71.9.x (e.g. .10, .11, .12, etc.)

Is this inbound/outbound concept above a practice? I mean, if I'm using inbound the source will always be the VLAN of that subinterface itself, and if I'm using outbound the source will be a VLAN other than the "original VLAN" (e.g. .9 for fa0/0.1)?

Yes, I would like the host 10.71.9.100 to initiate the access to 10.71.10.68 and not the other way round. So, I just have to add the command

"access-list 110 permit tcp host 10.71.10.68 host 10.71.9.100 eq established" inbound on the .10 subinterface?

Thanks!

That is correct. Like I said in my first post think of logical interfaces as physical interfaces when applying access-lists.

All your other comments are correct also. Slight mistake on my part on the ACL line. It should not have the 'eq' keyword, so the correct statement will be:

access-list 110 permit tcp host 10.71.10.68 host 10.71.9.100 established
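As an added example that is not part of either poster's reply, the following Python models how IOS evaluates the two ACLs from this thread: it parses the access-list statements as typed, applies top-down first match with wildcard masks and the implicit deny at the end, and treats `established` as matching only TCP segments that carry ACK or RST. The ACL text is the thread's (with the corrected final line); the parser, the `Packet` model and the sample packets are constructed here and are not IOS code. Because ACL 100 sits inbound on Fa0/0.1, its sources are always .9 hosts, and ACL 110 inbound on Fa0/0.2 only ever sees .10 sources, which is the inbound/outbound point made above.

```python
"""Constructed model of Cisco IOS extended-ACL evaluation for the thread's ACLs:
top-down first match, wildcard masks (a 1 bit means "don't care"), implicit deny,
and 'established' = TCP segment with ACK or RST set."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                          # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    tcp_flags: frozenset = frozenset()  # e.g. frozenset({'SYN'}); empty for non-TCP


@dataclass(frozen=True)
class ACE:
    number: int
    action: str                         # 'permit' or 'deny'
    proto: str                          # 'ip' matches every protocol
    src: tuple
    dst: tuple
    established: bool = False


def _parse_addr(tok, i):
    """Return (spec, next index); spec is ('any',), ('host', ip) or ('net', net, wildcard)."""
    if tok[i] == 'any':
        return ('any',), i + 1
    if tok[i] == 'host':
        return ('host', int(ipaddress.IPv4Address(tok[i + 1]))), i + 2
    net = int(ipaddress.IPv4Address(tok[i]))
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    return ('net', net, wild), i + 2


def parse_ace(line):
    """Parse one 'access-list N permit|deny PROTO SRC DST [established]' statement."""
    tok = line.split()
    if tok[0] != 'access-list':
        raise ValueError(f'not an access-list statement: {line!r}')
    number, action, proto = int(tok[1]), tok[2], tok[3]
    if action not in ('permit', 'deny'):
        raise ValueError(f'unknown action {action!r}')
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    established = False
    if i < len(tok):
        if tok[i] == 'established' and proto == 'tcp' and i == len(tok) - 1:
            established = True
        else:
            # 'eq' must be followed by a port, so 'eq established' (the line the
            # thread later corrected) is rejected here, as IOS rejects it too.
            raise ValueError(f'invalid trailer: {" ".join(tok[i:])!r}')
    return ACE(number, action, proto, src, dst, established)


def parse_acl(lines):
    """Parse the statements of one numbered ACL, keeping their order."""
    aces = [parse_ace(l) for l in lines if l.strip()]
    if len({a.number for a in aces}) != 1:
        raise ValueError('all statements must belong to the same ACL number')
    return aces


def _addr_match(spec, addr):
    a = int(ipaddress.IPv4Address(addr))
    if spec[0] == 'any':
        return True
    if spec[0] == 'host':
        return a == spec[1]
    _, net, wild = spec
    care = ~wild & 0xFFFFFFFF           # bits that must equal the network address
    return (a & care) == (net & care)


def evaluate(acl, pkt):
    """Return ('permit'|'deny', matching ACE) or ('deny', None) for the implicit deny."""
    for ace in acl:
        if ace.proto != 'ip' and ace.proto != pkt.proto:
            continue
        if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
            continue
        # 'established' only matches segments of an existing connection (ACK or
        # RST set); a bare SYN, i.e. a new connection attempt, falls through.
        if ace.established and not (pkt.tcp_flags & {'ACK', 'RST'}):
            continue
        return ace.action, ace
    return 'deny', None                 # implicit deny at the end of every ACL


# ACL 100, applied inbound on Fa0/0.1: sources are always the 10.71.9.x hosts.
ACL_100 = parse_acl("""
access-list 100 permit ip host 10.71.9.100 any
access-list 100 permit ip 10.71.9.0 0.0.0.255 10.71.12.0 0.0.0.255
""".splitlines())

# ACL 110, applied inbound on Fa0/0.2, with the corrected 'established' line.
ACL_110 = parse_acl("""
access-list 110 permit tcp host 10.71.10.68 host 10.71.9.100 established
access-list 110 permit ip 10.71.10.0 0.0.0.255 10.71.12.0 0.0.0.255
""".splitlines())


if __name__ == '__main__':
    SYN, ACK = frozenset({'SYN'}), frozenset({'ACK'})
    cases = [  # constructed sample packets
        ('ACL 100', ACL_100, Packet('tcp', '10.71.9.100', '10.71.10.68', SYN)),
        ('ACL 100', ACL_100, Packet('icmp', '10.71.9.5', '10.71.12.7')),
        ('ACL 100', ACL_100, Packet('icmp', '10.71.9.5', '10.71.11.7')),
        ('ACL 110', ACL_110, Packet('tcp', '10.71.10.68', '10.71.9.100', SYN)),
        ('ACL 110', ACL_110, Packet('tcp', '10.71.10.68', '10.71.9.100', ACK)),
        ('ACL 110', ACL_110, Packet('tcp', '10.71.10.5', '10.71.9.100', SYN)),
    ]
    for name, acl, pkt in cases:
        action, _ = evaluate(acl, pkt)
        print(f'{name}: {pkt.proto} {pkt.src} -> {pkt.dst} {sorted(pkt.tcp_flags)}: {action}')
```

Running it shows the one-way behaviour the thread settles on: a SYN from 10.71.9.100 toward 10.71.10.68 is permitted by ACL 100, a SYN from 10.71.10.68 toward 10.71.9.100 falls through ACL 110 to the implicit deny, and only 10.71.10.68's ACK-bearing replies match the `established` line. Note that this trick is TCP-only, so UDP or ICMP from 10.71.10.68 to 10.71.9.100 is denied in both directions unless an explicit line is added.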
