Hi! I got a 2621 XM router which was configured with multiple subinterfaces, e.g. 10.71.9.x (fa0/0.1), 10.71.10.x (fa0/0.2), 10.71.11.x (fa0/0.3), 10.71.12.x (fa0/0.4), etc.
I'm new to ACLs. My question is this:
I want to enable access for 10.71.9.100 to all the VLANs, while the rest of the .9 hosts can only access the .9 and .12 VLANs.
10.71.10.68 can only access the .10 VLAN and the .12 VLAN; only .10 hosts, .12 hosts and 10.71.9.100 can access 10.71.10.68, and the rest of the subnets are not able to access 10.71.10.68. As for the .10 hosts, they can only access the .12 and .10 VLANs.
How should I configure the ACL, and should it be inbound or outbound?
Think of logical interfaces just like physical interfaces when applying access-lists. As a general best practice when applying extended access-lists try to apply them as close to the source as possible. In your case this means that we have to apply the access-lists inbound on the respective sub-interfaces. I will try to map out the ACLs as per your requirements:
1) For your 10.71.9.x hosts the ACL will look something like:
access-list 100 permit ip host 10.71.9.100 any
access-list 100 permit ip 10.71.9.0 0.0.0.255 10.71.12.0 0.0.0.255
access-list 100 deny ip any any
! the explicit deny is just for informational reasons; there is an implicit deny at the end of all access-lists by default
interface FastEthernet0/0.1
ip access-group 100 in
2) For your 10.71.10.x subnet:
access-list 110 permit ip host 10.71.10.68 host 10.71.9.100
! this will allow 10.71.10.68 to initiate connections to 10.71.9.100; if you want to change this behavior we need to add something in access-list 100
access-list 110 permit ip 10.71.10.0 0.0.0.255 10.71.12.0 0.0.0.255
access-list 110 deny ip any any
! the explicit deny is just for informational reasons; there is an implicit deny at the end of all access-lists by default
interface FastEthernet0/0.2
ip access-group 110 in
If you apply it on the outbound then the source and destination addresses will change. For example if you wanted to apply the access-list to Fa0/0.1 outbound then your source addresses will be from other VLANs and destination addresses will be for VLAN corresponding to 10.71.9.x subnet. This will work but it is less optimal as you will be doing filtering close to the destination rather than the source. It does not make much difference in your case as everything is on the same router but for large networks it is recommended to filter close to the source if you are using extended access-lists.
If you want only the 10.71.9.100 host to be able to initiate connections to 10.71.10.68 and not the other way around then you have to use the keyword established, but it only works for TCP. I believe it looks for the presence of the ACK flag in the TCP packets.
access-list 110 permit tcp host 10.71.10.68 host 10.71.9.100 established
I mentioned adding it to 100 earlier but the way these ACLs are being used you will have to do it on the 110. Again these are examples only so please use them for understanding the concepts and test everything in a lab environment before implementing it in production.
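As an added example (not part of the thread), the following Python model of the two ACLs above evaluates constructed packets against the requirements in the question, using the revised established line for access-list 110; first match wins, no match is the implicit deny, and "established" is modelled as "TCP with ACK set":

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Pkt:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ack: bool = False     # TCP ACK flag; what the "established" keyword looks for

# Each entry mirrors one ACL line from the answer: (action, protocol, source, destination, established).
# "host X" becomes X/32, "any" becomes 0.0.0.0/0 and the IOS wildcard 0.0.0.255 becomes /24.
ACL_100 = [  # applied with "ip access-group 100 in" on fa0/0.1 (the 10.71.9.0/24 VLAN)
    ("permit", "ip", "10.71.9.100/32", "0.0.0.0/0", False),
    ("permit", "ip", "10.71.9.0/24", "10.71.12.0/24", False),
]
ACL_110 = [  # applied with "ip access-group 110 in" on fa0/0.2 (the 10.71.10.0/24 VLAN)
    ("permit", "tcp", "10.71.10.68/32", "10.71.9.100/32", True),  # the "established" line
    ("permit", "ip", "10.71.10.0/24", "10.71.12.0/24", False),
]

def evaluate(acl, pkt):
    """First matching entry wins; falling off the end is the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src_net, dst_net, established in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src not in ipaddress.ip_network(src_net) or dst not in ipaddress.ip_network(dst_net):
            continue
        # "established" matches only TCP segments with ACK (or RST) set, i.e. replies, never a bare SYN
        if established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return action
    return "deny"

def check_policy():
    """Constructed flows covering each requirement in the question; returns name -> verdict."""
    cases = {
        "9.100 opens TCP to 10.68":   (ACL_100, Pkt("tcp", "10.71.9.100", "10.71.10.68")),
        "10.68 replies to 9.100":     (ACL_110, Pkt("tcp", "10.71.10.68", "10.71.9.100", ack=True)),
        "10.68 opens TCP to 9.100":   (ACL_110, Pkt("tcp", "10.71.10.68", "10.71.9.100")),
        "10.68 pings 9.100":          (ACL_110, Pkt("icmp", "10.71.10.68", "10.71.9.100")),
        "other .9 host to .12 VLAN":  (ACL_100, Pkt("udp", "10.71.9.50", "10.71.12.7")),
        "other .9 host to .11 VLAN":  (ACL_100, Pkt("udp", "10.71.9.50", "10.71.11.7")),
        "other .10 host to .12 VLAN": (ACL_110, Pkt("tcp", "10.71.10.20", "10.71.12.7")),
        "other .10 host to 9.100":    (ACL_110, Pkt("tcp", "10.71.10.20", "10.71.9.100")),
    }
    return {name: evaluate(acl, pkt) for name, (acl, pkt) in cases.items()}
```

The model ignores ports and ICMP types on purpose; it is only meant to show which side of each flow the inbound ACL on the source VLAN's subinterface sees.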
Hi! If I understand you correctly you are saying:
Inbound --> the source will always be 10.71.9.x in that case.
Outbound --> the source will always be a VLAN other than 10.71.9.x (e.g. .10, .11, .12, etc.).
Is this inbound/outbound concept above a practice? I mean, if I'm using inbound the source will always be the VLAN from that subinterface itself, and if I'm using outbound the source will be a VLAN other than the "original VLAN" (e.g. .9 for fa0/0.1)?
Yes, I would like to have the host 10.71.9.100 initiate the access to 10.71.10.68 and not the other way round. So, I just have to add the command
"access-list 110 permit tcp host 10.71.10.68 host 10.71.9.100 established" inbound on the .10 subinterface?