access-groups on vlan subinterfaces - packet directions?

Discussion in 'Cisco' started by Tom Hickory, Nov 11, 2003.

    Tom Hickory (Guest)

    Hi,

    I'm setting up some ACLs to prevent spoofed packets passing through our
    router.

    On a normal router port this is easy, because the in and out directions are
    obvious. I.e. anything on an outside port arriving at the port (in) should be
    for our subnet, and anything going out on it should be from our subnet.

    But what about 6500 style sub-interfaces? I've only ever really dealt with
    7200 style sub-interfaces before, and my head's gotten a bit confused. What's
    the description of when traffic is flowing into a VLAN, and when it's
    flowing out? I wasn't sure how to craft the ACLs to prevent spoofed IP
    addresses.

    To investigate I placed some "permit ip any any log-input" statements on our
    LAN's VLAN and recorded the ACL matches, and discovered the following.

    * The ingress ACL almost always sees traffic from addresses in the LAN to
    outside addresses. But sometimes the destination isn't always outside the
    LAN. There's a couple of matches to the LAN's broadcast address and
    x.y.z.w -> x.y.z.9 (x.y.z.9 is the router IP address). So presumably traffic
    directed at the router has to leave the VLAN? There's also the very
    occasional bit of traffic from the broadcast address to an address on the
    LAN.

    * The egress ACL mostly sees traffic from outside addresses to addresses in
    the LAN. However there's other destination addresses that aren't in the LAN
    and some source addresses that are. Is this traffic meant to be there, or is
    this the spoofed traffic I'm wanting to drop? I'm guessing it _probably_ is,
    but I'm not sure, and I definitely don't want to block legitimate traffic.

    From the above I'm guessing the config would be something like:

    interface vlan 10
     ip access-group in-vl10 in
     ip access-group out-vl10 out

    ip access-list extended in-vl10
     remark Permit traffic to the router from the LAN
     permit ip x.y.z.0 0.0.0.255 host x.y.z.9
     !
     remark Deny traffic directed at the LAN addresses
     deny ip any x.y.z.0 0.0.0.255 log-input
     !
     remark Permit traffic from the LAN to the outside world
     permit ip x.y.z.0 0.0.0.255 any
     !
     remark Deny and log any other traffic
     deny ip any any log-input

    ip access-list extended out-vl10
     remark Deny traffic claiming to have originated in our subnet
     deny ip x.y.z.0 0.0.0.255 any log-input
     !
     remark Only allow traffic from the outside directed at our LAN addresses
     permit ip any x.y.z.0 0.0.0.255
     !
     remark Deny and log any other traffic
     deny ip any any log-input

    Is this correct?

    Sam
     
    Tom Hickory, Nov 11, 2003
    #1
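To see which line of the proposed ACLs a given packet would hit, here is an added Python model of first-match ACL evaluation (example code, not from the post or from Cisco IOS). It assumes the IOS rules that an ACL applied "in" on an SVI is checked against packets arriving from hosts on that VLAN, that one applied "out" is checked against packets the router forwards toward the VLAN, and that an unmatched packet is denied; 192.0.2.0/24 and 192.0.2.9 are constructed stand-ins for the post's x.y.z.0/24 and x.y.z.9.

```python
import ipaddress

# Constructed stand-ins for the post's x.y.z.0/24 and the router's x.y.z.9.
LAN = ipaddress.ip_network("192.0.2.0/24")
ROUTER = ipaddress.ip_address("192.0.2.9")


def match(spec, addr):
    """spec is 'any', a host address, or a network (the wildcard-mask form)."""
    if spec == "any":
        return True
    if isinstance(spec, ipaddress.IPv4Network):
        return addr in spec
    return addr == spec


# Each ACE is (action, src, dst, remark). First match wins; implicit deny last.
IN_VL10 = [  # applied 'in': packets arriving at the SVI from hosts on VLAN 10
    ("permit", LAN, ROUTER, "LAN to router"),
    ("deny", "any", LAN, "anything aimed at LAN addresses"),
    ("permit", LAN, "any", "LAN to outside"),
    ("deny", "any", "any", "everything else"),
]
OUT_VL10 = [  # applied 'out': packets the router forwards toward VLAN 10
    ("deny", LAN, "any", "claims to come from our subnet"),
    ("permit", "any", LAN, "outside to LAN"),
    ("deny", "any", "any", "everything else"),
]


def evaluate(acl, src, dst):
    """Return (action, line number, remark) of the first ACE matching src->dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, s, d, remark) in enumerate(acl, 1):
        if match(s, src) and match(d, dst):
            return action, n, remark
    return "deny", len(acl) + 1, "implicit deny"


if __name__ == "__main__":
    cases = [  # constructed packets covering the cases the post describes
        (IN_VL10, "192.0.2.50", "198.51.100.7"),   # LAN host to outside
        (IN_VL10, "192.0.2.50", "192.0.2.9"),      # LAN host to the router itself
        (IN_VL10, "192.0.2.50", "192.0.2.255"),    # LAN host to the LAN broadcast
        (IN_VL10, "203.0.113.4", "198.51.100.7"),  # spoofed source arriving from VLAN
        (OUT_VL10, "198.51.100.7", "192.0.2.50"),  # outside to LAN
        (OUT_VL10, "192.0.2.50", "192.0.2.60"),    # forwarded packet with a LAN source
    ]
    for acl, s, d in cases:
        print(s, "->", d, evaluate(acl, s, d))
```

Running it shows that a LAN host sending to the LAN broadcast address hits ingress line 2, the deny the post places before the LAN-to-outside permit.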
