ACL processing question for my Catalyst 6513

Discussion in 'Cisco' started by 05hammer, Feb 23, 2009.

  1. 05hammer

    05hammer Guest

    I have a small network of about 300 nodes running on our
    Cat6513. I want verification of my ACL thoughts. Let's say I have an
    ACL on my Global inbound port (6/48-in) that states permit ip any
    192.13.43.0 0.0.0.127.

    Now, also in the 6513, I have a VLAN (Vlan2). This VLAN's IP
    subnet is 192.13.43.0 0.0.0.127. This VLAN has an ACL on its inbound
    port (vlan2-in).

    A person tries to connect to 192.13.43.80 over tcp port 53. If
    6/48-in has a permit ip any 192.13.43.0 0.0.0.127, But Vlan2-in has a
    deny tcp any host 192.13.43.80 eq 53, will the packet make it through?

    I guess the basic question is: since both ACLs reside in the
    same router, if the first one permits the traffic, does the traffic
    'skip' past the second ACL?

    The boss and I have a free lunch riding on this one!
     
    05hammer, Feb 23, 2009
    #1

  2. Sam Wilson

    Sam Wilson Guest

    In article
    <>,
    05hammer <> wrote:

    > I have a small network of about 300 nodes running on our
    > Cat6513. ...


    Generous provision there!

    > ... I want verification of my ACL thoughts. Lets say I have an
    > ACL on my Global inbound port (6/48-in) that states permit ip any
    > 192.13.43.0 0.0.0.127.
    >
    > Now, also in the 6513, I have a vlan (Vlan2). this vlan's IP
    > subnet is 192.13.43.0 0.0.0.127. This Vlan has an ACL on it's inbound
    > port (vlan2-in).
    >
    > A person tries to connect to 192.13.43.80 over tcp port 53. If
    > 6/48-in has a permit ip any 192.13.43.0 0.0.0.127, But Vlan2-in has a
    > deny tcp any host 192.13.43.80 eq 53, will the packet make it through?


    Those ACLs are badly specced - they don't do what you seem to think they
    will, but I think that's irrelevant to what you ask below.

    > I guess the basic question is - since both ACL's reside in the
    > same router, if the first one permits the traffic, does the traffic
    > 'skip' passed the second ACL?


    Nope. As the packet arrives at the box the inbound ACL decides whether
    the packet is accepted at all. Once inside the box the routing and
    switching process (I use the terms loosely) decide which port to send
    the packet out of. The outbound ACL on that port decides whether the
    packet is transmitted or not. You also have to remember that, unlike a
    firewall, ACLs apply to packets, not connections. Packets in both
    directions for a particular communication have to be explicitly allowed
    by separate lists (unless you're using reflexive access lists or the
    firewall feature set, which you can't on a 6513 IIRC).

    > The boss and I have a free lunch riding on this one!


    One of you is going to get a free lunch, but I can't tell which of you
    it is.

    Sam
     
    Sam Wilson, Feb 23, 2009
    #2
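A small simulation of the per-packet pipeline Sam describes (inbound ACL on the ingress interface, route lookup, outbound ACL on the egress interface, implicit deny at the end of every list, no connection state), run against the two ACLs from the question. This is an added illustration, not code from the thread or from Cisco. It assumes 6/48 is a routed uplink carrying the default route, that Vlan2 is the SVI for 192.13.43.0/25, and that only router ACLs are involved (no VACLs or port ACLs); the client and reply packets are constructed for the demo. It applies the Vlan2 ACL in each direction in turn, so you can see which direction a packet arriving from the uplink actually hits.

```python
"""Per-packet ACL pipeline of an IOS-style router, reduced to the essentials.
Order, as in Sam's reply: inbound ACL on the ingress interface, routing lookup,
outbound ACL on the egress interface. First match wins, every ACL ends with an
implicit deny, and nothing is stateful: each direction is judged on its own.
Assumed, not from the thread: Gi6/48 is a routed uplink holding the default
route, Vlan2 is the SVI for 192.13.43.0/25, and only router ACLs are in play.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp", "icmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # from "eq <port>", matched on the destination port

@dataclass
class Interface:
    name: str
    connected: Optional[ipaddress.IPv4Network]   # None = uplink, i.e. the default route
    acl_in: Optional[List[Ace]] = None           # None = no ACL applied, everything passes
    acl_out: Optional[List[Ace]] = None

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard mask to prefix: 0.0.0.127 means the low 7 bits are don't-care."""
    wc = int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)

def _parse_addr(toks: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    if toks[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv4Network(toks[1] + "/32"), toks[2:]
    return wildcard_to_network(toks[0], toks[1]), toks[2:]

def parse_ace(line: str) -> Ace:
    """Parse one ACE in IOS syntax, e.g. 'deny tcp any host 192.13.43.80 eq 53'."""
    toks = line.split()
    src, rest = _parse_addr(toks[2:])
    dst, rest = _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(toks[0], toks[1], src, dst, dport)

def evaluate(acl: Optional[List[Ace]], pkt: Packet) -> str:
    """Top-down, first match wins; a list that matches nothing hits the implicit deny."""
    if acl is None:
        return "permit"
    for ace in acl:
        if (ace.proto in ("ip", pkt.proto)
                and ipaddress.IPv4Address(pkt.src) in ace.src
                and ipaddress.IPv4Address(pkt.dst) in ace.dst
                and (ace.dport is None or ace.dport == pkt.dport)):
            return ace.action
    return "deny"

def route(router: dict, dst: str) -> Interface:
    """Longest-prefix match over connected networks, falling back to the uplink."""
    addr = ipaddress.IPv4Address(dst)
    hits = [i for i in router.values() if i.connected is not None and addr in i.connected]
    if hits:
        return max(hits, key=lambda i: i.connected.prefixlen)
    return next(i for i in router.values() if i.connected is None)

def forward(router: dict, ingress: str, pkt: Packet) -> Tuple[str, List[str]]:
    """Inbound ACL -> routing -> outbound ACL for one packet; returns verdict and trace."""
    verdict = evaluate(router[ingress].acl_in, pkt)
    trace = [f"{ingress} in: {verdict}"]
    if verdict == "deny":
        return "dropped", trace
    egress = route(router, pkt.dst)
    verdict = evaluate(egress.acl_out, pkt)
    trace.append(f"{egress.name} out: {verdict}")
    return ("forwarded" if verdict == "permit" else "dropped"), trace

def build_router(deny_on_vlan2: str) -> dict:
    """The thread's two ACLs, verbatim; deny_on_vlan2 is 'in' (as posted) or 'out'."""
    uplink_in = [parse_ace("permit ip any 192.13.43.0 0.0.0.127")]
    dns_deny = [parse_ace("deny tcp any host 192.13.43.80 eq 53")]   # no permit follows it
    vlan2 = Interface("Vlan2", ipaddress.IPv4Network("192.13.43.0/25"))
    if deny_on_vlan2 == "in":
        vlan2.acl_in = dns_deny
    else:
        vlan2.acl_out = dns_deny
    return {"Gi6/48": Interface("Gi6/48", None, acl_in=uplink_in), "Vlan2": vlan2}

if __name__ == "__main__":
    query = Packet("198.51.100.7", "192.13.43.80", "tcp", 53)      # constructed client packet
    reply = Packet("192.13.43.80", "198.51.100.7", "tcp", 40000)   # constructed server reply
    for d in ("in", "out"):
        r = build_router(d)
        print(f"deny {d}bound on Vlan2:", forward(r, "Gi6/48", query), forward(r, "Vlan2", reply))
```

With the deny applied inbound on Vlan2, as in the question, the DNS packet from the uplink is forwarded: an inbound ACL on an SVI sees packets sourced from that VLAN, and this packet exits Vlan2, so only Vlan2's outbound ACL applies to it. Move the same ACE outbound and the packet is dropped there, after the uplink's inbound ACL has already permitted it. The run also shows two side effects of the lists as written: with nothing after that one deny ACE, the implicit deny drops everything else in that direction (port 80 to .80 included), and the server's reply, entering on Vlan2, is a separate packet judged by a separate list, so it is dropped by the inbound ACL unless something permits it.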

  3. 05hammer

    05hammer Guest

    On Feb 23, 11:22 am, Sam Wilson <> wrote:
    > In article
    > <>,
    > 05hammer <> wrote:
    > > I have a small network of about 300 nodes running on our
    > > Cat6513. ...
    >
    > Generous provision there!
    >
    > > ... I want verification of my ACL thoughts. Lets say I have an
    > > ACL on my Global inbound port (6/48-in) that states permit ip any
    > > 192.13.43.0 0.0.0.127.
    > >
    > > Now, also in the 6513, I have a vlan (Vlan2). this vlan's IP
    > > subnet is 192.13.43.0 0.0.0.127. This Vlan has an ACL on it's inbound
    > > port (vlan2-in).
    > >
    > > A person tries to connect to 192.13.43.80 over tcp port 53. If
    > > 6/48-in has a permit ip any 192.13.43.0 0.0.0.127, But Vlan2-in has a
    > > deny tcp any host 192.13.43.80 eq 53, will the packet make it through?
    >
    > Those ACLs are badly specced - they don't do what you seem to think they
    > will, but I think that's irrelevant to what you ask below.
    >
    > > I guess the basic question is - since both ACL's reside in the
    > > same router, if the first one permits the traffic, does the traffic
    > > 'skip' passed the second ACL?
    >
    > Nope. As the packet arrives at the box the inbound ACL decides whether
    > the packet is accepted at all. Once inside the box the routing and
    > switching process (I use the terms loosely) decide which port to send
    > the packet out of. The outbound ACL on that port decides whether the
    > packet is transmitted or not. You also have to remember that, unlike a
    > firewall, ACLs apply to packets, not connections. Packets in both
    > directions for a particular communication have to be explicitly allowed
    > by separate lists (unless you're using reflexive access lists or the
    > firewall feature set, which you can't on a 6513 IIRC).
    >
    > > The boss and I have a free lunch riding on this one!
    >
    > One of you is going to get a free lunch, but I can't tell which of you
    > it is.
    >
    > Sam


    Thanks Sam. I get a free lunch. I thought that was how it worked. He
    thought that, since the packet isn't leaving the router, any other
    ACLs I have on the VLAN inbound connections are useless, and only the
    outbound connections on the VLANs are used with the ACLs.

    Now, how big of a jerk should I be? McDonalds or Texas Roadhouse? ;-)
     
    05hammer, Feb 23, 2009
    #3