IOS confusing ACL questions?

Discussion in 'Cisco' started by Michael Letchworth, Jun 14, 2008.

  1. All my questions are on a 6500 switch running IOS.

    Can you put an access list on any interface whether it has an IP or not?
    Does it matter if the port is in access or routing mode?

    Another thing that confuses me is whether you apply the ACL in or out.
    Let's say I have several VLANs but I don't want this particular VLAN to
    access another VLAN except for port 80. Do I block all IP except
    port 80 going into my interface or block it going out of the VLAN?

    Another problem I have is what if I have a VLAN with all my servers on
    and 10 others with workstations and printers. I only want to allow ports
    445,135-7 to the servers VLAN but I want the servers VLAN full IP access
    to the workstations and printers. Do I put the ACL on the outbound of the
    servers VLAN or the ACL on the inbound?

    Lastly, what will the IOS with firewall feature give over the standard IOS?

    Thanks
     
    Michael Letchworth, Jun 14, 2008
    #1

  2. Thanks! A few more questions.

    Peter wrote:
    > Hi Michael,
    >
    >> Can you put an access list on any interface whether it has an IP or not?
    >
    > Yes, however be aware that it can depend on what TYPE of ACL you want
    > to use, some are restricted to the mode of use of the interface. EG a
    > MAC ACL (IE 7xx) only works on interfaces in Layer 2 mode (that CANNOT
    > have an IP). However a Layer 3 ACL will work on a Layer 3 interface
    > regardless of it being unnumbered or not.

    So if I have an interface trunking VLANs, can I apply an ACL on it?
    Basically I have a 6500 as our core switch that connects all our
    buildings together, then this trunked interface connects to our server
    switch (Extreme). I'd rather keep all the ACLs in the Cisco.
    >
    >> Does it matter if the port is in access or routing mode?
    >
    > No.
    >
    >> Another thing that confuses me is whether you apply the ACL in or out.
    >
    > While either works, the generally accepted practise is to apply an ACL
    > INBOUND on an interface. This means that the CPU/chipset only ever
    > gets to see data that is wanted, and not data that is later dropped.
    > HOWEVER see the following 2 replies!
    >
    >> Let's say I have several VLANs but I don't want this particular VLAN to
    >> access another VLAN except for port 80. Do I block all IP except
    >> port 80 going into my interface or block it going out of the VLAN?
    >
    > If the ACL is to apply to multiple interfaces that are all members of
    > a single VLAN, then put the ACL on the VLAN. Fewer ACL application
    > points are better than multiple ACL application points.
    >
    >> Another problem I have is what if I have a VLAN with all my servers on
    >> and 10 others with workstations and printers. I only want to allow ports
    >> 445,135-7 to the servers VLAN but I want the servers VLAN full IP access
    >> to the workstations and printers. Do I put the ACL on the outbound of the
    >> servers VLAN or the ACL on the inbound?
    >
    > The key here is the part that reads -
    > I only want to allow ports 445,135-7 to the servers VLAN
    > In this case I would apply the ACL OUTBOUND on the Server VLAN. This
    > ensures all workstation VLANs are handled regardless of which SOURCE
    > VLANs are used. Then you need to ensure this is exactly what you
    > want....;-)

    Just out of curiosity, if a workstation sent a denial of service to the
    server's IP on the servers VLAN, would it affect the server? If outbound
    was blocked on the server VLAN, does that mean that data is allowed into
    the VLAN but no return packet?
    >
    >> Lastly, what will the IOS with firewall feature give over the standard IOS?
    >
    > Firewall IOS looks more towards general Network use than pure data
    > packets. IE its rules apply to a particular conversation. It used to
    > be called CBAC - Context Based Access Control, which I thought
    > describes what it does quite well. It applies a set of logical data
    > flow rules around a conversation between 2 points, so it needs to know
    > how specific protocols work, and allows you to provide limitations to
    > that TYPE of traffic to try and ensure that flow is valid and follows
    > expectations. My feeling is that it's more designed to catch UNNATURAL
    > or irregular conversations, rather than specific issues as such. I
    > would definitely NOT use Firewall IOS as a full featured Firewall, it
    > is not designed for that.
    >
    > Cheers................pk.
    >
     
    Michael Letchworth, Jun 15, 2008
    #2
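As an added example (not from either poster), this is how the server-VLAN rule discussed in the thread could be written on the 6500's SVI, with the ACL applied outbound on the server VLAN interface as Peter suggests. The server subnet 10.10.10.0/24 and interface Vlan10 are assumed placeholders, and the `established` line shows the return-traffic point behind Michael's last question: plain IOS ACLs are stateless, so replies to sessions the servers open toward the workstation VLANs must be permitted explicitly.

```cisco
! Added example, not from the thread. Addresses and interface names are placeholders.
! Servers sit on VLAN 10 (10.10.10.0/24); the 10 workstation/printer VLANs are "any" here.
ip access-list extended TO-SERVERS
 remark Replies to TCP sessions the servers themselves opened (ACK/RST set)
 permit tcp any 10.10.10.0 0.0.0.255 established
 remark Replies to pings the servers send out
 permit icmp any 10.10.10.0 0.0.0.255 echo-reply
 remark SMB and MS-RPC / NetBIOS from any workstation VLAN to the servers
 permit tcp any 10.10.10.0 0.0.0.255 eq 445
 permit tcp any 10.10.10.0 0.0.0.255 range 135 137
 permit udp any 10.10.10.0 0.0.0.255 range 135 137
 remark Everything else heading into the server VLAN is dropped (implicit deny made explicit)
 deny ip any any
!
interface Vlan10
 description Servers VLAN (SVI)
 ip address 10.10.10.1 255.255.255.0
 ip access-group TO-SERVERS out
!
! Nothing is applied "in" on Vlan10, so traffic the servers send toward the
! workstation VLANs is unrestricted; only packets leaving the router into
! the server VLAN are filtered, regardless of which source VLAN they came from.
```

Without the `established` line a workstation's SYN/ACK back to a server-initiated connection would be dropped by this outbound ACL, which is exactly the "data in but no return packet" effect Michael describes, just in the opposite direction; the ACL drops unwanted packets before they reach the servers, but the switch still has to classify each one.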