Re: Cisco 871 VLANs / ACLs

Discussion in 'Cisco' started by bod43, Feb 18, 2011.

  1. bod43

    bod43 Guest

    On Thursday, February 17, 2011 8:14:23 PM UTC, Doug McIntyre wrote:
    > Vincent <> writes:


    > > I want to create an ACL that permits ALL traffic
    > >(including return traffic) to transit between Vlan1 and Vlan2 if that
    > >traffic originates in Vlan1. I want NO traffic (except for return
    > >traffic) to transit between Vlan2 and Vlan1. Is there an easy way to
    > >accomplish this?

    >
    > ACLs don't have state. They can't track sessions to say this traffic
    > originated here, and to let it back through.


    hmmm - reflexive ACLs do though:)

    vlan1 >--ALL-unrestricted--> vlan2
    vlan1 <--return-only-------< vlan2

    I would do this. NOT tested, all from memory, so beware.

    Put a "deny ip any any" access list on vlan2
    Put an inspect out statement on vlan2. This will
    allow return traffic by punching dynamic "holes" in the ACL.


    ip inspect name INS.vlan2inspect tcp
    ip inspect name INS.vlan2inspect udp
    ip inspect name INS.vlan2inspect icmp
    ! might be enough for you but won't allow IPSEC
    ! or active ftp for example.

    ! The ACL goes inbound on vlan2 (it must have a direction) so it
    ! drops everything that vlan2 hosts originate. Inspect "out" on
    ! vlan2 watches sessions leaving the router toward vlan2, i.e.
    ! those started from vlan1, and opens temporary holes in that
    ! inbound ACL for their return traffic.
    int vlan2
     ip access-group ACL.deny-all in
     ip inspect INS.vlan2inspect out

    ip access-list extended ACL.deny-all
     10 deny ip any any


    You can also consider reflexive access lists.
    These create "reflected" or mirror image dynamic access
    lists to allow return traffic.

    One inspect gotcha that I recall is that
       ip inspect name XXX http
    blocks java - that is what it does.

    When messing with ACLs that could cut you off from the router
    it's worth considering "reload in 20"/"reload cancel".
    Please don't forget the cancel before the router
    reloads itself - I have and it's not pretty:)
    bod43, Feb 18, 2011
    #1
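The reflexive access list alternative mentioned in the post above, written out as an added example; this is not the poster's config and, like theirs, is untested. The names ACL.vlan1-out, ACL.vlan2-in and REFL.vlan1, and the timeouts, are assumed.

```cisco
! Added example (not from the thread): the same vlan1 -> vlan2 policy
! built with reflexive ACLs instead of CBAC "ip inspect".
! ACL.vlan1-out, ACL.vlan2-in and REFL.vlan1 are assumed names.

! Global idle timeout for reflected entries, seconds (IOS default 300).
ip reflexive-list timeout 120

! Applied inbound on vlan1: permit everything vlan1 hosts start and
! record each TCP/UDP/ICMP session as a mirrored entry in the
! temporary list REFL.vlan1. Reflexive ACLs only track single-channel
! protocols, so active FTP and IPsec are not handled here either.
! Other IP protocols still pass but get no reflected return entry.
ip access-list extended ACL.vlan1-out
 permit tcp any any reflect REFL.vlan1 timeout 300
 permit udp any any reflect REFL.vlan1 timeout 60
 permit icmp any any reflect REFL.vlan1 timeout 30
 permit ip any any

! Applied inbound on vlan2: only packets matching a mirrored entry
! (return traffic of a vlan1-initiated session) are allowed; anything
! vlan2 hosts try to start is denied and logged.
ip access-list extended ACL.vlan2-in
 evaluate REFL.vlan1
 deny ip any any log

interface Vlan1
 ip access-group ACL.vlan1-out in

interface Vlan2
 ip access-group ACL.vlan2-in in

! Check it: "show ip access-lists REFL.vlan1" lists the mirrored
! entries while a vlan1-initiated session is active, and is empty
! once they time out.
```

As with the inspect approach, the deny on vlan2 also stops vlan2 reaching anything beyond the router, so add explicit permits above the evaluate line if vlan2 needs its own outbound access.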

  2. Vincent

    Vincent Guest

    On Feb 18, 9:13 am, bod43 <> wrote:
    > On Thursday, February 17, 2011 8:14:23 PM UTC, Doug McIntyre wrote:
    > > Vincent <> writes:
    > > > I want to create an ACL that permits ALL traffic
    > > >(including return traffic) to transit between Vlan1 and Vlan2 if that
    > > >traffic originates in Vlan1.  I want NO traffic (except for return
    > > >traffic) to transit between Vlan2 and Vlan1.  Is there an easy way to
    > > >accomplish this?

    >
    > > ACLs don't have state. They can't track sessions to say this traffic
    > > originated here, and to let it back through.

    >
    > hmmm - reflexive ACLs do though:)
    >
    > vlan1 >--ALL-unrestricted--> vlan2
    > vlan1 <--return-only-------< vlan2
    >
    > I would do this - NOT tested all from memory so beware.
    >
    > Put a "deny ip any any" access list on vlan2
    > Put an inspect out statement on vlan2. This will
    > allow return traffic by punching dynamic "holes" in the ACL.
    >
    > ip inspect name INS.vlan2inspect tcp
    > ip inspect name INS.vlan2inspect udp
    > ip inspect name INS.vlan2inspect icmp
    > ! might be enough for you but won't allow IPSEC
    > ! or active ftp for example.
    >
    > int vlan2
    > ip access-group ACL.deny-all
    > ip inspect INS.vlan2inspect out
    >
    > ip access-list extended ACL.deny-all
    >  10 deny ip any any
    >
    > You can also consider reflexive access lists.
    > These create "reflected" or mirror image dynamic access
    > lists to allow return traffic.
    >
    > One inspect gotcha that I recall is that
    >    ip inspect name XXX http
    > blocks java - that is what it does.
    >
    > When messing with ACLs that could cut you off from the router
    > it's worth considering "reload in 20"/"reload cancel".
    > Please don't forget the cancel before the router
    > reloads itself - I have and it's not pretty:)


    Yes, I was thinking that reflexive ACLs might work. I should have
    some time later this evening to do some experimentation with your
    suggestions. I will let you know how it works out.

    Thanks!
    Vincent, Feb 18, 2011
    #2