Solved

Access lists on secondary addresses

Posted on 2004-09-21
8
392 Views
Last Modified: 2010-04-17
How do access lists apply to secondary addressed interfaces? For eg:

--------------------------------
int f0/0
ip add 10.3.3.1 255.255.255.0
ip add 10.4.4.1 255.255.255.0 secondary
ip access-group 100 out

access-list 100 permit 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
access-list 100 deny ip any any (I know it's explicit but put it in anyways)
--------------------------------


Q: Would this achieve the desired result? Would 10.4.4.0 be denied access to
10.3.3.0 ?
0
Comment
Question by:billwharton
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 12113783
ACLs are applied to INTERFACES, not addresses. An interface can have, as you've noted, multiple IP addresses, but that doesn't change how ACLs are applied.
0
 
LVL 11

Author Comment

by:billwharton
ID: 12113879
Can you look at my configuration example again and answer the concluding question:

Q: Would this achieve the desired result? Would 10.4.4.0 be denied access to
10.3.3.0 ?
0
 
LVL 11

Accepted Solution

by:
PennGwyn earned 500 total points
ID: 12113958
The access-group applies to the whole interface, not just one address.  However, you're correct that extended access lists can specify the source address, so it's possible to achieve the results you want.

That said, your access list above doesn't appear to do what you want, and is arguably applied in the wrong direction.

It's permitting packets from 10.3.3.x to 10.4.4.x, but not return traffic from those packets.

My recommendation:

access-list 100 permit tcp established
access-list 100 permit icmp 10.4.4.0 0.0.0.255 10.3.3.0 0.0.0.255 echo-reply
<here permit any UDP services that need to deliver replies from 10.4.4.x to 10.3.3.x>
access-list 100 deny ip 10.4.4.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip any any

int f0/0
 ip access-group 100 in

The "established" allows TCP connections initiated from 10.3.3.x to 10.4.4.x.  (Attempts to initiate sessions in the other direction will be blocked at the second-last line.)

Applying the access-group to the inbound direction means that packets get filtered before they get routed, which saves some router CPU effort.  The sooner you filter out blocked traffic, the less resources get wasted  handling it.

NOTE:  Secondary addresses are on the same physical network as the primary address.  So anybody whose machine has a 10.4.4.x address can get full access to 10.3.3.x machines simply by changing their IP address to a static 10.3.3.x address.  So the security that this access-list buys you will be extremely brittle.


0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12113979
"Q: Would this achieve the desired result? Would 10.4.4.0 be denied access to 10.3.3.0 ?"

A: Depends on how the host on 10.4.4.0 is configured. Because 10.3.3.0 and 10.4.4.0 evidently exist on the same physical subnet, it could be possible (barring the use of VLANs) to  change the subnetting of a 10.4.4.0 host so that it would not go to the router interface when trying to reach the 10.3.3.0 net. If that were done, any ACL would be immaterial - the 10.4.4.0 host could so whatever it wanted with respect to 10.3.3.0.

The point here is that if you are trying to enhance the security of your environment, this is NOT the way to do it, at least not without VLAN support and enforcement of IP configuration on the hosts.

However, assuming that the 10.4.4.0 hosts are subnetting properly or otherwise forced to use 10.4.4.1 to talk outside of their network/VLAN, then yes, my understanding of how ACLs work tells me your ACL should prevent hosts on 10.4.4.0 from being able to talk to those on 10.3.3.0 (or pretty much anywhere else). Note that this is fairly absolutel - even if a host on 10.3.3.0 sent a packet to a host on 10.4.4.0, the target host could not reply to the sender.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 34

Expert Comment

by:PsiCop
ID: 12113991
I think PennGwyn and I are saying the same thing, just differently.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12114393
I think Bill is looking for theoretical application, rather than a critique of the chosen subnets or the overall validity of the config or is there is a better way...

>Q: Would this achieve the desired result? Would 10.4.4.0 be denied access to
10.3.3.0 ?

Short answer: I don't think so. As PennGwyn mentioned, it is applied in the wrong direction. It should be applied "IN" as a packet enters the physical interface, since it won't really exit back "through" the interface.

Easy enough to test. Apply it "out" as you have it and try it. Use "show access-list" to see the increasing hit counts one way or the other. If you ping a host, both the permit acl line and the deny acl line should increase the same number of packets. If you can succesfully ping, and there are no hits on either acl line, then reverse the direction to "in" and try again. This time, I'd bet lunch that you won't get a successful ping, and that both lines will increment counters.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12114405
>I'd bet lunch
On the condition that the hosts pinging and pinged are set up correctly with the appropriate class C mask, and gateway setting correct....
0
 
LVL 11

Author Comment

by:billwharton
ID: 12115509
Everybody, excellent answers. However,  PennGwyn's fell in the sweet spot.

Everytime I post something in here, I get more than I asked for.
lrmoore, I'd love to try that out once I get my lab.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now