Solved

Access lists on secondary addresses

Posted on 2004-09-21
434 Views
Last Modified: 2010-04-17
How do access lists apply to secondary addressed interfaces? For example:

--------------------------------
int f0/0
ip add 10.3.3.1 255.255.255.0
ip add 10.4.4.1 255.255.255.0 secondary
ip access-group 100 out

access-list 100 permit ip 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
access-list 100 deny ip any any (I know it's explicit but put it in anyways)
--------------------------------


Q: Would this achieve the desired result? Would 10.4.4.0 be denied access to 10.3.3.0?
0
Question by:billwharton
8 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 12113783
ACLs are applied to INTERFACES, not addresses. An interface can have, as you've noted, multiple IP addresses, but that doesn't change how ACLs are applied.
0
 
LVL 11

Author Comment

by:billwharton
ID: 12113879
Can you look at my configuration example again and answer the concluding question:

Q: Would this achieve the desired result? Would 10.4.4.0 be denied access to 10.3.3.0?
0
 
LVL 11

Accepted Solution

by: PennGwyn (earned 500 total points)
ID: 12113958
The access-group applies to the whole interface, not just one address.  However, you're correct that extended access lists can specify the source address, so it's possible to achieve the results you want.

That said, your access list above doesn't appear to do what you want, and is arguably applied in the wrong direction.

It's permitting packets from 10.3.3.x to 10.4.4.x, but not return traffic from those packets.

My recommendation:

access-list 100 permit tcp any any established
access-list 100 permit icmp 10.4.4.0 0.0.0.255 10.3.3.0 0.0.0.255 echo-reply
<here permit any UDP services that need to deliver replies from 10.4.4.x to 10.3.3.x>
access-list 100 deny ip 10.4.4.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip any any

int f0/0
 ip access-group 100 in

The "established" allows TCP connections initiated from 10.3.3.x to 10.4.4.x.  (Attempts to initiate sessions in the other direction will be blocked at the second-last line.)

Applying the access-group to the inbound direction means that packets get filtered before they get routed, which saves some router CPU effort.  The sooner you filter out blocked traffic, the less resources get wasted handling it.

NOTE:  Secondary addresses are on the same physical network as the primary address.  So anybody whose machine has a 10.4.4.x address can get full access to 10.3.3.x machines simply by changing their IP address to a static 10.3.3.x address.  So the security that this access-list buys you will be extremely brittle.


0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12113979
"Q: Would this achieve the desired result? Would 10.4.4.0 be denied access to 10.3.3.0 ?"

A: Depends on how the host on 10.4.4.0 is configured. Because 10.3.3.0 and 10.4.4.0 evidently exist on the same physical subnet, it could be possible (barring the use of VLANs) to change the subnetting of a 10.4.4.0 host so that it would not go to the router interface when trying to reach the 10.3.3.0 net. If that were done, any ACL would be immaterial - the 10.4.4.0 host could do whatever it wanted with respect to 10.3.3.0.

The point here is that if you are trying to enhance the security of your environment, this is NOT the way to do it, at least not without VLAN support and enforcement of IP configuration on the hosts.

However, assuming that the 10.4.4.0 hosts are subnetting properly or otherwise forced to use 10.4.4.1 to talk outside of their network/VLAN, then yes, my understanding of how ACLs work tells me your ACL should prevent hosts on 10.4.4.0 from being able to talk to those on 10.3.3.0 (or pretty much anywhere else). Note that this is fairly absolute - even if a host on 10.3.3.0 sent a packet to a host on 10.4.4.0, the target host could not reply to the sender.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12113991
I think PennGwyn and I are saying the same thing, just differently.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12114393
I think Bill is looking for theoretical application, rather than a critique of the chosen subnets or the overall validity of the config or whether there is a better way...

>Q: Would this achieve the desired result? Would 10.4.4.0 be denied access to 10.3.3.0?

Short answer: I don't think so. As PennGwyn mentioned, it is applied in the wrong direction. It should be applied "IN" as a packet enters the physical interface, since it won't really exit back "through" the interface.

Easy enough to test. Apply it "out" as you have it and try it. Use "show access-list" to see the increasing hit counts one way or the other. If you ping a host, both the permit acl line and the deny acl line should increase the same number of packets. If you can successfully ping, and there are no hits on either acl line, then reverse the direction to "in" and try again. This time, I'd bet lunch that you won't get a successful ping, and that both lines will increment counters.

0
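To make the two points above concrete (PennGwyn's observation that the asker's list permits the outbound packets but not their return traffic, and lrmoore's suggestion of reading per-line hit counts with "show access-list"), here is a small first-match ACL evaluator. It is an added example written for this page, not code from the thread or from IOS: it models only ordered first-match evaluation, wildcard masks, the implicit deny, the TCP "established" keyword and ICMP type matching, and deliberately does not model routing or the in/out direction. The two lists are the asker's (with the protocol keyword "ip" spelled out, which IOS requires) and PennGwyn's (with "any any" supplied before "established" and the UDP placeholder line left out); the host addresses 10.3.3.10, 10.4.4.20 and 192.0.2.5 are constructed.

```python
"""Toy first-match evaluator for Cisco-style numbered extended ACLs (constructed example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: str                     # "any" or "addr wildcard", e.g. "10.4.4.0 0.0.0.255"
    dst: str
    established: bool = False    # TCP only: match packets carrying ACK or RST
    icmp_type: Optional[str] = None
    hits: int = 0                # per-line counter, like "show access-list"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    tcp_flags: Set[str] = field(default_factory=set)
    icmp_type: Optional[str] = None


def wildcard_match(spec: str, addr: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny PROTO SRC DST [established|icmp-type]' lines."""
    def take_addr(tokens):
        if tokens[0] == "any":
            return "any", tokens[1:]
        return f"{tokens[0]} {tokens[1]}", tokens[2:]

    acl = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):       # blank line or IOS-style comment
            continue
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError(f"unsupported line: {line}")
        action, proto = tok[2], tok[3]
        src, rest = take_addr(tok[4:])
        dst, rest = take_addr(rest)
        acl.append(Ace(action, proto, src, dst,
                       established="established" in rest,
                       icmp_type=rest[0] if proto == "icmp" and rest else None))
    return acl


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Action of the first matching line; no match falls to the implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (wildcard_match(ace.src, pkt.src) and wildcard_match(ace.dst, pkt.dst)):
            continue
        if ace.established and not (pkt.tcp_flags & {"ACK", "RST"}):
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        ace.hits += 1
        return ace.action
    return "deny"


# The asker's list, with the required protocol keyword added.
ORIGINAL_ACL = """
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
access-list 100 deny ip any any
"""

# PennGwyn's list; the UDP reply placeholder is left as a comment.
PENNGWYN_ACL = """
access-list 100 permit tcp any any established
access-list 100 permit icmp 10.4.4.0 0.0.0.255 10.3.3.0 0.0.0.255 echo-reply
! UDP services that need to deliver replies from 10.4.4.x to 10.3.3.x would go here
access-list 100 deny ip 10.4.4.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 100 permit ip any any
"""

# Constructed packets: one TCP handshake in each direction, a ping reply, a ping, and a flow elsewhere.
SCENARIOS = {
    "3.3 opens TCP to 4.4":    Packet("10.3.3.10", "10.4.4.20", "tcp", {"SYN"}),
    "4.4 SYN-ACK back to 3.3": Packet("10.4.4.20", "10.3.3.10", "tcp", {"SYN", "ACK"}),
    "4.4 opens TCP to 3.3":    Packet("10.4.4.20", "10.3.3.10", "tcp", {"SYN"}),
    "4.4 echo-reply to 3.3":   Packet("10.4.4.20", "10.3.3.10", "icmp", icmp_type="echo-reply"),
    "4.4 pings 3.3":           Packet("10.4.4.20", "10.3.3.10", "icmp", icmp_type="echo"),
    "3.3 opens TCP elsewhere": Packet("10.3.3.10", "192.0.2.5", "tcp", {"SYN"}),
}


def run_scenarios(acl_text: str) -> Tuple[Dict[str, str], List[int]]:
    """Evaluate every scenario against a freshly parsed list; return verdicts and hit counts."""
    acl = parse_acl(acl_text)
    verdicts = {name: evaluate(acl, pkt) for name, pkt in SCENARIOS.items()}
    return verdicts, [ace.hits for ace in acl]


if __name__ == "__main__":
    for label, text in (("asker's list", ORIGINAL_ACL), ("PennGwyn's list", PENNGWYN_ACL)):
        verdicts, hits = run_scenarios(text)
        print(label)
        for name, action in verdicts.items():
            print(f"  {name:26s} -> {action}")
        print("  per-line hit counts:", hits)
```

Running it shows the asymmetry the accepted answer describes: under the asker's list the SYN from 10.3.3.10 is permitted but the SYN-ACK coming back from 10.4.4.20 falls to the deny line, and so does everything leaving 10.3.3.x for any other destination; under PennGwyn's list the return traffic and the echo-reply match the early permit lines, only sessions and pings initiated from 10.4.4.x toward 10.3.3.x hit the deny line, and the per-line counters show which line each packet landed on, which is what lrmoore's "show access-list" check reads off the router.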
 
LVL 79

Expert Comment

by:lrmoore
ID: 12114405
>I'd bet lunch
On the condition that the hosts pinging and pinged are set up correctly with the appropriate class C mask, and gateway setting correct....
0
 
LVL 11

Author Comment

by:billwharton
ID: 12115509
Everybody, excellent answers. However, PennGwyn's fell in the sweet spot.

Every time I post something in here, I get more than I asked for.
lrmoore, I'd love to try that out once I get my lab.
0
