Solved

ACL Configuration

Posted on 2009-02-16
Last Modified: 2012-05-06
Hi there!

I have to build ACLs to filter outgoing packets to 3 machines, from specific IPs. I have a monitor session set up like this:

Session 2
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi4/4,Gi4/6,Gi4/8-9
Destination Ports      : Gi4/34-35,Gi4/38


I need to set up the ACLs at destination ports, for a bunch of random IP numbers. I made a script to create the ACL lines for each IP, so that's not a problem. The issue is that my IOS version doesn't support interface based extended ACLs (outgoing), only IP and MAC.

Here are some examples of the ACL lines I've created:
access-list 101 permit ip 172.30.4.54 0.0.0.0 172.19.169.44 0.0.0.0
access-list 101 permit ip 172.30.4.29 0.0.0.0 172.19.169.44 0.0.0.0
access-list 101 permit ip 172.30.4.30 0.0.0.0 172.19.169.44 0.0.0.0

It would work fine if I could set up an outgoing access-group filter with those, but I can't.

Is there any other way around this? I'm kinda new to ACL, so I don't even know if that would be the best configuration.
Question by:cafasdon
8 Comments
 
LVL 9

Assisted Solution

by:Donboo
Donboo earned 1000 total points
ID: 23654521
Are you trying to set them on the physical interface or the VLAN interface?

I am guessing that you have a cat6500 and as far as I remember the ports would be in layer 2 mode and don't support layer 3/4 ACLs. You should attach the ACL to the VLAN interface the switchport is in or make the layer 2 interface a layer 3 interface.
 

Author Comment

by:cafasdon
ID: 23654779
It is a Cisco 6500 Catalyst indeed. I was trying to add to the physical interface as well.
About attaching it to the VLAN... I have 3 VLANs, associated to 3 subnets respectively:
VLAN 4 - 172.30.4.0/24
VLAN 5 - 172.30.5.0/24
VLAN 6 - 172.30.6.0/24

All 3 subnets are sent to my destination ports on the monitor session. On those 3 ports, I have 3 data loggers that fetch only specific IPs from those subnets (not from one subnet only in particular). However, each monitor port receives ALL 3 subnets, when it should receive just some IPs from each.

That's a little of my topology and what I need to achieve.
If I apply rules to a specific VLAN, I'll have to make one line for each IP to tell where they should go. Of course that's one solution, but I'd rather try to do something more clean/optimized.

Any ideas on that?
 
LVL 9

Assisted Solution

by:Donboo
Donboo earned 1000 total points
ID: 23663176
I am not sure that you can match on specific IPs in a monitor session. I took a quick look on my own 6500 and there wasn't, as far as I could see, any IP filtering option. I haven't really looked into monitor sessions as I normally just use them for sniffing and then I want everything for a VLAN.

I'll try and see if I can find anything that might give you what you want, but I doubt it as normally the sniffer/collector applies the filter.
 
LVL 3

Accepted Solution

by:
MiamiCo earned 1000 total points
ID: 23664080
Hi. I don't understand much about ACLs but, as you wrote, if you can't apply extended ACLs, why do you use numbers above 99? Standard ACL numbers are 1-99; 1300-1999, or not? (extended 100-199; 2000-2699)
And maybe then you can set up an outgoing access-group filter with those...

So for standard ACL:
access-list <number 1-99> <permit|deny> <source IP> <mask> log

ip access-group <list number> <in|out>

On one interface you can set only two ACLs, one for in and one for out. (in is for traffic to the router, out for traffic from the router)
 
LVL 9

Assisted Solution

by:Donboo
Donboo earned 1000 total points
ID: 23665698
I never said you couldn't apply extended access-lists. I just said that a layer 2 interface doesn't support layer 3 ACLs.

You are however right that a layer 3 interface only supports 2 ACLs, one for ingress and one for egress traffic, and on a router interfaces are layer 3 (not counting routers with switch modules) so they support extended ACLs. Also route-maps support extended ACLs and there are many more functions that support extended ACLs.


And for Cafasdon, I remember that you also have VLAN ACLs called VLAN access-maps. I haven't used them before but it might be what you need to filter your session traffic. So if your destination ports are layer 3 you might have to make a VLAN and dump the session into a VLAN (where you apply the vlan access-map) before taking that VLAN and forwarding it to the ports.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html

http://ipcnetworking.com/2008/11/how-to-setup-access-list-for-a-cisco-vlan.htm


Let me know if you think you can use it.
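To make the VLAN access-map suggestion above concrete, here is an added example (not code from anyone in this thread) that generates the Catalyst 6500 IOS configuration for it from a table of logger addresses. The logger-to-source mapping, the second logger address, the ACL and access-map names, and the dedicated capture VLAN 999 are all constructed assumptions.

```python
import ipaddress

# Constructed sample input: one data logger (destination) per entry and the
# source hosts whose mirrored packets it is allowed to receive. The first
# entry reuses the addresses from the question; the second is made up.
LOGGERS = {
    "172.19.169.44": ["172.30.4.54", "172.30.4.29", "172.30.4.30"],
    "172.19.169.45": ["172.30.5.10", "172.30.6.10"],
}
# Assumed dedicated VLAN that the SPAN session is dumped into before the
# filtered copies are forwarded to the logger ports (Donboo's suggestion).
CAPTURE_VLAN = 999


def build_acl(name, dst, sources):
    """Named extended ACL permitting only the listed sources to reach dst.
    A malformed address raises ValueError before any config is emitted."""
    ipaddress.ip_address(dst)
    lines = [f"ip access-list extended {name}"]
    for src in sorted(sources, key=ipaddress.ip_address):
        lines.append(f" permit ip host {src} host {dst}")
    return lines


def build_vacl(loggers, capture_vlan, map_name="LOGGER-FILTER"):
    """One access-map sequence per logger, each forwarding packets that match
    that logger's ACL. Anything no sequence matches hits the access-map's
    implicit drop, so the map is bound to the capture VLAN only; binding it
    to the production VLANs 4-6 would discard every unlisted packet there."""
    config = []
    for seq, dst in enumerate(sorted(loggers, key=ipaddress.ip_address), 1):
        acl_name = f"LOGGER-{seq}"
        config += build_acl(acl_name, dst, loggers[dst])
        config += [
            f"vlan access-map {map_name} {seq * 10}",
            f" match ip address {acl_name}",
            " action forward",
        ]
    config.append(f"vlan filter {map_name} vlan-list {capture_vlan}")
    return config


if __name__ == "__main__":
    print("\n".join(build_vacl(LOGGERS, CAPTURE_VLAN)))
```

Paste the printed lines into configuration mode; `show vlan access-map` and `show vlan filter` confirm the map and its VLAN binding.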
 
LVL 3

Assisted Solution

by:MiamiCo
MiamiCo earned 1000 total points
ID: 23684338
To Donboo: I don't understand what you mean with layer 2 and layer 3 interface. What is the difference? A router works on LAYER 3 (ISO/OSI), a switch on layer 2.
 
LVL 9

Assisted Solution

by:Donboo
Donboo earned 1000 total points
ID: 23696475
There is a great deal of difference between layer 2 interfaces and layer 3 interfaces. A layer 3 switch has by default all its ports in layer 2 mode, meaning that you can enable them to layer 3 mode and it acts like a router on that interface. You get a switch to act like a router by making a virtual layer 3 interface (SVC), an interface vlan.
Since it's virtual you can actually have the layer 3 interface VLAN without having the layer 2 on the switch.

On a router you have a combination of layer 2 and layer 3 interfaces when using VLAN trunking since you don't have VLANs in the same way as a switch. You still have virtual interfaces (sub interfaces) but you add to them a layer 2 property of VLAN tagging.

An ACL (in the context we are talking about here) is layer 3 and thus is only supported on layer 3 interfaces.

 

Author Comment

by:cafasdon
ID: 23776934
Sorry guys, I'm not working anymore at the company I used to work for! So I won't have the opportunity to test this on their servers anymore :/

Thanks anyways for the replies. It hasn't added to the company, but I got more interested in the topic after you guys posted! Cheers!