
ACL Configuration

Last Modified: 2012-05-06
Hi there!

I have to build ACLs to filter outgoing packets to 3 machines, from specific IPs. I have a monitor session set up like this:

Session 2
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi4/4,Gi4/6,Gi4/8-9
Destination Ports      : Gi4/34-35,Gi4/38


I need to set up the ACLs at the destination ports, for a bunch of random IP numbers. I made a script to create the ACL lines for each IP, so that's not a problem. The issue is that my IOS version doesn't support interface-based extended ACLs (outgoing), only IP and MAC.

Here are some examples of the ACL lines I've created:
access-list 101 permit ip 172.30.4.54 0.0.0.0 172.19.169.44 0.0.0.0
access-list 101 permit ip 172.30.4.29 0.0.0.0 172.19.169.44 0.0.0.0
access-list 101 permit ip 172.30.4.30 0.0.0.0 172.19.169.44 0.0.0.0

It would work fine if I could set up an outgoing access-group filter with those, but I can't.

Is there any other way around this? I'm kind of new to ACLs, so I don't even know if that would be the best configuration.

Commented:
Are you trying to set them on the physical interface or the VLAN interface?

I am guessing that you have a cat6500 and, as far as I remember, the ports would be in layer 2 mode and don't support layer 3/4 ACLs. You should attach the ACL to the VLAN interface that the switchport is in, or make the layer 2 interface a layer 3 interface.


Author

Commented:
It is a Cisco 6500 Catalyst indeed. I was trying to add to the physical interface as well.
About attaching it to the VLAN... I have 3 VLANs, associated to 3 subnets respectively:
VLAN 4 - 172.30.4.0/24
VLAN 5 - 172.30.5.0/24
VLAN 6 - 172.30.6.0/24

All 3 subnets are sent to my destination ports on the monitor session. On those 3 ports, I have 3 data loggers that fetch only specific IPs from those subnets (not from one subnet only in particular). However, each monitor port receives ALL 3 subnets, when it should receive just some IPs from each.

That's a little of my topology and what I need to achieve.
If I apply rules to a specific VLAN, I'll have to make one line for each IP to tell where they should go. Of course that's one solution, but I'd rather try to do something more clean/optimized.

Any ideas on that?
Commented:
I am not sure that you can match on specific IPs in a monitor session. I took a quick look on my own 6500 and there wasn't, as far as I could see, any IP filtering option. I haven't really looked into monitor sessions, as I normally just use them for sniffing and then I want everything for a VLAN.

I'll try and see if I can find anything that might give you what you want, but I doubt it, as normally the sniffer/collector applies the filter.
Commented:
Hi. I don't understand much about ACLs but, as you wrote, if you can't apply extended ACLs, why do you use numbers above 99? Standard ACL numbers are 1-99 and 1300-1999, or not? (extended: 100-199 and 2000-2699)
And maybe then you can set up an outgoing access-group filter with those...

So for standard ACL:
access-list <number 1-99> <permit|deny> <source IP> <wildcard mask> [log]

ip access-group <list number> <in|out>

On one interface you can set only two ACLs, one for in and one for out (in is for traffic to the router, out for traffic from the router).
Commented:
I never said you couldn't apply extended access-lists. I just said that a layer 2 interface doesn't support layer 3 ACLs.

You are, however, right that a layer 3 interface only supports two ACLs, one for ingress and one for egress traffic, and on a router the interfaces are layer 3 (not counting routers with switch modules), so they support extended ACLs. Also route-maps support extended ACLs, and there are many more functions that support extended ACLs.


And for Cafasdon: I remember that you also have VLAN ACLs, called VLAN access-maps. I haven't used them before, but it might be what you need to filter your session traffic. So if your destination ports are layer 3, you might have to make a VLAN and dump the session into a VLAN (where you apply the VLAN access-map) before taking that VLAN and forwarding it to the ports.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html

http://ipcnetworking.com/2008/11/how-to-setup-access-list-for-a-cisco-vlan.htm


Let me know if you think you can use it.
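For concreteness, here is what the VLAN access-map route looks like on a Catalyst 6500. This is an added configuration example, not something posted in the thread. It assumes native IOS 12.2SX with the VACL capture feature described in the first link above (a PFC-based supervisor); the ACL name LOGGER-A-FLOWS and access-map name LOGGER-A-CAPTURE are hypothetical, and the addresses and port Gi4/34 are the ones from the question.

```cisco
! Flows the data logger on Gi4/34 should see (IPs from the question)
ip access-list extended LOGGER-A-FLOWS
 permit ip host 172.30.4.54 host 172.19.169.44
 permit ip host 172.30.4.29 host 172.19.169.44
 permit ip host 172.30.4.30 host 172.19.169.44
!
! VLAN access-map: matching packets are forwarded normally AND copied to the capture ports.
! Sequence 20 is essential: a VACL ends with an implicit drop, so without it every
! other packet in VLAN 4 would be discarded, not just left uncopied.
vlan access-map LOGGER-A-CAPTURE 10
 match ip address LOGGER-A-FLOWS
 action forward capture
vlan access-map LOGGER-A-CAPTURE 20
 action forward
!
! Apply the map to the VLAN the filtered hosts live in; it acts on bridged and routed
! traffic of that VLAN, so the "forward" actions above must stay in place.
vlan filter LOGGER-A-CAPTURE vlan-list 4
!
! Gi4/34 is assumed to have been removed from "monitor session 2" first: a port cannot
! be both a SPAN destination and a capture port. "switchport capture allowed vlan"
! limits which VLANs' captured copies this port receives.
interface GigabitEthernet4/34
 switchport
 switchport capture allowed vlan 4
 switchport capture
```

Two limitations worth knowing before relying on this: every capture port on the switch receives the same captured stream (narrowed only by its allowed-VLAN list), so three loggers wanting three different IP sets from the same VLAN do not each get their own feed; and because the VACL also governs forwarding, an access-map with a `drop` entry or a missing catch-all `forward` will take production traffic down, not just the copy.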
Commented:
To Donboo: I don't understand what you mean by layer 2 and layer 3 interfaces. What is the difference? A router works on layer 3 (ISO/OSI), a switch on layer 2.
Commented:
There is a great deal of difference between a layer 2 interface and a layer 3 interface. A layer 3 switch has by default all its ports in layer 2 mode, meaning that you can enable them in layer 3 mode and it acts like a router on that interface. You get a switch to act like a router by making a virtual layer 3 interface (SVC), an interface vlan.
Since it's virtual, you can actually have the layer 3 interface VLAN without having the layer 2 on the switch.

On a router you have a combination of layer 2 and layer 3 interfaces when using VLAN trunking, since you don't have VLANs in the same way as on a switch. You still have virtual interfaces (subinterfaces), but you add to them a layer 2 property of VLAN tagging.

An ACL (in the context we are talking about here) is layer 3 and thus is only supported on layer 3 interfaces.
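To make the standard/extended split from the earlier post and the layer 2 versus layer 3 distinction above concrete, here is an added configuration example that is not from the thread. It uses the hosts from the question, assumes Gi4/4 is an access port in VLAN 4 and that this 6500 is the VLAN 4 gateway at 172.30.4.1, and the routed port GigabitEthernet4/10 and its address are hypothetical.

```cisco
! Standard ACL (numbers 1-99 and 1300-1999): matches the source address only.
! It cannot express "from these hosts to 172.19.169.44".
access-list 10 permit host 172.30.4.54
access-list 10 permit host 172.30.4.29
access-list 10 permit host 172.30.4.30
! every ACL ends with an implicit "deny any"
!
! Extended ACL (numbers 100-199 and 2000-2699): source and destination.
! Same flows as in the question; "host" is shorthand for the 0.0.0.0 wildcard.
access-list 101 permit ip host 172.30.4.54 host 172.19.169.44
access-list 101 permit ip host 172.30.4.29 host 172.19.169.44
access-list 101 permit ip host 172.30.4.30 host 172.19.169.44
access-list 101 deny ip any any log      ! make the implicit deny visible and logged
!
! A layer 2 switchport only bridges frames; "ip access-group" is not accepted here.
interface GigabitEthernet4/4
 switchport
 switchport access vlan 4
!
! The layer 3 interface for VLAN 4 is the SVI. One ACL per direction:
!   in  = packets arriving from VLAN 4 hosts, about to be routed
!   out = packets being routed toward VLAN 4 hosts
interface Vlan4
 ip address 172.30.4.1 255.255.255.0     ! assumed gateway address
 ip access-group 101 in                   ! only the three hosts, only toward 172.19.169.44
!
! Alternative: convert a physical port to a routed (layer 3) port; it then takes ACLs directly.
interface GigabitEthernet4/10              ! hypothetical port and address
 no switchport
 ip address 10.0.0.1 255.255.255.252
 ip access-group 10 in                     ! standard ACL: filters by source only
```

Note what this does and does not achieve. ACL 101 `in` on Vlan4 blocks every other routed flow out of the subnet, so it is a demonstration of where an ACL can attach rather than a filter anyone would deploy as-is. And it does not change what the loggers see: the receive half of a `both` SPAN source copies frames as they arrive on the source port, before the SVI's ACL is evaluated, so the mirror still carries all three subnets.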

Author

Commented:
Sorry guys, I'm not working at the company I used to work for anymore! So I won't have the opportunity to test this on their servers anymore :/

Thanks anyway for the replies. It hasn't added anything for the company, but I got more interested in the topic after you guys posted! Cheers!