10-06-2017 06:32 AM - edited 03-08-2019 12:17 PM
Dear Community,
I would like some clarity regarding an ACL I have created on an L3 switch.
For example, I have a Mobile network which is subnet 10.3.12.0/24.
This network only needs to access the mail server and the Internet; the rest of the traffic needs to be blocked.
Extended IP access list Mobile-Isolation
1 deny tcp 10.3.12.0 0.0.0.255 host 10.3.12.1 eq telnet
2 deny tcp 10.3.12.0 0.0.0.255 host 10.3.12.1 eq 22
3 deny tcp 10.3.12.0 0.0.0.255 host 10.3.12.1 eq 161
4 deny udp 10.3.12.0 0.0.0.255 host 10.3.12.1 eq snmp
10 deny ip 127.0.0.0 0.255.255.255 any
20 deny ip 169.254.0.0 0.0.255.255 any (1586 matches)
30 deny ip 172.16.0.0 0.0.255.255 any
40 deny ip 10.3.12.0 0.0.0.255 172.16.0.0 0.0.255.255
50 deny ip 10.3.12.0 0.0.0.255 10.3.3.0 0.0.0.255
60 deny ip 10.3.12.0 0.0.0.255 10.3.4.0 0.0.0.255
70 deny ip 10.3.12.0 0.0.0.255 10.3.5.0 0.0.0.255
80 deny ip 10.3.12.0 0.0.0.255 10.3.10.0 0.0.0.255
90 deny ip 10.3.12.0 0.0.0.255 10.3.11.0 0.0.0.255
100 permit tcp 10.3.12.0 0.0.0.255 host 192.168.0.12 eq smtp
110 permit tcp 10.3.12.0 0.0.0.255 host 192.168.0.12 eq 587
120 permit tcp 10.3.12.0 0.0.0.255 host 192.168.0.12 eq 465
130 permit tcp 10.3.12.0 0.0.0.255 host 192.168.0.12 eq 443
140 deny ip 10.3.12.0 0.0.0.255 192.168.0.0 0.0.255.255 (881 matches)
150 permit ip any any (693081 matches)
This ACL is applied IN to the SVI
My question:
Does an ACL block in 2 directions? Why? Because if I block 10.3.3.0 (line 50), this works. The ping times out.
Is an OUT direction needed in this case?
Kind regards,
Christophe
10-06-2017 08:19 AM
Hello Christophe,
"Does an ACL block in 2 directions? Why? Because if I block 10.3.3.0 (line 50), this works. The ping times out."
No. Only stateful firewalls block traffic in both directions. An ACL is stateless and needs to permit both directions.
Is an OUT direction needed in this case?
Yes.
10-17-2017 09:08 AM
You can create an ACL (IN/OUT) allowing only the traffic you want. Then all the rest will be denied. There's an implicit deny at the bottom of every ACL.
-If I helped you somehow, please rate it as useful.-
10-06-2017 08:48 AM
Hi,
When you apply an ACL in the "in" direction of an SVI, it only blocks traffic coming into that SVI (ingress traffic). To block outbound traffic, you need an ACL in the "out" direction.
HTH
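As an added illustration of the two points made in the replies above (an ACL is stateless, and an ACL bound "in" on the SVI is only evaluated for traffic entering the switch from that VLAN), here is a small Python model of IOS extended ACL evaluation written for this thread. It is not Cisco code and not code from any poster. It parses a subset of the posted Mobile-Isolation list exactly as "show ip access-lists" prints it (sequence numbers and match counters included), adds a constructed "out" ACL, and shows that the ping to 10.3.3.0/24 is dropped by entry 50 on its way out of the mobile VLAN, while traffic coming back toward the VLAN is not filtered at all until an ACL is bound "out". The packet addresses, the "out" ACL and the direction heuristic (source address inside the VLAN subnet means the packet is entering the SVI) are assumptions of the model.

```python
"""Stateless, per-direction ACL evaluation modelled on Cisco IOS extended ACL
semantics: first match wins, the list ends with an implicit deny, and an ACL bound
"in" on an SVI only sees packets entering the switch from that VLAN.  Illustrative
model written for this thread, not Cisco code."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Subset of the thread's ACL, exactly as "show ip access-lists" prints it
# (sequence numbers and "(N matches)" counters are tolerated by the parser).
MOBILE_ISOLATION_IN = """
2 deny tcp 10.3.12.0 0.0.0.255 host 10.3.12.1 eq 22
20 deny ip 169.254.0.0 0.0.255.255 any (1586 matches)
50 deny ip 10.3.12.0 0.0.0.255 10.3.3.0 0.0.0.255
130 permit tcp 10.3.12.0 0.0.0.255 host 192.168.0.12 eq 443
140 deny ip 10.3.12.0 0.0.0.255 192.168.0.0 0.0.255.255 (881 matches)
150 permit ip any any (693081 matches)
"""
# Constructed "out" ACL (assumption, not from the thread): keep 10.3.3.0/24 away
# from the mobile VLAN.  Being stateless, it also drops replies to pings the VLAN sent.
MOBILE_ISOLATION_OUT = """
10 deny ip 10.3.3.0 0.0.0.255 10.3.12.0 0.0.0.255
20 permit ip any any
"""
PORT_NAMES = {"telnet": 23, "smtp": 25, "snmp": 161}   # names used by the full list

@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class AddrMatch:
    addr: int
    wildcard: int               # IOS wildcard mask: a 1 bit means "don't care"
    def matches(self, ip: str) -> bool:
        return (int(ipaddress.ip_address(ip)) | self.wildcard) == (self.addr | self.wildcard)

Rule = namedtuple("Rule", "seq action proto src dst dport")

def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' beginning at tokens[i]; return (match, next i)."""
    if tokens[i] == "any":
        return AddrMatch(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return AddrMatch(int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    return AddrMatch(int(ipaddress.ip_address(tokens[i])),
                     int(ipaddress.ip_address(tokens[i + 1]))), i + 2

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":      # a trailing "(N matches)" is ignored
            dport = int(tokens[i + 1]) if tokens[i + 1].isdigit() else PORT_NAMES[tokens[i + 1]]
        rules.append(Rule(seq, action, proto, src, dst, dport))
    return rules

def evaluate(rules, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny (seq None)."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (r.src.matches(pkt.src) and r.dst.matches(pkt.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, r.seq
    return "deny", None

def svi_filter(pkt, vlan_subnet, acl_in=None, acl_out=None):
    """Apply only the ACL bound in the direction the packet crosses the SVI.
    Simplification: a packet sourced from the VLAN subnet is treated as entering the
    switch from that VLAN ("in"); anything else is being routed toward it ("out").
    Returns (direction, action, matching sequence number)."""
    from_vlan = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(vlan_subnet)
    direction, acl = ("in", acl_in) if from_vlan else ("out", acl_out)
    if acl is None:
        return direction, "permit", None    # nothing bound that way: traffic is not filtered
    action, seq = evaluate(acl, pkt)
    return direction, action, seq

if __name__ == "__main__":
    acl_in, acl_out = parse_acl(MOBILE_ISOLATION_IN), parse_acl(MOBILE_ISOLATION_OUT)
    req = Packet("icmp", "10.3.12.5", "10.3.3.10")      # ping from the mobile VLAN
    rep = Packet("icmp", "10.3.3.10", "10.3.12.5")      # the reply, or a new flow the other way
    print("request, 'in' only :", svi_filter(req, "10.3.12.0/24", acl_in))
    print("reply,   'in' only :", svi_filter(rep, "10.3.12.0/24", acl_in))
    print("reply,   in + out  :", svi_filter(rep, "10.3.12.0/24", acl_in, acl_out))
```

Run as a script, the first line shows the echo request denied by sequence 50 in the "in" direction, which is the whole reason the ping times out: the request never leaves the VLAN, so nothing about the "in" ACL is two-directional. The second line shows that a packet sourced in 10.3.3.0/24 and routed toward the mobile VLAN is not evaluated against the "in" list at all, and the third shows that once a stateless "out" ACL is bound it drops the ping reply just as readily as a new connection, which is the trade-off the stateless-versus-stateful reply above is pointing at.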