IOS confusing ACL questions?

All my questions are on a 6500 switch running IOS.

Can you put an access list on any interface whether it has an IP or not? Does it matter if the port is in access or routing mode?

Another thing that confuses me is whether you apply the ACL in or out. Let's say I have several VLANs but I don't want this particular VLAN to access another VLAN except for port 80. Do I block all IP except port 80 going into my interface, or block it going out of the VLAN?

Another problem I have is: what if I have a VLAN with all my servers on it and 10 others with workstations and printers? I only want to allow ports 445 and 135-7 to the servers VLAN, but I want the servers VLAN full IP access to the workstations and printers. Do I put the ACL on the outbound of the servers VLAN, or the ACL on the inbound?

Last, what will the IOS with the firewall feature give over the standard IOS?

Thanks

Reply to
Michael Letchworth

Hi Michael,

Yes; however, be aware that it can depend on what TYPE of ACL you want to use, as some are restricted to the mode of use of the interface. E.g. a MAC ACL (i.e. 7xx) only works on interfaces in Layer 2 mode (which CANNOT have an IP). However, a Layer 3 ACL will work on a Layer 3 interface regardless of whether it is unnumbered or not.

No.

While either works, the generally accepted practice is to apply an ACL INBOUND on an interface. This means that the CPU/chipset only ever gets to see data that is wanted, and not data that is later dropped. HOWEVER, see the following 2 replies!

If the ACL is to apply to multiple interfaces that are all members of a single VLAN, then put the ACL on the VLAN. Fewer ACL application points are better than multiple ACL application points.

The key here is the part that reads "I only want to allow port 445,135-7 to the servers vlan". In this case I would apply the ACL OUTBOUND on the Server VLAN. This ensures all workstation VLANs are handled regardless of which SOURCE VLANs are used. Then you need to ensure this is exactly what you want....;-)

Firewall IOS looks more towards general Network use than pure data packets, i.e. its rules apply to a particular conversation. It used to be called CBAC - Context Based Access Control, which I thought describes what it does quite well. It applies a set of logical data flow rules around a conversation between 2 points, so it needs to know how specific protocols work, and allows you to provide limitations to that TYPE of traffic to try and ensure that flow is valid and follows expectations. My feeling is that it's more designed to catch UNNATURAL or irregular conversations, rather than specific issues as such. I would definitely NOT use Firewall IOS as a full featured Firewall; it is not designed for that.

Cheers................pk.

Reply to
Peter

So if I have an interface trunking VLANs, can I apply an ACL on it? Basically I have a 6500 as our core switch that connects all our buildings together, then this trunked interface connects to our server switch (Extreme). I'd rather keep all the ACLs in the Cisco.

Just out of curiosity, if a workstation sent a denial of service to the server's IP on the servers VLAN, would it affect the server? If outbound was blocked on the server VLAN, does that mean that data is allowed into the VLAN but no return packet?

Reply to
Michael Letchworth

Hi Michael,

I have never applied an ACL to a trunk, so I can't quantitatively reply; however, as a trunk can be built as either a Layer 2 or Layer 3 trunk, I would assume you could apply an appropriate ACL to that interface. Personally, I would prefer to place an ACL at the Physical (Layer 2) level rather than at the Logical (Layer 3) level for most of the larger Switch environments (such as a 6500); the H/W is set up to handle most ACLs, which is faster/more efficient than processing it in S/W.

As a comparison, we use 6500's at each site feeding 3650's for the workstations. We place most ACLs on the 6500 interfaces or VLANs, while MOST (but not all) lower level stuff like QoS for VoIP is on the 3650's.

Try to prefer placing ACLs on the devices that can apply your ACLs IN HARDWARE, rather than in Software. The 3650's and 6500 port cards are generally better at doing this than other devices.

Yes, this is not a good scenario. Generally, you are much better off killing bad traffic BEFORE it reaches the inbound port and requires further Network processing, than doing it at the Outbound stage.

Cheers.....................pk.

Reply to
Peter
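To make the in/out discussion in the two replies above concrete (the single OUTBOUND ACL on the servers VLAN, and Michael's follow-up about return packets), here is an added example that is not part of the thread: a small Python model of how an IOS extended ACL bound to an SVI is evaluated. The ACL lines use IOS syntax (`permit tcp any 10.0.10.0 0.0.0.255 eq 445`) but are parsed by the script, not by a switch; the addressing (VLAN 10 = servers 10.0.10.0/24, VLANs 20-29 = workstations 10.0.2x.0/24) and the hosts are assumptions chosen for the walk-through.

```python
# Added example, not code from the thread: a toy model of IOS extended ACL
# evaluation on SVIs.  VLAN numbers and addresses below are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None
    ack: bool = False          # TCP ACK/RST set -> what "established" matches


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[range]    # None = any destination port
    established: bool = False


def _wildcard_prefix(wild: str) -> int:
    """IOS wildcard mask (e.g. 0.0.0.255) -> prefix length; contiguous masks only."""
    w = int(ipaddress.IPv4Address(wild))
    if w != (1 << w.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wild} not modelled")
    return 32 - w.bit_length()


def _addr(tok: list, i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(f"{tok[i + 1]}/32"), i + 2
    net = ipaddress.IPv4Network(f"{tok[i]}/{_wildcard_prefix(tok[i + 1])}", strict=False)
    return net, i + 2


def parse_acl(text: str) -> list:
    """Parse a subset of IOS extended-ACL syntax: eq / range / established."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[0], tok[1]
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        dports, established = None, False
        while i < len(tok):
            if tok[i] == "eq":
                dports, i = range(int(tok[i + 1]), int(tok[i + 1]) + 1), i + 2
            elif tok[i] == "range":
                dports, i = range(int(tok[i + 1]), int(tok[i + 2]) + 1), i + 3
            elif tok[i] == "established":
                established, i = True, i + 1
            else:
                raise ValueError(f"unsupported keyword {tok[i]!r} in {line!r}")
        acl.append(Ace(action, proto, src, dst, dports, established))
    return acl


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching ACE wins; every IOS ACL ends in an implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dports is not None and pkt.dport not in ace.dports:
            continue
        if ace.established and not pkt.ack:
            continue
        return ace.action
    return "deny"


# Assumed addressing: VLAN 10 = servers, VLANs 20..29 = workstations and printers.
SVIS = {10: ipaddress.IPv4Network("10.0.10.0/24")}
SVIS.update({v: ipaddress.IPv4Network(f"10.0.{v}.0/24") for v in range(20, 30)})


def vlan_of(ip: str) -> int:
    a = ipaddress.IPv4Address(ip)
    return next(v for v, net in SVIS.items() if a in net)


def route(pkt: Packet, bindings: dict, acls: dict):
    """bindings: {(vlan, 'in' | 'out'): acl_name}.  Returns (verdict, where)."""
    ingress, egress = vlan_of(pkt.src), vlan_of(pkt.dst)
    if ingress == egress:
        # Same-VLAN traffic is bridged and never touches the SVI's ACLs (VACL territory).
        return "permit", "same VLAN, SVI ACLs not consulted"
    for vlan, direction in ((ingress, "in"), (egress, "out")):
        name = bindings.get((vlan, direction))
        if name and evaluate(acls[name], pkt) == "deny":
            return "deny", f"vlan{vlan} {direction} ({name})"
    return "permit", "no matching deny"


# The policy from the thread, written as IOS ACEs (constructed for this example).
SERVERS_OUT = """
permit tcp any 10.0.10.0 0.0.0.255 eq 445
permit tcp any 10.0.10.0 0.0.0.255 range 135 137
"""
# Same policy plus a line that lets replies to server-initiated TCP sessions back in.
SERVERS_OUT_WITH_REPLIES = SERVERS_OUT + "permit tcp any 10.0.10.0 0.0.0.255 established\n"


def scenario(acl_text: str) -> dict:
    """Bind the ACL OUTBOUND on the servers SVI only (one application point) and try packets."""
    acls = {"SERVERS-OUT": parse_acl(acl_text)}
    bindings = {(10, "out"): "SERVERS-OUT"}
    ws, srv = "10.0.25.7", "10.0.10.5"          # assumed hosts in VLAN 25 and VLAN 10
    return {
        "ws->srv smb": route(Packet("tcp", ws, srv, 445), bindings, acls)[0],
        "ws->srv http": route(Packet("tcp", ws, srv, 80), bindings, acls)[0],
        "ws->srv rpc": route(Packet("tcp", ws, srv, 136), bindings, acls)[0],
        "srv->ws syn": route(Packet("tcp", srv, ws, 80), bindings, acls)[0],
        "ws->srv reply": route(Packet("tcp", ws, srv, 51234, ack=True), bindings, acls)[0],
    }


if __name__ == "__main__":
    for label, text in (("plain", SERVERS_OUT), ("with established", SERVERS_OUT_WITH_REPLIES)):
        print(label, scenario(text))
```

Running it shows both halves of the answer: one outbound ACL on the servers SVI catches every source VLAN without ten inbound bindings, and the server's own outbound connections are untouched because they exit through a workstation SVI that carries no ACL. The catch is the last case: the workstation's reply to a session the server opened has to leave the router through the servers SVI, where the same stateless ACL drops it, so the policy as written gives the servers "full IP access" only until the first reply. IOS's stateless answer is the `established` keyword shown in the second ACL (it matches any TCP segment with ACK or RST set, so it is a weak check); tracking the actual conversation is what CBAC/Firewall IOS in Peter's reply adds. Traffic between two hosts in the same VLAN never reaches the SVI ACL at all, which is the VACL case.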

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.