ACL processing question for my Catalyst 6513

I have a small network of about 300 nodes running on our Cat6513. I want verification of my ACL thoughts. Let's say I have an ACL on my Global inbound port (6/48-in) that states permit ip any 192.13.43.0 0.0.0.127.

Now, also in the 6513, I have a vlan (Vlan2). This vlan's IP subnet is 192.13.43.0 0.0.0.127. This Vlan has an ACL on its inbound port (vlan2-in).

A person tries to connect to 192.13.43.80 over tcp port 53. If 6/48-in has a permit ip any 192.13.43.0 0.0.0.127, but Vlan2-in has a deny tcp any host 192.13.43.80 eq 53, will the packet make it through?

I guess the basic question is - since both ACLs reside in the same router, if the first one permits the traffic, does the traffic 'skip' past the second ACL?

The boss and I have a free lunch riding on this one!

Reply to
05hammer

Generous provision there!

Those ACLs are badly specced - they don't do what you seem to think they will, but I think that's irrelevant to what you ask below.

Nope. As the packet arrives at the box the inbound ACL decides whether the packet is accepted at all. Once inside the box the routing and switching process (I use the terms loosely) decides which port to send the packet out of. The outbound ACL on that port decides whether the packet is transmitted or not. You also have to remember that, unlike a firewall, ACLs apply to packets, not connections. Packets in both directions for a particular communication have to be explicitly allowed by separate lists (unless you're using reflexive access lists or the firewall feature set, which you can't on a 6513 IIRC).

One of you is going to get a free lunch, but I can't tell which of you it is.

Sam

Reply to
Sam Wilson
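To make Sam's point concrete, here is a small added model (not Cisco code and not from anyone in this thread) of how IOS-style extended ACLs are evaluated: wildcard-mask matching, first match wins, implicit deny at the end of each list, and every list on the packet's path evaluated in turn. The ACLs are the two from the question; the trailing `permit ip any any` on Vlan2-in and the source address 10.0.0.5 are my own additions so that non-DNS traffic has something to match.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "ip", "tcp" or "udp"
    src: str
    dst: str
    dport: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _addr_spec(tokens, i):
    """Consume one address spec ('any', 'host X', or 'X wildcard') at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def ace_matches(line: str, pkt: Packet) -> tuple:
    """Parse one ACE of the form 'permit|deny <proto> <src> <dst> [eq <port>]'
    (a constructed subset of IOS syntax) and return (matched, action)."""
    t = line.split()
    action, proto = t[0], t[1]
    src, swc, i = _addr_spec(t, 2)
    dst, dwc, i = _addr_spec(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    ok = (proto == "ip" or proto == pkt.proto) \
        and wildcard_match(pkt.src, src, swc) \
        and wildcard_match(pkt.dst, dst, dwc) \
        and (dport is None or dport == pkt.dport)
    return ok, action


def evaluate_acl(acl_lines, pkt: Packet) -> bool:
    """First matching entry wins; no match means the implicit deny applies."""
    for line in acl_lines:
        matched, action = ace_matches(line, pkt)
        if matched:
            return action == "permit"
    return False


def forward(acls, pkt: Packet) -> tuple:
    """Evaluate every ACL on the path in order; an earlier permit never
    exempts the packet from a later list. Returns (permitted, blocking_acl)."""
    for name, lines in acls:
        if not evaluate_acl(lines, pkt):
            return False, name
    return True, None


PORT_6_48_IN = ["permit ip any 192.13.43.0 0.0.0.127"]
VLAN2_IN = ["deny tcp any host 192.13.43.80 eq 53", "permit ip any any"]
PATH = [("6/48-in", PORT_6_48_IN), ("Vlan2-in", VLAN2_IN)]
DNS_PKT = Packet("tcp", "10.0.0.5", "192.13.43.80", 53)   # constructed sample
```

Running `forward(PATH, DNS_PKT)` yields `(False, "Vlan2-in")`: the first list permits the packet, but it is still dropped by the second.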

Thanks Sam. I get a free lunch. I thought that is how it worked. He thought that since the packet isn't leaving the router, any other ACLs I have on the vlan inbound connections are useless, only the outbound connections on the vlans are used with the ACLs.

Now, how big of a jerk should I be? McDonalds or Texas Roadhouse? ;-)

Reply to
robert.austin.ctr
