ACLs, Loopbacks & choosing where to put them

Greenmet29:
So I've been studying ACLs for the past couple of nights. The first night I was studying via a remote connection, so I didn't have physical access to my lab. No problem, I thought, until I started trying to apply the ACLs to loopback interfaces. Long story short (really not that long of a story): if I applied the ACL to the interface coming into the router it worked, but if I applied it to the loopback (either direction) it wouldn't. Is there a reason for this, or is it just something I have to live with?

My second question is this: I am under the impression that with a standard ACL you want to apply it to the interface closest to the destination, thereby denying access to the least amount of resources. As I'm reading Odom's ICND2 book (second edition), on page 242 there is a diagram, and it says something to the effect of 'if you apply the ACL on the outgoing interface of the router closest to the sending host, a link could go down, the network can converge, and your host could have access to the forbidden resource'. Wouldn't it be better just to put it on the router closest to the destination resource?

TIA!

Comments

  • onesaint:
    Greenmet29 wrote: »
    My second question is this: I am under the impression that with a standard ACL you want to apply it to the interface closest to the destination, thereby denying access to the least amount of resources. As I'm reading Odom's ICND2 book (second edition), on page 242 there is a diagram, and it says something to the effect of 'if you apply the ACL on the outgoing interface of the router closest to the sending host, a link could go down, the network can converge, and your host could have access to the forbidden resource'. Wouldn't it be better just to put it on the router closest to the destination resource?

    Standard ACLs should be placed closest to the destination (i.e., the outbound interface of the router closest to the destination). The reason for this is to allow other possible traffic from the subnet/host you are trying to filter (e.g., you want to deny traffic to one subnet, but permit it to another).

    I think what Odom is trying to demonstrate is that you should place the ACL closest to the destination (in agreement with you). Odom notes that placing the ACL on the outbound interface of the router closest to the source means the traffic has to be routed through that interface (S0/0) in order to be reviewed by the ACL. So, if the ACL is on int S0/0 and a better route is found through int S0/1, then the packets won't ever be reviewed by the ACL (which is on int S0/0), as they won't be routed through that interface.
  • apr911:
    For testing purposes, I don't know that Cisco really cares how the ACLs are applied, just as long as they are applied in the correct manner to do what is asked.

    Personally, I disagree with using outbound ACLs on the interface closest to the destination. As has already been noted, if you have 2 provider networks coming in, there is the possibility that you can route out a different interface and get to the restricted host. Additionally, all traffic will traverse your device before being stopped by an access list, which can tie up CPU cycles, because the routing decision has been made and the packet recreated before being caught by the ACL.

    I prefer inbound ACLs on the interface closest to the source. It stops the traffic from traversing the host, which means no overhead choosing routes and reforming the packets before being caught.
  • Greenmet29:
    Ok, so on page 250 in example 1, my first thought (before I looked at the config used) was to put an ACL on R2 that looked something like this:
    ! define the list first, then bind it to the interface
    access-list 150 deny tcp host 172.16.2.10 host 172.16.1.100 eq 80
    access-list 150 permit ip any any
    !
    interface e0
     ip access-group 150 in
    

    and then have another ACL on R3, something to the effect of:
    ! define the list first, then bind it to the interface
    access-list 150 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq 21
    access-list 150 permit ip any any
    !
    interface e0
     ip access-group 150 in
    

    The reason I would do this is to minimize the amount of wasted bandwidth/processor cycles on the network. Would this be incorrect? I understand that he probably does it just so that it's only on one router, but Cisco recommends that you place an extended ACL as close to the source as possible, which would be what I suggest. Maybe I'm just too **** about things.
  • Greenmet29:
    apr911 wrote: »
    Personally, I disagree with using outbound ACLs on the interface closest to the destination. As has already been noted, if you have 2 provider networks coming in, there is the possibility that you can route out a different interface and get to the restricted host. Additionally, all traffic will traverse your device before being stopped by an access list, which can tie up CPU cycles, because the routing decision has been made and the packet recreated before being caught by the ACL.

    I don't understand this... if I put a standard ACL on the outbound interface closest to the host, how is there any possibility that it would be allowed through? I could see it if you said "Personally, I disagree with using outbound ACLs on the interface closest to the source".
    apr911 wrote: »
    I prefer inbound ACLs on the interface closest to the source. It stops the traffic from traversing the host, which means no overhead choosing routes and reforming the packets before being caught.

    I think you're speaking of extended ACLs. In the OP I was referring to standard ACLs. If I put a standard ACL inbound on the interface closest to the source, it would deny that host everything that is out that interface.
  • Greenmet29:
    Greenmet29 wrote: »
    Ok, so on page 250 in example 1, my first thought (before I looked at the config used) was to put an ACL on R2 that looked something like this:
    ! define the list first, then bind it to the interface
    access-list 150 deny tcp host 172.16.2.10 host 172.16.1.100 eq 80
    access-list 150 permit ip any any
    !
    interface e0
     ip access-group 150 in
    

    and then have another ACL on R3, something to the effect of:
    ! define the list first, then bind it to the interface
    access-list 150 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq 21
    access-list 150 permit ip any any
    !
    interface e0
     ip access-group 150 in
    

    The reason I would do this is to minimize the amount of wasted bandwidth/processor cycles on the network. Would this be incorrect? I understand that he probably does it just so that it's only on one router, but Cisco recommends that you place an extended ACL as close to the source as possible, which would be what I suggest. Maybe I'm just too **** about things.

    Maybe I'll read the next page before posting next time :D
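The placement argument running through this thread (onesaint's "standard ACL on the outbound interface closest to the destination", apr911's "extended ACL inbound closest to the source", Odom's warning that reconvergence can route around an outbound ACL placed near the source, and Greenmet29's point that a standard ACL inbound near the source denies that host everything) can be checked against a small model instead of a lab. The following is an added example written for this page, not code from the thread or from Odom's book. It implements IOS numbered-ACL matching (first match wins, wildcard masks where a 1 bit means "don't care", the implicit deny at the end of every list) and the IOS order of operations on a router (inbound ACL on the ingress interface, route lookup, outbound ACL on the egress interface). ACL 150 is the one posted above for R2; ACL 10, the interface names s0/s1, the two routers' route tables and the test packets are assumptions made for the illustration.

```python
"""Cisco IOS numbered-ACL semantics (first match wins, implicit deny, wildcard masks)
and the IOS order of operations on a router (inbound ACL, route lookup, outbound ACL).
Added example for this thread, not from the book: ACL 150 is the one posted for R2;
ACL 10, the interface names s0/s1, the route tables and the packets are assumed."""
import ipaddress
from dataclasses import dataclass

def _ip(s): return int(ipaddress.IPv4Address(s))

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"     # ip | tcp | udp | icmp
    sport: int = 0
    dport: int = 0

def _parse_addr(tok, i):
    """'any' | 'host A' | 'A WILDCARD' | bare 'A' (IOS reads a bare A as host A)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():   # next token is a wildcard mask
        return _ip(tok[i]), _ip(tok[i + 1]), i + 2
    return _ip(tok[i]), 0, i + 1

def _parse_port(tok, i):
    """Optional 'eq N'; gt/lt/range are not modelled."""
    if i + 1 < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

class ACL:
    """Entries: (action, proto, snet, swild, sport, dnet, dwild, dport); port None = any port,
    proto 'ip' = any protocol. Standard ACLs (1-99, 1300-1999) match on the source only."""
    def __init__(self, lines):
        self.entries = []
        for line in lines:
            tok = line.split()                  # access-list NUMBER ACTION ...
            number, action = int(tok[1]), tok[2]
            if number < 100 or 1300 <= number <= 1999:
                snet, swild, _ = _parse_addr(tok, 3)
                self.entries.append((action, "ip", snet, swild, None, 0, 0xFFFFFFFF, None))
            else:                               # extended: PROTO SRC [eq N] DST [eq N]
                snet, swild, i = _parse_addr(tok, 4)
                sport, i = _parse_port(tok, i)
                dnet, dwild, i = _parse_addr(tok, i)
                dport, _ = _parse_port(tok, i)
                self.entries.append((action, tok[3], snet, swild, sport, dnet, dwild, dport))

    @staticmethod
    def _match(addr, net, wild):
        keep = ~wild & 0xFFFFFFFF               # a 1 bit in the wildcard means "don't care"
        return addr & keep == net & keep

    def evaluate(self, p):
        """Action of the first matching entry; no match at all is the implicit deny."""
        for action, proto, snet, swild, sport, dnet, dwild, dport in self.entries:
            if (proto in ("ip", p.proto) and sport in (None, p.sport) and dport in (None, p.dport)
                    and self._match(_ip(p.src), snet, swild) and self._match(_ip(p.dst), dnet, dwild)):
                return action
        return "deny"

class Router:
    """ifaces: name -> (acl_in, acl_out); routes: prefix -> egress interface name."""
    def __init__(self, ifaces, routes):
        self.ifaces = ifaces
        self.routes = {ipaddress.ip_network(n): i for n, i in routes.items()}

    def forward(self, p, ingress):
        """IOS order: inbound ACL on the ingress interface, route lookup, outbound ACL."""
        acl_in, _ = self.ifaces[ingress]
        if acl_in and acl_in.evaluate(p) == "deny":
            return f"dropped by inbound ACL on {ingress}"
        hits = [n for n in self.routes if ipaddress.ip_address(p.dst) in n]
        if not hits:
            return "no route"
        egress = self.routes[max(hits, key=lambda n: n.prefixlen)]   # longest prefix wins
        _, acl_out = self.ifaces[egress]
        if acl_out and acl_out.evaluate(p) == "deny":
            return f"dropped by outbound ACL on {egress}"
        return f"forwarded via {egress}"

ACL150 = ACL(["access-list 150 deny tcp host 172.16.2.10 host 172.16.1.100 eq 80",
              "access-list 150 permit ip any any"])      # as posted above for R2
ACL10 = ACL(["access-list 10 deny host 172.16.2.10",      # assumed standard ACL: it can
             "access-list 10 permit any"])                # only name the source

def r2(e0_in=None, s0_out=None, net1_via="s0"):
    """R2 (assumed): e0 faces 172.16.2.0/24; s0 and s1 are two paths toward 172.16.1.0/24."""
    return Router({"e0": (e0_in, None), "s0": (None, s0_out), "s1": (None, None)},
                  {"172.16.2.0/24": "e0", "172.16.1.0/24": net1_via, "0.0.0.0/0": "s0"})

def r1(e0_out=None):
    """R1 (assumed): e0 faces the server subnet 172.16.1.0/24, closest to the destination."""
    return Router({"e0": (None, e0_out), "s0": (None, None), "s1": (None, None)},
                  {"172.16.1.0/24": "e0", "172.16.2.0/24": "s0", "172.16.3.0/24": "s1"})

WEB = Packet("172.16.2.10", "172.16.1.100", "tcp", 40000, 80)     # constructed test traffic
TLS = Packet("172.16.2.10", "172.16.1.100", "tcp", 40001, 443)
R3_FTP = Packet("172.16.2.10", "172.16.3.10", "tcp", 40002, 21)
```

Running the four placements against the same packets reproduces each claim made in the thread: `r2(e0_in=ACL150)` drops only 172.16.2.10's port-80 traffic to 172.16.1.100 and forwards its HTTPS and its traffic to 172.16.3.10; `r2(e0_in=ACL10)` (a standard ACL inbound near the source) drops everything that host sends, including traffic to 172.16.3.10; `r2(s0_out=ACL10)` drops the web packet until `net1_via="s1"` models reconvergence, after which the packet leaves via s1 and the ACL on s0 is never consulted; `r1(e0_out=ACL10)` drops only what is headed into 172.16.1.0/24. Note that an ACL with no explicit permit, such as one containing only a `permit tcp any any eq 22`, denies all other traffic because of the implicit deny, which is why both posted lists end with `permit ip any any`.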