ACLs, Loopbacks & choosing where to put them

So i've been studyin ACLs for the past couple nights. The first night I was studying via a remote connection so I didn't have physical access to my lab. No problem, I thought, until I started trying to apply the ACLs to loopback interfaces. Long story short (really not that long of a story) If I applied the ACL to the interface coming into the router it worked, but if I applied it to the loopback (either direction) it wouldn't. Is there a reason for this or is it just something I have to live with?

My second question is this.. I am under the impression that with a standard ACL you want to apply it to the interface closest to the destination, thereby denying access to the least amount of resources. As i'm reading odems ICND2 book (second edition), on page 242, there is a diagram and it says something to the effect of 'if you apply the acl on the outgoing interface of the router closest to the sending host, a link could go down, the network can converge, and your host could have access to the forbidden resource. Wouldn't it be better just to put it on the router closest to the destination resource?

TIA!

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

onesaint

Greenmet29 wrote: »

My second question is this.. I am under the impression that with a standard ACL you want to apply it to the interface closest to the destination, thereby denying access to the least amount of resources. As i'm reading odems ICND2 book (second edition), on page 242, there is a diagram and it says something to the effect of 'if you apply the acl on the outgoing interface of the router closest to the sending host, a link could go down, the network can converge, and your host could have access to the forbidden resource. Wouldn't it be better just to put it on the router closest to the destination resource?

Standard ACLs should be placed closest to the destination (i.e., outbound int of router closest to destination). The reason for this is to allow other possible traffic from the subnet/host you are trying to filter (e.g., want to deny traffic to one subnet, but permit it to another).

I think what Odom is trying to demonstrate is that you should place the ACL closest to the destination (in agreement with you). Odom notes placing the ACL on the outbound interface of the router closest to the source means the traffic has to be routed through that interface (S0/0) in order to be reviewed by the ACL. So, if the ACL is on int s0/0 and a better route if found through int S0/1, then the packets won't ever be reviewed by the ACL (which is on int S0/0) as they won't be routed through that interface.

apr911

For testing purposes, dont know that Cisco really cares how the ACLs are applied just as long as they are applied in the correct manner to do what is asked.

Personally, I disagree with using outbound ACLs on the interface closest to the destination. As has already been noted, if you have 2 provider networks coming in, there is the possibility that you can route out a different interface and get to the restricted host. Additionally, all traffic will traverse your device before being stopped by an access-list which can tie up cpu cycles because the routing decision has been made and the packet recreated before being caught by the ACL.

I prefer inbound ACLs on the interface closest to the source. It stops the traffic from traversing the host which means no overhead choosing routes and reforming the packets before being caught.

Greenmet29

Ok.. so on page 250 in example 1, my first thought (before I looked at the config used) was to put an ACL on R2 that looked something like this:

int e0
ip access-group 150 in 

access-list 150 deny tcp host 172.16.2.10 host 172.16.1.100 eq 80
access-list 150 permit ip any any

and then have another ACL on R3, something to the effect of:

int e0
ip access-group 150 in

access-list 150 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq 21
access-list 150 permit ip any any

The reason I would do this is to minimize the amount of wasted bandwidth/processor cycles on the network. Would this be incorrect? I understand that he probably does it just so that it's only on one router, but cisco recommends that you place an extended acl as close to the source as possible, which would be what I suggest. Maybe i'm just too **** about things

Greenmet29

apr911 wrote: »

Personally, I disagree with using outbound ACLs on the interface closest to the destination. As has already been noted, if you have 2 provider networks coming in, there is the possibility that you can route out a different interface and get to the restricted host. Additionally, all traffic will traverse your device before being stopped by an access-list which can tie up cpu cycles because the routing decision has been made and the packet recreated before being caught by the ACL.

I don't understand this... if I put a standard acl on the outbound int closest to the host, how is there any possibility that it would be allowed through? I can see if you said "Personally, I disagree with using outbound ACLs on the interface closest to the source".

apr911 wrote: »

I prefer inbound ACLs on the interface closest to the source. It stops the traffic from traversing the host which means no overhead choosing routes and reforming the packets before being caught.

I think you're speaking of extended ACLs.. In the OP I was referring to standard ACLs. If I put a standard ACL incoming on the int closest to the source, it would deny that host of everything that is out that interface.

Greenmet29

Greenmet29 wrote: »
Ok.. so on page 250 in example 1, my first thought (before I looked at the config used) was to put an ACL on R2 that looked something like this:
int e0
ip access-group 150 in 

access-list 150 deny tcp host 172.16.2.10 host 172.16.1.100 eq 80
access-list 150 permit ip any any
and then have another ACL on R3, something to the effect of:
int e0
ip access-group 150 in

access-list 150 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq 21
access-list 150 permit ip any any
The reason I would do this is to minimize the amount of wasted bandwidth/processor cycles on the network. Would this be incorrect? I understand that he probably does it just so that it's only on one router, but cisco recommends that you place an extended acl as close to the source as possible, which would be what I suggest. Maybe i'm just too **** about things

Maybe I'll read the next page before posting next time