ip unnumbered acls
vinbuck
Having a bit of a tech debate at work and wanted to get y'alls opinion on it.
When deploying ip unnumbered on dot1q subinterfaces like so [config is sanitized for the web]:
interface Loopback123
 ip vrf forwarding testVRF
 ip address 192.168.1.1 255.255.0.0
interface GigabitEthernet1/1.500
 encapsulation dot1q 500
 ip vrf forwarding testVRF
 ip unnumbered Loopback123
interface GigabitEthernet1/1.501
 encapsulation dot1q 501
 ip vrf forwarding testVRF
 ip unnumbered Loopback123
interface GigabitEthernet1/1.502
 encapsulation dot1q 502
 ip vrf forwarding testVRF
 ip unnumbered Loopback123
... and so on for the dot1q subinterfaces
Where would you put the ACL to restrict traffic? On the subinterface or on the loopback, and why?
Comments
networker050184
I'd say on the actual interface, as that is where an ACL would be applied in the traffic path in hardware. The traffic isn't actually going to be destined to the loopback interface for inspection.
vinbuck
That was one of the arguments, but CEF shows the loopback as the interface tied to the subnet for IP forwarding, so the counterargument is: would it be better to have one ACL to evaluate, or potentially dozens on the subinterfaces for the long term?
networker050184
Well, the first thing I would do is test it and see which place actually accomplishes the goal. Then you can plan from there.
Personally I'd rather have one per interface. Makes it easier to clean up if an interface goes away.
vinbuck
Working on testing it in GNS3 right now. Just to clarify, why would it be easier to clean up? If the loopback were to go away then none of the subinterfaces would work, but if the ACL is on the loopback then it makes no difference how many subinterfaces are added and deleted.
Thanks for the response. Not sure if it will block the traffic through the router with the ACL on the loop or not; will let y'all know!
networker050184
So is the ACL one static ACL, or will you be updating it for different communication per interface? If it's just one ACL that will never change, it makes sense on the loopback (though I don't think that will accomplish what you want, but that's just a guess), but if these are customer interfaces and the ACL will be changing then I'd go with one per subinterface. Just easier to manage IMO.
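Added example, not from the thread or any poster: a small Python helper that renders the per-subinterface config the debate is about and audits an existing config for unnumbered subinterfaces that have no ACL bound. Two points it makes concrete. First, "dozens of ACLs" is really one named ACL with dozens of `ip access-group ... in` bindings; the ACL body is defined once and referenced from every subinterface, so a rule change is still a single edit. Second, `ip access-group` on the loopback is never consulted for frames arriving on the subinterfaces: the loopback only lends its address, transit packets do not traverse it, so the audit treats a loopback binding as doing nothing. The ACL name `CUST-IN`, the parent interface name and the permit/deny rules are assumptions chosen for illustration; the embedded sample config is constructed, modelled on the sanitized config in the post, with one subinterface deliberately missing its binding and a useless binding on the loopback.

```python
"""Render and audit ACL placement for ip unnumbered dot1q subinterfaces."""
import re

# Assumed names (illustrative, modelled on the sanitized post; not real config).
LOOPBACK = "Loopback123"
VRF = "testVRF"
ACL_NAME = "CUST-IN"
PARENT = "GigabitEthernet1/1"


def render_acl(name: str, subnet: str, wildcard: str) -> str:
    """One named extended ACL, defined once and bound on every subinterface.
    Assumed policy: permit sources inside the loopback's subnet, deny and log
    everything else."""
    return "\n".join([
        f"ip access-list extended {name}",
        f" permit ip {subnet} {wildcard} any",
        " deny ip any any log",
    ])


def render_subif(vlan: int, acl: str = ACL_NAME) -> str:
    """Subinterface stanza for one VLAN. The ACL is bound here, on the
    ingress path; a binding on the loopback would not see this traffic."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} outside 1-4094")
    return "\n".join([
        f"interface {PARENT}.{vlan}",
        f" encapsulation dot1q {vlan}",
        f" ip vrf forwarding {VRF}",
        f" ip unnumbered {LOOPBACK}",
        f" ip access-group {acl} in",
    ])


def render_config(vlans, subnet="192.168.0.0", wildcard="0.0.255.255") -> str:
    """Full fragment: the ACL body once, then one stanza per VLAN."""
    parts = [render_acl(ACL_NAME, subnet, wildcard)]
    parts += [render_subif(v) for v in vlans]
    return "\n!\n".join(parts) + "\n"


_IFACE = re.compile(r"^interface (\S+)")


def _stanzas(config: str):
    """Yield (interface name, list of stripped body lines) per stanza."""
    name, body = None, []
    for line in config.splitlines():
        m = _IFACE.match(line)
        if m:
            if name:
                yield name, body
            name, body = m.group(1), []
        elif name is not None:
            body.append(line.strip())
    if name:
        yield name, body


def audit_unnumbered(config: str, acl: str = ACL_NAME) -> list:
    """Interfaces that borrow an address via `ip unnumbered` but have no
    `ip access-group <acl> in`. Run this after adding or deleting
    subinterfaces; a binding on the loopback is neither counted nor useful."""
    return [
        name for name, body in _stanzas(config)
        if any(l.startswith("ip unnumbered ") for l in body)
        and f"ip access-group {acl} in" not in body
    ]


# Constructed sample (not from the post): .501 is missing its binding and the
# loopback carries a binding that filters nothing.
SAMPLE_CONFIG = """\
interface Loopback123
 ip vrf forwarding testVRF
 ip address 192.168.1.1 255.255.0.0
 ip access-group CUST-IN in
!
interface GigabitEthernet1/1.500
 encapsulation dot1q 500
 ip vrf forwarding testVRF
 ip unnumbered Loopback123
 ip access-group CUST-IN in
!
interface GigabitEthernet1/1.501
 encapsulation dot1q 501
 ip vrf forwarding testVRF
 ip unnumbered Loopback123
!
interface GigabitEthernet1/1.502
 encapsulation dot1q 502
 ip vrf forwarding testVRF
 ip unnumbered Loopback123
 ip access-group CUST-IN in
"""


if __name__ == "__main__":
    print(render_config([500, 501, 502]))
    print("unprotected:", audit_unnumbered(SAMPLE_CONFIG))
```

Running the block prints the rendered fragment and then reports `GigabitEthernet1/1.501` as the only unprotected subinterface; the loopback binding does not rescue it. Feeding a `show running-config` capture into `audit_unnumbered` is the long-term cleanup check networker050184 alludes to: when a subinterface is deleted its binding goes with it, and when one is added the audit says whether the binding was forgotten.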