ip unnumbered acls

vinbuckvinbuck M&C: Far Side of the NetMember Posts: 785 ■■■■□□□□□□
in CCNP
Having a bit of a tech debate at work and wanted to get y'alls opinion on it.

When deploying ip unnumbered on dot1q subinterfaces like so [config is sanitized for the web]:

interface loopback123
ip vrf forwarding testVRF
ip address 192.168.1.1 255.255.0.0

interface GigabitEthernet1/1.500
encapsulation dot1q 500
ip vrf forwarding testVRF
ip address unnumbered loopback123

interface GigabitEthernet1/1.501
encapsulation dot1q 501
ip vrf forwarding testVRF
ip address unnumbered loopback123

interface GigabitEthernet1/1.502
encapsulation dot1q 502
ip vrf forwarding testVRF
ip address unnumbered loopback123


.....and so on for the dot1q subinterfaces


Where would you put the acl to restrict traffic? On the subinterface or on the loopback and why?
Cisco was my first networking love, but my "other" router is a Mikrotik...
· Share on FacebookShare on Twitter

Comments

  • networker050184networker050184 Went to the dark side.... Mod Posts: 11,962 Mod
    I'd say on the actual interface as that is when an ACL would be applied in the traffic path in hardware. The traffic isn't actually going to be destined to the loopback interface for inspection.
    An expert is a man who has made all the mistakes which can be made.
    · Share on FacebookShare on Twitter
  • vinbuckvinbuck M&C: Far Side of the Net Member Posts: 785 ■■■■□□□□□□
    That was one of the arguments, but CEF shows the loopback as the interface tied to the subnet for IP forwarding, so the counterargument is would it be better to have one ACL to evaluate, or potentially dozens on the subinterfaces for the long term?
    Cisco was my first networking love, but my "other" router is a Mikrotik...
    · Share on FacebookShare on Twitter
  • networker050184networker050184 Went to the dark side.... Mod Posts: 11,962 Mod
    Well the first thing I would do is test it and see which place actually acomplishes the goal. Then you can plan from there.

    Personally I'd rather have one per interface. Makes it easier to clean up if an interface goes away.
    An expert is a man who has made all the mistakes which can be made.
    · Share on FacebookShare on Twitter
  • vinbuckvinbuck M&C: Far Side of the Net Member Posts: 785 ■■■■□□□□□□
    Working on testing it in GNS3 right now....just to clarify, why would it be easier to clean up? If the loopback were to go away then none of the subinterfaces would work but if the acl is at the loopback then it makes no difference how many subinterfaces are added and deleted.

    Thanks for the response...not sure if it will block the traffic through the router with the ACL on the loop or not....will let y'all know!
    Cisco was my first networking love, but my "other" router is a Mikrotik...
    · Share on FacebookShare on Twitter
  • networker050184networker050184 Went to the dark side.... Mod Posts: 11,962 Mod
    So is the ACL one static ACL or will you be updating it for different communication per interface? If its just one ACL that will never change it makes sense on the loopback (though I don't think that will accomplish what you want but thats just a guess), but if these are customer interfaces and the ACL will be changing then I'd go with one per sub interface. Just easier to manage IMO.
    An expert is a man who has made all the mistakes which can be made.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.