Quick ACL question

JayrodEFJayrodEF Member Posts: 111 ■□□□□□□□□□
Hey all,
I'm a bit confused coming across some ACLs that seem useless to me. I was hoping someone may be able to provide a rationale for doing something along these lines. This ACL is applied in the IN direction to a VLAN SVI with subnet 10.14.28.0/22. This is just part of the ACL, all the others are permits and then there's a permit ip any any at the bottom. So I'm confused as to what the point of these denies would even be as they seem to be just the subnet and broadcast IPs. Any ideas for a valid reason to do this?


60 deny icmp any host 10.14.31.255 log-input
70 deny icmp any host 10.14.28.0 log-input
80 deny icmp any host 10.255.255.255 log-input
90 deny icmp any host 10.0.0.0 log-input
100 deny icmp any host 255.255.255.255 log-input
110 deny ip host 10.14.28.2 host 10.14.28.2 log-input
120 deny ip host 10.14.28.1 host 10.14.28.1 log-input

Thanks in advance!

Comments

  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    Suppression of attempted smurf attacks and stealthing of what I presume are the gateway primary and secondary at .1 and .2.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • ram1101ram1101 Member Posts: 32 ■■□□□□□□□□
    i really dont use ACL on interfaces anymore is all about zone-based firewall now.
    i have seen some horrible acls applied to interfaces that really doesnt make any sense that zones allow me to create a cleaner config and more understandable the funny thing is that when im cleannig up i still see those horrible ACLs applied on interface

    for example allowing http from zoneLAN to Zone-WAN

    class-map type inspect match-any ZoneLAN-Zone-WAN
    match-protocol http

    policy-map type inspect ZoneLAN-Zone-WAN
    class ZoneLAN-Zone-WAN
    inspect log
    class class-default
    drop log

    zone-pair security ZoneLAN-Zone-WAN source ZoneLAN destination Zone-WAN
    service-policy type inspect ZoneLAN-Zone-WAN



    interface fa0/0
    zone member Zone-WAN

    Interface fa0/1
    zone member Zone-LAN
  • fadhilfadhil Member Posts: 200
    first what make me confused is that some are standard access list but it's application is extended access list. also remember that when we are using key word host, it is for single computer i.e single source or destination.
    forexample: the first line means that icmp message from any source to the destination host 10.14.31.255(single host) will be blocked. that single host can be a server or admin computer.

    also we may block broadcast icmp message ,this help to increase the performance of the network. as done in access list 100 deny icmp any ...................
Sign In or Register to comment.