Options
Quick ACL question
Hey all,
I'm a bit confused coming across some ACLs that seem useless to me. I was hoping someone may be able to provide a rationale for doing something along these lines. This ACL is applied in the IN direction to a VLAN SVI with subnet 10.14.28.0/22. This is just part of the ACL, all the others are permits and then there's a permit ip any any at the bottom. So I'm confused as to what the point of these denies would even be as they seem to be just the subnet and broadcast IPs. Any ideas for a valid reason to do this?
60 deny icmp any host 10.14.31.255 log-input
70 deny icmp any host 10.14.28.0 log-input
80 deny icmp any host 10.255.255.255 log-input
90 deny icmp any host 10.0.0.0 log-input
100 deny icmp any host 255.255.255.255 log-input
110 deny ip host 10.14.28.2 host 10.14.28.2 log-input
120 deny ip host 10.14.28.1 host 10.14.28.1 log-input
Thanks in advance!
I'm a bit confused coming across some ACLs that seem useless to me. I was hoping someone may be able to provide a rationale for doing something along these lines. This ACL is applied in the IN direction to a VLAN SVI with subnet 10.14.28.0/22. This is just part of the ACL, all the others are permits and then there's a permit ip any any at the bottom. So I'm confused as to what the point of these denies would even be as they seem to be just the subnet and broadcast IPs. Any ideas for a valid reason to do this?
60 deny icmp any host 10.14.31.255 log-input
70 deny icmp any host 10.14.28.0 log-input
80 deny icmp any host 10.255.255.255 log-input
90 deny icmp any host 10.0.0.0 log-input
100 deny icmp any host 255.255.255.255 log-input
110 deny ip host 10.14.28.2 host 10.14.28.2 log-input
120 deny ip host 10.14.28.1 host 10.14.28.1 log-input
Thanks in advance!
Comments
-
Options
docrice
Member Posts: 1,706 ■■■■■■■■■■
Suppression of attempted smurf attacks and stealthing of what I presume are the gateway primary and secondary at .1 and .2.Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/ -
Options
ram1101
Member Posts: 32 ■■□□□□□□□□
i really dont use ACL on interfaces anymore is all about zone-based firewall now.
i have seen some horrible acls applied to interfaces that really doesnt make any sense that zones allow me to create a cleaner config and more understandable the funny thing is that when im cleannig up i still see those horrible ACLs applied on interface
for example allowing http from zoneLAN to Zone-WAN
class-map type inspect match-any ZoneLAN-Zone-WAN
match-protocol http
policy-map type inspect ZoneLAN-Zone-WAN
class ZoneLAN-Zone-WAN
inspect log
class class-default
drop log
zone-pair security ZoneLAN-Zone-WAN source ZoneLAN destination Zone-WAN
service-policy type inspect ZoneLAN-Zone-WAN
interface fa0/0
zone member Zone-WAN
Interface fa0/1
zone member Zone-LAN -
Optionsfadhil
Member Posts: 200
first what make me confused is that some are standard access list but it's application is extended access list. also remember that when we are using key word host, it is for single computer i.e single source or destination.
forexample: the first line means that icmp message from any source to the destination host 10.14.31.255(single host) will be blocked. that single host can be a server or admin computer.
also we may block broadcast icmp message ,this help to increase the performance of the network. as done in access list 100 deny icmp any ...................