Options
ACLs, Loopbacks & choosing where to put them
Greenmet29
Member Posts: 240
in CCNA & CCENT
So i've been studyin ACLs for the past couple nights. The first night I was studying via a remote connection so I didn't have physical access to my lab. No problem, I thought, until I started trying to apply the ACLs to loopback interfaces. Long story short (really not that long of a story) If I applied the ACL to the interface coming into the router it worked, but if I applied it to the loopback (either direction) it wouldn't. Is there a reason for this or is it just something I have to live with?
My second question is this.. I am under the impression that with a standard ACL you want to apply it to the interface closest to the destination, thereby denying access to the least amount of resources. As i'm reading odems ICND2 book (second edition), on page 242, there is a diagram and it says something to the effect of 'if you apply the acl on the outgoing interface of the router closest to the sending host, a link could go down, the network can converge, and your host could have access to the forbidden resource. Wouldn't it be better just to put it on the router closest to the destination resource?
TIA!
My second question is this.. I am under the impression that with a standard ACL you want to apply it to the interface closest to the destination, thereby denying access to the least amount of resources. As i'm reading odems ICND2 book (second edition), on page 242, there is a diagram and it says something to the effect of 'if you apply the acl on the outgoing interface of the router closest to the sending host, a link could go down, the network can converge, and your host could have access to the forbidden resource. Wouldn't it be better just to put it on the router closest to the destination resource?
TIA!
Comments
-
Options
onesaint
Member Posts: 801
Greenmet29 wrote: »My second question is this.. I am under the impression that with a standard ACL you want to apply it to the interface closest to the destination, thereby denying access to the least amount of resources. As i'm reading odems ICND2 book (second edition), on page 242, there is a diagram and it says something to the effect of 'if you apply the acl on the outgoing interface of the router closest to the sending host, a link could go down, the network can converge, and your host could have access to the forbidden resource. Wouldn't it be better just to put it on the router closest to the destination resource?
Standard ACLs should be placed closest to the destination (i.e., outbound int of router closest to destination). The reason for this is to allow other possible traffic from the subnet/host you are trying to filter (e.g., want to deny traffic to one subnet, but permit it to another).
I think what Odom is trying to demonstrate is that you should place the ACL closest to the destination (in agreement with you). Odom notes placing the ACL on the outbound interface of the router closest to the source means the traffic has to be routed through that interface (S0/0) in order to be reviewed by the ACL. So, if the ACL is on int s0/0 and a better route if found through int S0/1, then the packets won't ever be reviewed by the ACL (which is on int S0/0) as they won't be routed through that interface.Work in progress: picking up Postgres, elastisearch, redis, Cloudera, & AWS.
Next up: eventually the RHCE and to start blogging again.
Control Protocol; my blog of exam notes and IT randomness -
Options
apr911
Member Posts: 380 ■■■■□□□□□□
For testing purposes, dont know that Cisco really cares how the ACLs are applied just as long as they are applied in the correct manner to do what is asked.
Personally, I disagree with using outbound ACLs on the interface closest to the destination. As has already been noted, if you have 2 provider networks coming in, there is the possibility that you can route out a different interface and get to the restricted host. Additionally, all traffic will traverse your device before being stopped by an access-list which can tie up cpu cycles because the routing decision has been made and the packet recreated before being caught by the ACL.
I prefer inbound ACLs on the interface closest to the source. It stops the traffic from traversing the host which means no overhead choosing routes and reforming the packets before being caught.Currently Working On: Openstack
2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP -
OptionsGreenmet29
Member Posts: 240
Ok.. so on page 250 in example 1, my first thought (before I looked at the config used) was to put an ACL on R2 that looked something like this:
int e0 ip access-group 150 in access-list 150 deny tcp host 172.16.2.10 host 172.16.1.100 eq 80 access-list 150 permit ip any any
and then have another ACL on R3, something to the effect of:int e0 ip access-group 150 in access-list 150 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq 21 access-list 150 permit ip any any
The reason I would do this is to minimize the amount of wasted bandwidth/processor cycles on the network. Would this be incorrect? I understand that he probably does it just so that it's only on one router, but cisco recommends that you place an extended acl as close to the source as possible, which would be what I suggest. Maybe i'm just too **** about things
-
OptionsGreenmet29
Member Posts: 240
Personally, I disagree with using outbound ACLs on the interface closest to the destination. As has already been noted, if you have 2 provider networks coming in, there is the possibility that you can route out a different interface and get to the restricted host. Additionally, all traffic will traverse your device before being stopped by an access-list which can tie up cpu cycles because the routing decision has been made and the packet recreated before being caught by the ACL.
I don't understand this... if I put a standard acl on the outbound int closest to the host, how is there any possibility that it would be allowed through? I can see if you said "Personally, I disagree with using outbound ACLs on the interface closest to the source".I prefer inbound ACLs on the interface closest to the source. It stops the traffic from traversing the host which means no overhead choosing routes and reforming the packets before being caught.
I think you're speaking of extended ACLs.. In the OP I was referring to standard ACLs. If I put a standard ACL incoming on the int closest to the source, it would deny that host of everything that is out that interface. -
OptionsGreenmet29
Member Posts: 240
Greenmet29 wrote: »Ok.. so on page 250 in example 1, my first thought (before I looked at the config used) was to put an ACL on R2 that looked something like this:
int e0 ip access-group 150 in access-list 150 deny tcp host 172.16.2.10 host 172.16.1.100 eq 80 access-list 150 permit ip any any
and then have another ACL on R3, something to the effect of:int e0 ip access-group 150 in access-list 150 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq 21 access-list 150 permit ip any any
The reason I would do this is to minimize the amount of wasted bandwidth/processor cycles on the network. Would this be incorrect? I understand that he probably does it just so that it's only on one router, but cisco recommends that you place an extended acl as close to the source as possible, which would be what I suggest. Maybe i'm just too **** about things
Maybe I'll read the next page before posting next time