Question

ACL - protect VE's IP - how?

  • 30 January 2019
  • 4 replies
  • 342 views

hi guys
I have a vlanAA with an interface IP, say 10.1.1.1, which is an uplink to the "outside"
I have more vlans in my logical chassis.

How can I protect (deny) 10.1.1.1 from/against the outside, or anybody for that matter, except for maybe allowing a MAC/IP - that would be ACLs, right?

I'm fiddling with extended ACL.
1 permit tcp IPa IPb
2 deny tcp any any
3 permit udp IPa IPb
4 deny udp any any
But that does not seem to get me what I hoped.

many thanks.

4 replies

Pawel,

Yes, to best protect your device from outside access, the use of an ACL would be recommended. There are a few different types of ACLs; MAC, L3 (IPv4/6), rACL, SNMP, ARP, etc.

I would recommend reviewing the NOS Security Config guide for full details.

In general, once creating your ACL you will need to then apply it to the interface you want to protect; physical interface, VE, or Port-Channel, and in which direction the ACL should filter, in (ingress) or out (egress). The exceptions are with rACL, SNMP which apply globally.

You can have a mix of L2 (MAC) and L3 ACLs on an interface, but not multiples in each direction:

– One ingress MAC ACL—if the interface is in switchport mode
– One egress MAC ACL—if the interface is in switchport mode
– One ingress IPv4 ACL
– One egress IPv4 ACL
– One ingress IPv6 ACL
– One egress IPv6 ACL

Lastly, please keep in mind that for L2 ACLs there is an implicit "permit" at the end of every ACL, meaning if the traffic does not match any of the rules, it is allowed or "matched" by this implicit rule. With that said, for L3 ACLs there is an implicit "deny" statement at the end of every ACL, so if the traffic does not match any permit rule it will be dropped by default.

I hope this helps

Mike Morey
Hi Pawel,

Also keep in mind that for packets going to local control plane you might need to use "hard-drop" instead of "deny".

Many thanks,
Sargis
I really can't get the grasp of these rules. I wish there were more examples in the manual doc.
I'm trying this:

code:
ip access-list extended deny_10-5-8-1
seq 10 permit tcp host 10.5.8.49 host 10.5.8.254
seq 20 deny tcp any host 10.5.8.1
seq 30 permit udp host 10.5.8.49 host 10.5.8.254
seq 40 deny udp any host 10.5.8.1
seq 50 permit icmp any any
seq 60 permit tcp any any
seq 70 permit udp any any


and I apply it to the rb1 VE iface, yet anybody seems to just get to 10.5.8.254 no problem.
How does this not work?
Or is it that simply ACLs do not work when applied to VEs?
In my setup 10.5.8.254 is the VE's IP.
But if that is the case then... it is pointless... so, no. It must be possible somehow to deny traffic to the VE's IP..
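To make the first-match semantics of the posted ACL and the L2-versus-L3 implicit-rule point from Mike's reply concrete, here is a small ACL simulator. It is an added example written for this thread, not code from the thread, from the NOS documentation or from the switch itself. It walks the rules in ascending seq order, returns the first rule whose protocol, source and destination all match, and falls back to the implicit rule otherwise (deny for an L3 ACL, permit for an L2 ACL). The outside host 10.5.8.7 and the VARIANT_ACL, whose deny entries name the VE address 10.5.8.254 instead of 10.5.8.1, are assumptions made here to show the difference in match order; the simulator does not model control-plane handling (the "deny" versus "hard-drop" point Sargis raised) or which interface the ACL is bound to.

```python
"""First-match ACL simulator (added example; not NOS code).

Rules are evaluated in ascending seq order; the first rule whose protocol,
source and destination all match decides the verdict.  If nothing matches,
the implicit rule applies: deny for L3 (IP) ACLs, permit for L2 (MAC) ACLs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp", "icmp" or "ip" ("ip" matches every protocol)
    src: str      # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str


def _take_addr(tokens: list[str]) -> tuple[str, list[str]]:
    """Consume one address spec ('any', 'host X' or 'X/len') from the token list."""
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return tokens[0], tokens[1:]


def _match_addr(spec: str, addr: str) -> bool:
    """True if the packet address matches the rule's address spec."""
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == ipaddress.ip_address(spec.split()[1])
    return ip in ipaddress.ip_network(spec, strict=False)


def parse_acl(text: str) -> list[Rule]:
    """Parse 'seq N permit|deny PROTO SRC DST' lines; other lines (the header) are skipped."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "seq":
            continue
        seq, action, proto = int(parts[1]), parts[2], parts[3]
        src, rest = _take_addr(parts[4:])
        dst, _ = _take_addr(rest)
        rules.append(Rule(seq, action, proto, src, dst))
    return sorted(rules, key=lambda r: r.seq)


def evaluate(rules: list[Rule], proto: str, src: str, dst: str,
             layer3: bool = True) -> tuple[str, Optional[int]]:
    """Return (verdict, seq of the deciding rule); seq is None when the implicit rule decided."""
    for r in rules:
        if r.proto not in (proto, "ip"):
            continue
        if _match_addr(r.src, src) and _match_addr(r.dst, dst):
            return r.action, r.seq
    return ("deny" if layer3 else "permit"), None


def trace(acl_text: str, proto: str, src: str, dst: str,
          layer3: bool = True) -> tuple[str, Optional[int]]:
    """Parse and evaluate in one call."""
    return evaluate(parse_acl(acl_text), proto, src, dst, layer3)


# The ACL exactly as posted in the thread.
POSTED_ACL = """
ip access-list extended deny_10-5-8-1
seq 10 permit tcp host 10.5.8.49 host 10.5.8.254
seq 20 deny tcp any host 10.5.8.1
seq 30 permit udp host 10.5.8.49 host 10.5.8.254
seq 40 deny udp any host 10.5.8.1
seq 50 permit icmp any any
seq 60 permit tcp any any
seq 70 permit udp any any
"""

# Assumed variant (not from the thread): the deny entries name the VE address.
VARIANT_ACL = """
seq 10 permit tcp host 10.5.8.49 host 10.5.8.254
seq 20 deny tcp any host 10.5.8.254
seq 30 permit udp host 10.5.8.49 host 10.5.8.254
seq 40 deny udp any host 10.5.8.254
seq 50 permit icmp any any
seq 60 permit tcp any any
seq 70 permit udp any any
"""

if __name__ == "__main__":
    # Constructed sample flows; 10.5.8.7 stands in for an arbitrary outside host.
    for name, acl in (("posted", POSTED_ACL), ("variant", VARIANT_ACL)):
        for proto, src, dst in (("tcp", "10.5.8.7", "10.5.8.254"),
                                ("tcp", "10.5.8.7", "10.5.8.1"),
                                ("tcp", "10.5.8.49", "10.5.8.254")):
            print(f"{name}: {proto} {src} -> {dst}: {trace(acl, proto, src, dst)}")
```

Running it shows that, under the posted ACL, a TCP flow from 10.5.8.7 to 10.5.8.254 is not touched by seq 20 (which names 10.5.8.1) and is permitted by seq 60, while the same flow against the assumed variant stops at seq 20. The last two cases in the test illustrate Mike's point: with no trailing permit-any, an unmatched flow is dropped by an L3 ACL's implicit deny but allowed by an L2 ACL's implicit permit.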
