[c-nsp] acl to block traffic one way
Roland Dobbins
rdobbins at cisco.com
Sat Mar 24 22:35:34 EST 2007
On Mar 24, 2007, at 8:10 PM, Dan wrote:
> I was wondering if there would be a way to block traffic one way on a
> 3560 switch. I would like to block any traffic from 192.168.1.0/24
> from
> seeing anything 192.168.75.0/24. But I would like to be able to have
> the reverse possible.
If your platform supports ACLs, sure. ACLs are applied to interfaces
directionally. So, you'd have the permit on the side from which
traffic from the permitted source network is applied (or applied
outbound on the interface facing the destination network, but the
former's the better way to go) and that's that.
Out of curiosity, what's your application? Typically, TCP/IP
communications require some bidirectionality for any meaningful use,
even it it's restricted.
>
> Also is there a way to insert a line into an access list?
ACLs should be composed offline using a text-editor or script or
provisioning system, not typed by hand directly into a device. It's
also a good idea to keep them versioned; rcs is available on all the
free *NIXes, I'd suggest getting started using that plus the text
editor of your choice.
One technique some folks use to update ACLs is that they've actually
two versions of an ACL for each relevant interface, and they flip-
flop them. So, if you have ACL 110 applied inbound on fa0/1, you'd
also have ACL 120 in the config of the device, but not applied at the
interface (ACL 110 would be applied and active on the interface).
You'd check ACL 120 out of RCS, modify it, and then copy it over to
the device, then go into the interface configuration sub-mode for the
relevant interface and then change the ACL line to reflect ACL 120 as
the current/applied ACL, and ACL 110 would then be the inactive/
rollover ACL.
ACLs should also be constructed in a modular fashion, with more
static sections for rarely-updated policies, and a dynamic section
used for reaction and other types of more dynamic changes. Pay close
attention to the fall-through of the ACL so as to guard against
problems such as early permit statements masking later denies, or
vice versa. Any platform-specific ACL construction considerations
should also be taken into account and documented in comments in the
ACL file (I strongly recommend that you heavily comment your ACL
files so that it's easy for folks to figure out the intended purpose
of each section/stanza).
It's also a good idea to consider a) using DNS names for /32s in ACLs
*where appropriate* in order to make the intent that much clearer,
deal with hosts which end up being renumbered, etc., and b) using a
script to *perform the DNS lookups on the ACL file and substitute the
appropriate IP addresses just prior to copying them over to the
router* (expecting the router do this can be a bad idea, for a number
of reasons). An alternative to DNS names for /32s is strong
commenting, but you'll end up with more comments; and, of course,
sometimes there are /32s which need to go into ACLs which for one
reason or another don't have DNS mappings. This is very
situationally-specific, just something to think about.
Note that comments ('!') are different from remarks ('rem'); the
former don't show up in the router config, the latter do.
Personally, I hate seeing rems in configs because it makes them
harder to parse via sh commands, but that's something you should
decide for yourself.
It seems like a simple thing, but I've found ACL construction and
maintenance/version control to be a big issue for lots of
organizations. Taking the time to think through some of the issues
denoted above and determining what's best for your network can end up
making it a lot easier to maintain ACLs long-term, as well as making
the update process more efficient and less prone to operator error.
My $.02, FWIW.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
Words that come from a machine have no soul.
-- Duong Van Ngo
More information about the cisco-nsp
mailing list