[f-nsp] Inbound only ACLs

Frankie John-Lewis fjohn-lewis at odlsecurities.com
Thu May 6 03:56:24 EDT 2010


For the case you have put, follow the data.

Your src IP address is always going to be coming from the 50 subnet, as traffic from the 50 subnet can only leave through ve 50. Therefore, if you apply the access list on the VE, the traffic is being filtered as incoming traffic into the VE.

Therefore access list trial 1 would work correctly.



----- Original Message -----
From: foundry-nsp-bounces at puck.nether.net <foundry-nsp-bounces at puck.nether.net>
To: foundry-nsp at puck.nether.net <foundry-nsp at puck.nether.net>; hidden at xmission.com <hidden at xmission.com>
Sent: Wed May 05 23:47:09 2010
Subject: [f-nsp] Inbound only ACLs

As you know, many of the newer Brocade products only offer inbound ACLs. When applying some recently I ran into results that I did not expect and was hoping for some help. I am applying these to the VE entity that is associated with the VLAN and my goal is to isolate that VLAN except for a few hosts and services. My understanding is that when considering ACLs, you should place yourself within the router when evaluating the inbound vs outbound traffic flow. In this case I am the VE 50 inside of the router, so I would assume that my "incoming" should be the packets that do not have my subnet source address. Which of the two ACL lists is correct for this application? Is there a better way to do this?

I am attempting to allow two host addresses to access 50 from subnets 8 and 6, and all of the 18 subnet to access subnet 50. The goal is to also restrict any hosts from 50 from initiating a connection to anything other than the two hosts and the single subnet.

List applied at VE

interface ve 50
  ip address 10.4.50.1/24
  ip access-group SubNet-50 in


List Trial One

ip access-list extended SubNet-50
   permit ip 10.4.50.0/24 host 10.4.8.5
   permit ip 10.4.50.0/24 host 10.4.6.9
   permit ip 10.4.50.0/24 10.4.18.0/24

List Trial Two

ip access-list extended SubNet-50
   permit ip host 10.4.8.5 10.4.50.0/24
   permit ip host 10.4.6.9 10.4.50.0/24
   permit ip 10.4.18.0/24 10.4.50.0/24


_______________________________________________
foundry-nsp mailing list
foundry-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/foundry-nsp
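The direction question in the thread (which of the two trial lists an inbound ACL on ve 50 actually matches) can be checked by simulating the list against a handful of packets. The script below is an added example, not code from the original post and not Brocade/Foundry code. It assumes the usual extended-ACL semantics as stated in its docstring (top-down first match, implicit deny at the end, and an "in" list on a VE only seeing packets that arrive from that VE's own VLAN); the packets are constructed for illustration, and only "ip" rules are modelled, so matching is by source and destination address.

```python
"""Added example, not code from the original post or from Brocade/Foundry.

It models how an ACL applied "in" on ve 50 sees traffic, so the two trial
lists can be compared on the same constructed packets. Assumptions (stated
here, not taken from the post): rules are matched top-down, first match
wins; every list ends in an implicit "deny any"; an inbound ACL on a VE
only sees packets that arrive from that VE's own VLAN, i.e. packets whose
source is on 10.4.50.0/24; only "ip" rules are modelled, so matching is by
source and destination address.
"""
import ipaddress

# The two lists from the post, parsed from text rather than retyped.
TRIAL_ONE = """
ip access-list extended SubNet-50
   permit ip 10.4.50.0/24 host 10.4.8.5
   permit ip 10.4.50.0/24 host 10.4.6.9
   permit ip 10.4.50.0/24 10.4.18.0/24
"""

TRIAL_TWO = """
ip access-list extended SubNet-50
   permit ip host 10.4.8.5 10.4.50.0/24
   permit ip host 10.4.6.9 10.4.50.0/24
   permit ip 10.4.18.0/24 10.4.50.0/24
"""

VE50 = ipaddress.ip_network("10.4.50.0/24")   # interface ve 50 (10.4.50.1/24)
NOT_SEEN = "not filtered on ve 50"             # packet entered on another VE

# Constructed packets for illustration (src, dst); not captured traffic.
PACKETS = [
    ("10.4.50.20", "10.4.8.5"),   # VLAN 50 host -> one of the two allowed hosts
    ("10.4.50.20", "10.4.18.7"),  # VLAN 50 host -> the allowed subnet
    ("10.4.50.20", "10.4.9.9"),   # VLAN 50 host -> anything else
    ("10.4.8.5", "10.4.50.20"),   # reply from the allowed host back into 50
    ("10.4.9.9", "10.4.50.20"),   # some other subnet sending into 50
]


def _addr(tokens, i):
    """Read one address spec at tokens[i]: 'host A', 'any', or 'A/len'."""
    tok = tokens[i]
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(tok, strict=False), i + 1


def parse_acl(text):
    """Turn 'permit|deny ip <src> <dst>' lines into (action, src, dst) rules.
    The 'ip access-list extended ...' header and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        src, i = _addr(tokens, 2)          # tokens[1] is the protocol ("ip")
        dst, _ = _addr(tokens, i)
        rules.append((tokens[0], src, dst))
    return rules


def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end of the list."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, snet, dnet in rules:
        if src in snet and dst in dnet:
            return action
    return "deny"


def ve50_inbound(rules, src_ip, dst_ip):
    """Verdict for a packet as seen by 'ip access-group SubNet-50 in' on ve 50.
    A packet not sourced from 10.4.50.0/24 arrived on some other VE and is
    never evaluated by this list at all."""
    if ipaddress.ip_address(src_ip) not in VE50:
        return NOT_SEEN
    return evaluate(rules, src_ip, dst_ip)


def run(acl_text, packets=PACKETS):
    """Apply one trial list to every constructed packet, in order."""
    rules = parse_acl(acl_text)
    return [ve50_inbound(rules, s, d) for s, d in packets]


if __name__ == "__main__":
    for name, text in (("Trial One", TRIAL_ONE), ("Trial Two", TRIAL_TWO)):
        print(name)
        for (s, d), verdict in zip(PACKETS, run(text)):
            print(f"  {s:>11} -> {d:<11} {verdict}")
```

Under these assumptions Trial Two returns only "deny" for the three packets it sees: everything that hits an inbound list on ve 50 carries a 10.4.50.x source, and none of its rules name that as the source. Trial One permits the three intended destinations and drops the rest by the implicit deny. The last two packets show the limit of a single inbound list: a packet sent into subnet 50 from elsewhere enters on another VE and is not filtered here, so the list constrains what VLAN 50 hosts may send (replies included), not what may be sent to them, and with plain "ip" rules it cannot tell who initiated the connection.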