Posted by Michael Letchworth on June 15, 2008, 1:09 am
Thanks! A few more questions.
Peter wrote:
> Hi Michael,
>
>> Can you put an access list on any interface whether it has an IP or not?
>
> Yes; however, be aware that it can depend on what TYPE of ACL you want
> to use, some are restricted to the mode of use of the interface. E.g. a
> MAC ACL (i.e. 7xx) only works on interfaces in Layer 2 mode (that CANNOT
> have an IP). However a Layer 3 ACL will work on a Layer 3 interface
> regardless of it being unnumbered or not.
So if I have an interface trunking VLANs, can I apply an ACL on it?
Basically I have a 6500 as our core switch that connects all our
buildings together, then this trunked interface connects to our server
switch (Extreme). I'd rather keep all the ACLs in the Cisco.
>
>
>> Does it matter if the port is in access or routing mode?
>
> No.
>
>> Another thing that confuses me is whether you apply the ACL in or out?
>
> While either works, the generally accepted practice is to apply an ACL
> INBOUND on an interface. This means that the CPU/chipset only ever
> gets to see data that is wanted, and not data that is later dropped.
> HOWEVER, see the following 2 replies!
>
>> Let's say I have several VLANs but I don't want this particular VLAN to
>> access another VLAN except for port 80. Do I block all IP except
>> port 80 going into my interface, or block it going out of the VLAN?
>
> If the ACL is to apply to multiple interfaces that are all members of
> a single VLAN, then put the ACL on the VLAN. Fewer ACL application
> points are better than multiple ACL application points.
>
>> Another problem I have is: what if I have a VLAN with all my servers on it
>> and 10 others with workstations and printers? I only want to allow ports
>> 445,135-7 to the servers VLAN, but I want the servers VLAN full IP access
>> to the workstations and printers. Do I put the ACL on the outbound of the
>> servers VLAN or the ACL on the inbound?
>
> The key here is the part that reads -
> "I only want to allow ports 445,135-7 to the servers VLAN"
> In this case I would apply the ACL OUTBOUND on the Server VLAN. This
> ensures all workstation VLANs are handled regardless of which SOURCE
> VLANs are used. Then you need to ensure this is exactly what you
> want....;-)
Just out of curiosity, if a workstation sent a denial of service to the
server's IP on the servers VLAN, would it affect the server? If outbound
was blocked on the server VLAN, does that mean that data is allowed into
the VLAN but no return packet?
>
>> Last:
>> What will the IOS with the firewall feature give over the standard IOS?
>
> Firewall IOS looks more towards general network use than pure data
> packets, i.e. its rules apply to a particular conversation. It used to
> be called CBAC - Context Based Access Control, which I thought
> describes what it does quite well. It applies a set of logical data
> flow rules around a conversation between 2 points, so it needs to know
> how specific protocols work, and allows you to provide limitations to
> that TYPE of traffic to try and ensure that flow is valid and follows
> expectations. My feeling is that it's more designed to catch UNNATURAL
> or irregular conversations, rather than specific issues as such. I
> would definitely NOT use Firewall IOS as a full-featured firewall; it
> is not designed for that.
>
> Cheers................pk.
>
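The "ACL outbound on the server VLAN" design Peter describes, written out as an IOS configuration. This is an added example, not from either poster: VLAN 10, the 10.10.0.0/24 server subnet and the 6500's SVI address are made-up values, and the `established` line is an assumption about how replies to server-initiated connections should be let back in.

```cisco
! Constructed example: server VLAN is VLAN 10 (10.10.0.0/24) on the 6500.
! "out" on the SVI filters packets routed INTO the server VLAN, whatever
! workstation VLAN they came from; traffic the servers send out toward the
! workstations passes through the SVI in the "in" direction and is not
! touched by this ACL, which is why the servers keep full access outbound.
ip access-list extended TO-SERVERS
 remark Ports as given in the thread (445, 135-137), TCP and UDP
 permit tcp any 10.10.0.0 0.0.0.255 eq 445
 permit tcp any 10.10.0.0 0.0.0.255 range 135 137
 permit udp any 10.10.0.0 0.0.0.255 range 135 137
 remark Assumption: replies to TCP sessions the servers opened to workstations
 permit tcp any 10.10.0.0 0.0.0.255 established
 remark Everything else into the server VLAN is dropped (ICMP, DNS, RDP, ...)
 deny ip any any
!
interface Vlan10
 description Servers VLAN
 ip address 10.10.0.1 255.255.255.0
 ip access-group TO-SERVERS out
```

Check the result with `show ip access-lists TO-SERVERS` after some traffic has flowed: hit counts on the deny line show what the "ensure this is exactly what you want" step is catching, and a flood aimed at a permitted port (445) still reaches the servers because the ACL only filters by port, not by rate.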