Wednesday, 27 April 2016

Routing and ACL direction

Sometimes I see questions about which direction an ACL must be applied in to filter traffic on network equipment.

Let's suppose a case where a PC is located in the network 10.0.10.0/24 and a DNS server in the network 10.0.20.0/24. See the picture.

It is important to understand which ACL is consulted at each stage. We assume that the ACLs are not reflexive (they keep no connection state), so they must explicitly permit both the requests and the replies.

The information exchange follows this route:
  1. A UDP packet with src port >1024 and dst port 53 is generated by the PC.
  2. From the router's point of view this packet is inbound on interface VLAN10, so it is inspected by ACL_VLAN10_in.
  3. The routing table forwards the packet to the destination interface VLAN20.
  4. The packet is outbound on the VLAN20 interface, so it is checked by that interface's outbound ACL (ACL_VLAN20_out).
  5. The DNS request reaches the server and is processed. The DNS reply is sent in a UDP packet with src port 53 and dst port >1024 (the same port the request came from).
  6. The reply is checked by ACL_VLAN20_in.
  7. The routing table sends the packet out via the VLAN10 interface.
  8. The packet is checked by ACL_VLAN10_out.
  9. The PC receives the reply.
So the ACLs must be constructed as follows (syntax may vary):

ACL_VLAN10_in
 10 permit udp <PC> gt 1024 <DNS_server> eq 53
ACL_VLAN10_out
 10 permit udp <DNS_server> eq 53 <PC> gt 1024
ACL_VLAN20_in
 10 permit udp <DNS_server> eq 53 <PC> gt 1024
ACL_VLAN20_out
 10 permit udp <PC> gt 1024 <DNS_server> eq 53

As we can see, in this particular case the ACLs are pairwise identical:

ACL_VLAN10_in = ACL_VLAN20_out
ACL_VLAN10_out = ACL_VLAN20_in

In a production environment the ACLs will of course not be fully identical; only the entries describing traffic between the two networks will mirror each other in this way.
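The walk-through above can be checked with a small stateless ACL simulator. This is an added example, not code from the original post; it assumes a PC at 10.0.10.10 and a DNS server at 10.0.20.10 (constructed addresses inside the two networks), models the four ACLs exactly as written above, and then shows what happens when the reply entry is missing from one of them.

```python
from ipaddress import ip_address, ip_network

# Constructed hosts inside the two networks from the post (assumed addresses).
PC = ip_address("10.0.10.10")
DNS_SERVER = ip_address("10.0.20.10")
VLAN10 = ip_network("10.0.10.0/24")
VLAN20 = ip_network("10.0.20.0/24")
# Port specs as inclusive (lo, hi) ranges: 'gt 1024' and 'eq 53' from the post.
GT1024, EQ53 = (1025, 65535), (53, 53)

# The four stateless ACLs from the post, keyed by (interface, direction).
# Each entry is a 'permit udp' ACE: (src, src_ports, dst, dst_ports).
ACLS = {
    ("VLAN10", "in"):  [(PC, GT1024, DNS_SERVER, EQ53)],
    ("VLAN20", "out"): [(PC, GT1024, DNS_SERVER, EQ53)],
    ("VLAN20", "in"):  [(DNS_SERVER, EQ53, PC, GT1024)],
    ("VLAN10", "out"): [(DNS_SERVER, EQ53, PC, GT1024)],
}

def permitted(acl, pkt):
    """Stateless check: first matching permit wins, implicit deny otherwise."""
    src, sport, dst, dport = pkt
    for a_src, (slo, shi), a_dst, (dlo, dhi) in acl:
        if src == a_src and dst == a_dst and slo <= sport <= shi and dlo <= dport <= dhi:
            return True
    return False

def egress_interface(dst):
    """Toy routing table: the SVI whose subnet contains the destination."""
    return "VLAN10" if dst in VLAN10 else "VLAN20" if dst in VLAN20 else None

def route_packet(acls, pkt, ingress):
    """Ingress ACL, then routing, then egress ACL (steps 2-4 and 6-8 of the post)."""
    if not permitted(acls[(ingress, "in")], pkt):
        return f"dropped by ACL_{ingress}_in"
    egress = egress_interface(pkt[2])
    if not permitted(acls[(egress, "out")], pkt):
        return f"dropped by ACL_{egress}_out"
    return f"forwarded via {egress}"

def dns_exchange(acls, client_port=40000):
    """Send the request and its matching reply through the router; return both outcomes."""
    request = (PC, client_port, DNS_SERVER, 53)
    reply = (DNS_SERVER, 53, PC, client_port)
    return route_packet(acls, request, "VLAN10"), route_packet(acls, reply, "VLAN20")

if __name__ == "__main__":
    print(dns_exchange(ACLS))
    # Forget the reply entry on VLAN20 in: the request still passes, but the reply is lost.
    print(dns_exchange({**ACLS, ("VLAN20", "in"): []}))
```

Dropping either reply-direction entry produces the classic symptom of a stateless ACL mistake: the request is seen by the server, but the client times out.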

I hope this post will be useful.
