Sometimes I see questions about which direction an ACL must be applied in for traffic filtering on network equipment.
Suppose a PC is located in the network 10.0.10.0/24 and a DNS server in 10.0.20.0/24, with a router (SVIs VLAN10 and VLAN20) between them. See the picture.
It is important to understand which ACL is consulted at each stage. We assume the ACLs are not reflexive (i.e. they are stateless), so they must explicitly permit both the request and the reply.
The information exchange follows this route:
- The PC generates a UDP packet with source port >1024 (an ephemeral port) and destination port 53.
- From the router's point of view this packet is incoming on interface VLAN10, so it is inspected by ACL_VLAN10_in.
- The routing table forwards the packet to the destination interface VLAN20.
- The packet is outgoing on the VLAN20 interface, so it is analyzed by that interface's outbound ACL (ACL_VLAN20_out).
- The DNS request reaches the server and is processed. The DNS reply is sent in a UDP packet with source port 53 and destination port >1024 (the same port the request came from).
- The reply is checked against ACL_VLAN20_in.
- The routing table sends the packet out via the VLAN10 interface.
- The packet is checked by ACL_VLAN10_out.
- The PC receives the reply.
ACL_VLAN10_in
10 permit udp <PC> gt 1024 <DNS_server> eq 53
ACL_VLAN10_out
10 permit udp <DNS_server> eq 53 <PC> gt 1024
ACL_VLAN20_in
10 permit udp <DNS_server> eq 53 <PC> gt 1024
ACL_VLAN20_out
10 permit udp <PC> gt 1024 <DNS_server> eq 53
As we can see, in this particular case the ACLs are pairwise identical:
ACL_VLAN10_in = ACL_VLAN20_out
ACL_VLAN10_out = ACL_VLAN20_in
Of course, in a production environment the ACLs will not be fully identical; only the entries describing the interconnection between the two networks will be. Two practical caveats: every ACL ends with an implicit deny, so a forgotten return-path entry (for example, no permit in ACL_VLAN10_out) silently drops the reply while the request still gets through; and "gt 1024" is only a loose approximation of the client's ephemeral port range. Resolvers also fall back to TCP port 53 for answers that do not fit in a UDP datagram, so a real rule set needs matching TCP entries in the same four places.
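The walk above, as an added example that is not part of the original post: a small Python model of a stateless router with the four ACLs, which pushes the request and the reply through the inbound ACL of the ingress SVI, the routing lookup and the outbound ACL of the egress SVI. The host addresses, the packet and ACE representation, and all function names are assumptions; only the two networks and the four ACL names come from the post. It also shows what the implicit deny does when the return-path entry is missing.

```python
"""Stateless ACL walk for the DNS exchange between VLAN 10 and VLAN 20.

Added illustration, not code from the original post. The PC and server
addresses, the SVI/routing model and all helper names are assumptions;
only the networks and the four ACL names are taken from the post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PC = "10.0.10.10"          # constructed: a host in 10.0.10.0/24
DNS_SERVER = "10.0.20.53"  # constructed: the server in 10.0.20.0/24

# Connected routes: destination network -> SVI the router forwards out of.
ROUTES = {ip_network("10.0.10.0/24"): "VLAN10",
          ip_network("10.0.20.0/24"): "VLAN20"}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-control entry in IOS order: action proto src sport dst dport.
    Port specs are ("eq", n), ("gt", n) or ("any",)."""
    action: str
    proto: str
    src: str
    sport: tuple
    dst: str
    dport: tuple

    @staticmethod
    def _port_ok(spec, port):
        op, *arg = spec
        return {"eq": lambda: port == arg[0],
                "gt": lambda: port > arg[0],
                "any": lambda: True}[op]()

    def matches(self, p):
        return (p.proto == self.proto and p.src == self.src and p.dst == self.dst
                and self._port_ok(self.sport, p.sport)
                and self._port_ok(self.dport, p.dport))


def evaluate(acl, pkt):
    """First matching entry decides; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


# The four ACLs from the post, one entry each, no reflexive/established entries.
ACLS = {
    "ACL_VLAN10_in":  [Ace("permit", "udp", PC, ("gt", 1024), DNS_SERVER, ("eq", 53))],
    "ACL_VLAN10_out": [Ace("permit", "udp", DNS_SERVER, ("eq", 53), PC, ("gt", 1024))],
    "ACL_VLAN20_in":  [Ace("permit", "udp", DNS_SERVER, ("eq", 53), PC, ("gt", 1024))],
    "ACL_VLAN20_out": [Ace("permit", "udp", PC, ("gt", 1024), DNS_SERVER, ("eq", 53))],
}


def svi_for(addr):
    """Routing lookup: which SVI a given address lives behind."""
    for net, svi in ROUTES.items():
        if ip_address(addr) in net:
            return svi
    raise ValueError(f"no route to {addr}")


def forward(pkt, acls=ACLS):
    """Walk one packet through the router: inbound ACL of the ingress SVI,
    routing lookup, outbound ACL of the egress SVI. Returns the ACL names
    that inspected the packet and whether it was delivered."""
    checked = []
    for name in (f"ACL_{svi_for(pkt.src)}_in", f"ACL_{svi_for(pkt.dst)}_out"):
        checked.append(name)
        if not evaluate(acls.get(name, []), pkt):
            return checked, False
    return checked, True


def dns_exchange(acls=ACLS, sport=49152):
    """Request from the PC, then the reply with source/destination swapped."""
    request = Packet("udp", PC, sport, DNS_SERVER, 53)
    reply = Packet("udp", DNS_SERVER, 53, PC, sport)
    req_path, ok = forward(request, acls)
    if not ok:
        return req_path, False
    rep_path, ok = forward(reply, acls)
    return req_path + rep_path, ok


if __name__ == "__main__":
    print(dns_exchange())
    # Forget the return-path entry on VLAN10: the request still gets through,
    # the reply is dropped by the implicit deny in ACL_VLAN10_out.
    print(dns_exchange(dict(ACLS, ACL_VLAN10_out=[])))
```

Because the ACEs are plain data (no lambdas inside), the pairwise identity from the post can be checked directly: ACLS["ACL_VLAN10_in"] == ACLS["ACL_VLAN20_out"] evaluates to True, and so does the other pair.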
I hope this message will be useful and helpful.