04-03-2017 12:25 PM
I am trying to implement some security on an interface by assigning an access group to it.
My config is:
#sh access-list 99
Standard IP access list 99 : 7 entry
deny 172.16.100.0 0.0.0.255
deny 172.16.101.0 0.0.0.255
deny 172.16.102.0 0.0.0.255
deny 172.16.103.0 0.0.0.255
deny 172.16.104.0 0.0.0.255
deny 172.16.105.0 0.0.0.255
And for my specific interface:
interface ethernet 1/1/12
ip access-group 99 in
I tested a workstation with an IP address of 172.16.101.x and it was still able to communicate with the interface's device.
04-04-2017 05:49 AM
I think the problem may have to do with the direction of the traffic and, therefore, what the source address is.
From your post, I believe that the device you want to secure is attached to eth 1/1/12 and that your workstation is on some other interface. If this is the case then read on.
At the moment you have an inbound standard ACL configured. A standard ACL only matches source IP addresses, so what the switch will do is look for a match against the source address of all inbound packets.
In this case the source address would just be the device attached to that interface, so the packet will match the permit any clause.
There are a number of ways to correct this.
The first is to apply the ACL as an outbound ACL - some switches don't support outbound ACLs.
Alternatively, change the ACL to an extended ACL and configure the destination IP addresses, which will prevent the reply packets from reaching your workstation (and other prohibited devices). This is not ideal since the initial packets would still be hitting the device which you want to secure.
The third method would be to configure extended ACLs on the interfaces which connect back to the subnets/devices which you want to prevent from gaining access to your secured device. This method is more tricky to manage, as you will need to specify both source and destination addresses in the ACLs, and as the number of secure devices increases your ACLs will become increasingly larger.
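To make the direction/source-address point concrete, here is an added simulation (not code from either poster or from the switch vendor) of first-match ACL evaluation with wildcard masks. It replays the poster's ACL 99 inbound on e1/1/12, then the same ACL outbound, then the extended-ACL alternative. Assumptions: the seventh, unshown entry of ACL 99 is the 'permit any' the reply mentions, and the workstation and secured-device addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

def wc_match(addr: str, net: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

@dataclass
class Entry:
    action: str            # "permit" or "deny"
    src: str               # source network
    src_wc: str            # source wildcard mask
    dst: str = ""          # destination network: set only in an extended ACL
    dst_wc: str = "0.0.0.0"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        if not wc_match(src_ip, self.src, self.src_wc):
            return False
        # A standard ACL has no destination field, so a source match is a match.
        return not self.dst or wc_match(dst_ip, self.dst, self.dst_wc)

def evaluate(acl: list, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    return next((e.action for e in acl if e.matches(src_ip, dst_ip)), "deny")

def forward(src_ip, dst_ip, ingress_in=None, egress_out=None) -> str:
    """Apply the ingress port's 'in' ACL, then the egress port's 'out' ACL."""
    if ingress_in and evaluate(ingress_in, src_ip, dst_ip) == "deny":
        return "dropped inbound"
    if egress_out and evaluate(egress_out, src_ip, dst_ip) == "deny":
        return "dropped outbound"
    return "forwarded"

ANY = ("0.0.0.0", "255.255.255.255")
SUBNETS = [(f"172.16.{n}.0", "0.0.0.255") for n in range(100, 106)]
# ACL 99 from the post; its seventh, unshown entry is assumed to be 'permit any'.
ACL_99 = [Entry("deny", *s) for s in SUBNETS] + [Entry("permit", *ANY)]
# Extended alternative: deny anything addressed *to* the blocked subnets (reply traffic).
ACL_EXT = [Entry("deny", *ANY, *s) for s in SUBNETS] + [Entry("permit", *ANY, *ANY)]
WORKSTATION, SECURED = "172.16.101.25", "10.0.0.10"   # constructed addresses

def standard_inbound():
    """'ip access-group 99 in' on e1/1/12: request enters elsewhere unchecked; the reply's source is the device."""
    return forward(WORKSTATION, SECURED), forward(SECURED, WORKSTATION, ingress_in=ACL_99)

def standard_outbound():
    """Same ACL applied 'out' on e1/1/12: the request's own source is now what is matched."""
    return forward(WORKSTATION, SECURED, egress_out=ACL_99)

def extended_inbound():
    """Extended ACL 'in' on e1/1/12: the request still reaches the device, the reply does not."""
    return forward(WORKSTATION, SECURED), forward(SECURED, WORKSTATION, ingress_in=ACL_EXT)
```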