I sometimes see questions about which ACL direction is needed to filter traffic on network equipment.
Let's take a case where the PC is located in network 10.0.10.0/24 and the DNS server in 10.0.20.0/24 (see the picture).
It is important to understand which ACL is consulted at each stage. We assume the ACLs are not reflexive, so they must explicitly filter both the request and the reply.
The information exchange follows this route:
- The PC generates a UDP packet with source port >1024 and destination port 53.
- From the router's point of view this packet is inbound on interface VLAN10, so it is inspected by ACL_VLAN10_in.
- The routing table forwards the packet to the destination interface VLAN20.
- The packet is outbound on the VLAN20 interface, so it is checked by that interface's out-direction ACL (ACL_VLAN20_out).
- The DNS request reaches the server and is processed. The DNS reply is sent as a UDP packet with source port 53 and a destination port >1024 (the same port the request came from).
- The reply is inbound on VLAN20 and is checked by ACL_VLAN20_in.
- The routing table forwards the reply via the VLAN10 interface.
- The reply is outbound on VLAN10 and is checked by ACL_VLAN10_out.
- The PC receives the reply.
The resulting ACLs, one per interface and direction:
ACL_VLAN10_in
10 permit udp <PC> gt 1024 <DNS_server> eq 53
ACL_VLAN10_out
10 permit udp <DNS_server> eq 53 <PC> gt 1024
ACL_VLAN20_in
10 permit udp <DNS_server> eq 53 <PC> gt 1024
ACL_VLAN20_out
10 permit udp <PC> gt 1024 <DNS_server> eq 53
As we can see, in this particular case the ACLs are pairwise identical:
ACL_VLAN10_in = ACL_VLAN20_out
ACL_VLAN10_out = ACL_VLAN20_in
Clearly, in a production environment the ACLs will not be fully identical; only the entries describing the interconnection between the two networks will match.
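The following is an added example, not part of the original post, that simulates the four checks described above. It models the two-VLAN router, walks a DNS request and its reply through the ingress ACL, the routing decision and the egress ACL, and then goes one step further than the post: it removes the two reply-direction ACLs to show where a non-reflexive ACL set silently drops the answer. The host addresses 10.0.10.10 and 10.0.20.53 and the ephemeral port 40123 are constructed values, and the ACL model is deliberately simplified (exact host matches, no wildcard masks, only `eq`/`gt` port tests).

```python
"""Simulate the four ACL checks a DNS request/reply pair passes on a two-VLAN router."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PC = "10.0.10.10"          # constructed host address inside 10.0.10.0/24
DNS_SERVER = "10.0.20.53"  # constructed host address inside 10.0.20.0/24


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def port_test(test, port: int) -> bool:
    """Evaluate a port predicate (op, n) with op in {'eq', 'gt', 'any'}, like 'eq 53' / 'gt 1024'."""
    op, n = test
    if op == "any":
        return True
    if op == "eq":
        return port == n
    if op == "gt":
        return port > n
    raise ValueError(f"unknown port operator {op!r}")


@dataclass(frozen=True)
class Ace:
    """One 'permit' entry: protocol, src host, src-port test, dst host, dst-port test."""
    proto: str
    src: str
    sport: tuple
    dst: str
    dport: tuple

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto and self.src == p.src and self.dst == p.dst
                and port_test(self.sport, p.sport) and port_test(self.dport, p.dport))


def acl_permits(acl, p: Packet) -> bool:
    """First matching entry wins; no match falls through to the implicit deny."""
    return any(ace.matches(p) for ace in acl)


# The router's interfaces and the networks attached to them (from the post).
INTERFACES = {"VLAN10": ip_network("10.0.10.0/24"), "VLAN20": ip_network("10.0.20.0/24")}


def route(addr_str: str) -> str:
    """Pick the interface for an address by longest prefix match over connected networks."""
    addr = ip_address(addr_str)
    candidates = [(net.prefixlen, name) for name, net in INTERFACES.items() if addr in net]
    if not candidates:
        raise LookupError(f"no route to {addr_str}")
    return max(candidates)[1]


def forward(acls: dict, p: Packet):
    """Walk one packet through ingress ACL -> routing -> egress ACL.
    Returns (verdict, trace); the trace records each ACL consulted and its result."""
    ingress = route(p.src)   # interface the source network hangs off
    egress = route(p.dst)    # interface chosen by the routing table
    trace = []
    for iface, direction in ((ingress, "in"), (egress, "out")):
        name = f"ACL_{iface}_{direction}"
        ok = acl_permits(acls.get(name, []), p)   # a missing ACL behaves as deny-all here
        trace.append((name, "permit" if ok else "deny"))
        if not ok:
            return "dropped", trace
    return "delivered", trace


# The four ACLs from the post, one per interface and direction.
FULL_ACLS = {
    "ACL_VLAN10_in":  [Ace("udp", PC, ("gt", 1024), DNS_SERVER, ("eq", 53))],
    "ACL_VLAN10_out": [Ace("udp", DNS_SERVER, ("eq", 53), PC, ("gt", 1024))],
    "ACL_VLAN20_in":  [Ace("udp", DNS_SERVER, ("eq", 53), PC, ("gt", 1024))],
    "ACL_VLAN20_out": [Ace("udp", PC, ("gt", 1024), DNS_SERVER, ("eq", 53))],
}

# Only the request-direction ACLs: what an operator gets by forgetting the reply path.
REQUEST_ONLY_ACLS = {k: v for k, v in FULL_ACLS.items() if k in ("ACL_VLAN10_in", "ACL_VLAN20_out")}


def dns_exchange(acls: dict):
    """Send the request and the matching reply; return (request result, reply result)."""
    request = Packet("udp", PC, 40123, DNS_SERVER, 53)       # constructed ephemeral port
    reply = Packet("udp", DNS_SERVER, 53, PC, request.sport)  # reply swaps addresses and ports
    return forward(acls, request), forward(acls, reply)


if __name__ == "__main__":
    for label, acls in (("full ACL set", FULL_ACLS), ("reply ACLs missing", REQUEST_ONLY_ACLS)):
        (req_v, req_t), (rep_v, rep_t) = dns_exchange(acls)
        print(f"{label}: request {req_v} {req_t}; reply {rep_v} {rep_t}")
```

With the full ACL set both packets are delivered and the trace shows exactly the order from the list above (VLAN10_in, VLAN20_out for the request; VLAN20_in, VLAN10_out for the reply). With only the request-direction ACLs the request still reaches the server, but the reply is denied at ACL_VLAN20_in, which is the usual symptom of "DNS works from one side only" when ACLs are not reflexive.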
I hope this post is useful and helpful.