Thursday, April 18, 2019

/30 and /28 Cisco ACL

Good morning,

My question is about ACLs, and how they apply to multiple interfaces on the same device. My ISP has given me a /30 and a /28 address. I will be putting a Cisco router out front, followed by a Meraki. At this point I'm thinking the WAN (Gig) interface of the Cisco will have the /30 address assigned, and the VLAN10 interface will have the first usable address of the /28.

I will have the Meraki connected to an interface off VLAN10 with the second usable IP address, and do all firewall/NAT things on that device. The Meraki's DFG will be the VLAN10 interface IP.

 int gig8
  desc *** ISP /30 Physical ***
  ip address 30.30.30.30 255.255.255.252
 !
 int gig7
  desc *** ISP /28 Logical ***
  switchport access vlan 10
 !
 int vlan10
  desc *** ISP /28 Physical ***
  ip address 28.28.28.1 255.255.255.240
 !
 ip route 0.0.0.0 0.0.0.0 30.30.30.31
 !
 ip access-list extended OutIn-Test
  remark *** ISP /30 WAN IP ***
  permit tcp any host 30.30.30.30 eq 22
  permit icmp any host 30.30.30.30 echo
  permit icmp any host 30.30.30.30 echo-reply
  permit icmp any host 30.30.30.30 time-exceeded
  permit icmp any host 30.30.30.30 unreachable
  permit icmp any host 30.30.30.30 traceroute
  deny ip any host 30.30.30.30
  remark *** ISP /28 WAN IP ***
  permit tcp any host 28.28.28.1 eq 22
  permit icmp any host 28.28.28.1 echo
  permit icmp any host 28.28.28.1 echo-reply
  permit icmp any host 28.28.28.1 time-exceeded
  permit icmp any host 28.28.28.1 unreachable
  permit icmp any host 28.28.28.1 traceroute
  deny ip any host 28.28.28.1
  remark *** ISP /28 ***
  permit ip any 28.28.28.0 0.0.0.15

If I were to apply this ACL to the /30 inbound -- would this include VLAN10? Or, would I need to apply this ACL to VLAN10 inbound also? Or, to save cycles, should I break this into (2) different policies and apply inbound to the respective interfaces?

(I'm not married to the ACL at the moment -- if there's something I've overlooked or should/should not include, please let me know)

Thanks in advance!

EDIT: Added fictitious interface addresses to help visualize
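Added here as an illustration, not part of the original post: a small Python model of how an IOS extended ACL is evaluated (first matching entry wins, implicit deny at the end, and an inbound ACL only sees packets arriving on the interface it is bound to). It assumes an abbreviated copy of the OutIn-Test list above, contiguous wildcard masks only, and compares the port/ICMP-type qualifier as a literal string; the interface binding is a simplified model of `ip access-group ... in`, not a router.

```python
import ipaddress

# Constructed, abbreviated copy of the poster's OutIn-Test ACL (fictitious addresses; other ICMP entries omitted).
OUTIN_TEST = """
permit tcp any host 30.30.30.30 eq 22
permit icmp any host 30.30.30.30 echo
deny ip any host 30.30.30.30
permit tcp any host 28.28.28.1 eq 22
deny ip any host 28.28.28.1
permit ip any 28.28.28.0 0.0.0.15
"""

def _addr(tok):
    """Consume one address term: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    bits = int(ipaddress.ip_address(tok[1])).bit_length()   # contiguous wildcard assumed
    return ipaddress.ip_network((tok[0], 32 - bits), strict=False), tok[2:]

def parse_acl(text):
    """Turn ACE lines into (action, proto, src_net, dst_net, qualifier) tuples, in order."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, rest = _addr(tok[2:])
        dst, rest = _addr(rest)
        aces.append((tok[0], tok[1], src, dst, " ".join(rest)))  # qualifier: 'eq 22', 'echo', ''
    return aces

def evaluate(aces, proto, src, dst, qual=""):
    """First-match evaluation with Cisco's implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, q in aces:
        if p in ("ip", proto) and s in sn and d in dn and (not q or q == qual):
            return action
    return "deny"

def ingress_filter(bindings, iface, acls, proto, src, dst, qual=""):
    """Inbound ACLs are per interface: only the ACL bound 'in' on the arrival interface runs."""
    name = bindings.get(iface)
    return evaluate(acls[name], proto, src, dst, qual) if name else "permit"

if __name__ == "__main__":
    acls = {"OutIn-Test": parse_acl(OUTIN_TEST)}
    bindings = {"gig8": "OutIn-Test"}      # ip access-group OutIn-Test in, on gig8 only
    print(ingress_filter(bindings, "gig8", acls, "tcp", "203.0.113.9", "28.28.28.5", "eq 443"))
    print(ingress_filter(bindings, "vlan10", acls, "tcp", "28.28.28.2", "28.28.28.1", "eq 23"))
```

The two sample calls show the point of the question: Internet traffic to the /28 arriving on gig8 is checked by the list, while a packet entering on vlan10 is untouched because nothing is bound there.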
