Router ACL on SVI; Inbound or Outbound?

Just a little note for SVI Access-List (or Cisco calls it Router ACL on SVI).
Three routers configured as below.

! R1

int f0/0
 ip addr 12.12.12.1 255.255.255.0
 no shut

router ospf 1
 net 0.0.0.0 0.0.0.0 a 0
 
! R2
int vlan 100
 ip addr 12.12.12.2 255.255.255.0
 
int f1/0
 switchport mode access
 switchport access vlan 100
int f0/0
 ip addr 23.23.23.2 255.255.255.0

router ospf 1
 net 0.0.0.0 0.0.0.0 a 0

! R3

int f0/0
 ip addr 23.23.23.3 255.255.255.0
 no shut

router ospf 1
 net 0.0.0.0 0.0.0.0 a 0
 
ip http server

I’m testing the Access-list on SVI and testing it by ICMP and HTTP from R1 (12.12.12.1) to R3 (23.23.23.3) and check the matches on the ACL. I’m expecting that the HTTP access will be denied and ICMP will be allowed.

The direction of the access-list and the SVI (inbound or outbound) tested as below.

! R2
Extended IP access list ACL
    10 deny tcp host 12.12.12.1 host 23.23.23.3 eq www
    20 permit ip any any (1 match)

int vlan 100
 ip access-group ACL out
 
! RESULT. ICMP and HTTP access are both OK

! R2
Extended IP access list ACL
    10 deny tcp host 23.23.23.3 eq www host 12.12.12.1 
    20 permit ip any any (5 matches)

int vlan 100
 ip access-group ACL in

! RESULT. ICMP and HTTP access are both OK

! R2
Extended IP access list ACL
    10 deny tcp host 23.23.23.3 eq www host 12.12.12.1 (6 matches)
    20 permit ip any any 

interface Vlan100
 ip access-group ACL out

! RESULT. ICMP OK, HTTP access is opened then timed-out.
! R2
Extended IP access list ACL
    10 deny tcp host 12.12.12.1 host 23.23.23.3 eq www (3 matches)
    20 permit ip any any 

interface Vlan100
 ip access-group ACL in

! RESULT. ICMP OK, HTTP access is UNREACHABLE 

Summary. The rule of thumb for the direction of the ACL on SVI above are:

ACL always have the form of , while the direction of the ACL int SVI works as below:

  • If it’s INBOUND (“ip access-group ACL out”), then it means “It’s going OUT TO the VLAN100 access ports.”
  • If it’s OUTBOUND (“ip access-group ACL in”), then it means “It’s going AWAY from the VLAN100″

As much as it’s confusing as it can be, I prefer to use VLAN ACCESS-MAP.

Router Output Queue

Output Queue
For the egress queue, router interface uses two queues. The first queue is, like Input queue, Output queue is a software queue. The default queuing mechanism is FIFO and it can be change to WFQ or CBWFQ. The default value for this queue is 40 packets.

Rack1R1#sh int e0/0 | i queue
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/40 (size/max)
  
Rack1R1#    sh int e0/0 | i Queueing
  Queueing strategy: fifo

Continue reading

Router Input Queue

We know that Router interfaces uses CEF switching on all of its interfaces. When the CPU is too busy to switch the new incoming packets, these packets will be stored in the Input Queue. There is only 1 Input queue and the queuing mechanism is always FIFO. By default the maximum packets can fill up this queue are 75 packets. This value can be change with hold-queue <value> in under the interface command. If the input queue is full and the CPU still not able to switch the packets. New incoming packets will be dropped.

R1#sh int f0/0
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
R1#conf t
R1(config)#int f0/0
R1(config-if)#hold-queue 100 in
R1(config-if)#^Z
R1#sh int f0/0
  Input queue: 0/100/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo ! This is OUTPUT Queuing mechanism.

Continue reading

IPv6 no-advertise and no-autoconfig.

By default, IPv6 addresses configured on an interface are advertised in Router Advertisement (RA). The command ipv6 nd prefix no-advertise will block the RA for the specified prefix. Command ipv6 nd prefix <IPv6> 14400 14400 no-autoconfig will advertise the prefix with A-bit (AUTOCONFIG) bit cleared.

This will work for scenario where you want to block the RA for specific address (no-advertise) or just want to block the specific address from being used for stateless auto-configuration (no-autoconfig).

In addition to that, by default, RA is automatically advertised on Ethernet or FDDI interface (but not other type of interface). ipv6 nd ra suppress will supress periodic unsolicited RA, but it does not suppress RAs in response to a Router Solicitation (RS). Use ipv6 nda ra suppress all to suppress all.

Source.

http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/command/ipv6-i3.html#wp1103499300

http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/command/ipv6-i3.html#wp2583862361

Notes for OSPF DR/BDR Peering priority

  • Higher priority value (0-255) is better.
  • Default value is 1
  • Can be set via neighbor command or interface command.
  • Neighbor command sets neighbor priority while interface command sets its own interface priority. Thus, both commands will not interfere each other. Again, one is for neighbor and other is for its own interface.
  • If the local interface priority is set and the other router uses neighbor priority command, then interface priority will take precedence.

Continue reading

You think you know DTP?

First, What’s DTP? Having a look on Google will reveal quite a few (if not too many) article about DTP. It’s basically a protocol which negotiate whether a link should turn into a Trunk link or not. You might be aware that the newer switches (e.g. 3560 on-wards) will have its link set as Dynamic Auto by default.

3560(config)#do sh int f0/14 sw | i Administrative Mode
Administrative Mode: dynamic auto

Continue reading

Diffie-Hellman usage in IPSec

I’m intrigued with Diffie-Hellman usage in IPSec. Most of the sources you can find in the internet will explain you how Diffie-Hellman work. You might want to visit this YouTube video about Diffie-Hellman Key Exchange and probably another YouTube video if you still not getting it.

Skipped the history side of this, in short, Diffie-Hellman is a method so that you can exchange your secret key without the need to pass that key over the network. It can be done with this 5 simple steps.

Continue reading

CCIE RS Lab Exam failed, for the second time.

It’s been a good experience so far, knowing that I failed my CCIE R&S lab for the second time. Well, certainly not the best outcome but certainly was a good experience.

Last year, 31 May 2012, I failed my first lab exam. That time was pretty rough. I was too emotional and nearly walking out of the building for not knowing enough of the technologies. I came out of the building felling stress out. It could probably be that I went to the exam just couple of days after I finished with Narbik’s Bootcamp. Exhausted and agitated.
Continue reading

Cisco 3560 MLS QOS – Part 3 – Final

This is the third part of Cisco 3560 MLS QOS. Previously I’ve discussed about Classification and Marking and Ingress Queuing.

Egress Queuing

Now, it has come to the part where packets are ready to be sent out. The idea is quite similar with Ingress Queuing but Egress has 4 Queues instead of only 2 for Ingress. Unlike Ingress Queues, Egress Queues has two sets of Queue configuration templates. It is called Queue-set 1 and Queue-set 2. This can be handy if you require to have two different settings for access ports and trunk ports. You will be able to configure Queue-set 1 with particular setup and have another different setup for Queue-set 2.
Continue reading