
Understanding ACL source:?

Racharla Chandra Kanth 539 posts since May 2, 2013


Understanding ACL source:? Jul 22, 2014 4:56 AM
Hi All,

Here is my topology:

Working with ACL:


access-list 100 deny icmp host 10.0.0.2 host 40.0.0.2 echo log-input
access-list 100 permit ip any any

Scenario1:
Applied ACL 100 on R1's Fa0/0 as inbound, then:
PC2#ping 40.0.0.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 40.0.0.2, timeout is 2 seconds:
U

2015 Cisco and/or its affiliates. All Rights Reserved. Generated on 2015-05-24-07:00
This document is Cisco Public Information.

*Mar 2 00:03:46.518: IP: s=10.0.0.2 (local), d=40.0.0.2 (FastEthernet0/0), len 100, sending
*Mar 2 00:03:46.522: ICMP type=8, code=0
*Mar 2 00:03:46.554: IP: s=10.0.0.254 (FastEthernet0/0), d=10.0.0.2, len 56, rcvd 1
*Mar 2 00:03:46.558: ICMP type=3, code=13

Scenario2: (Removed ACL from Fa0/0)


Applied ACL 100 on R1's Fa0/1 as outbound, then:
PC2#ping 40.0.0.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 40.0.0.2, timeout is 2 seconds:
U
*Mar 2 00:05:57.026: IP: s=10.0.0.2 (local), d=40.0.0.2 (FastEthernet0/0), len 100, sending
*Mar 2 00:05:57.026: ICMP type=8, code=0
*Mar 2 00:05:57.058: IP: s=10.0.0.254 (FastEthernet0/0), d=10.0.0.2, len 56, rcvd 1
*Mar 2 00:05:57.062: ICMP type=3, code=13

Scenario3:
Applied ACL 100 on R2's Fa0/1 as inbound, then:
PC2#ping 40.0.0.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 40.0.0.2, timeout is 2 seconds:
U
*Mar 2 00:08:21.186: IP: s=10.0.0.2 (local), d=40.0.0.2 (FastEthernet0/0), len 100, sending
*Mar 2 00:08:21.190: ICMP type=8, code=0
*Mar 2 00:08:21.254: IP: s=192.168.1.2 (FastEthernet0/0), d=10.0.0.2, len 56, rcvd 1 -> Here why can't the source be 192.168.1.1?
*Mar 2 00:08:21.254: ICMP type=3, code=13

Scenario4: (Removed ACL on Fa0/1)


Applied ACL 100 on R2's Fa0/0 as outbound, then:
PC2#ping 40.0.0.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 40.0.0.2, timeout is 2 seconds:
U
*Mar 2 00:10:35.062: IP: s=10.0.0.2 (local), d=40.0.0.2 (FastEthernet0/0), len 100, sending
*Mar 2 00:10:35.066: ICMP type=8, code=0
*Mar 2 00:10:35.146: IP: s=192.168.1.2 (FastEthernet0/0), d=10.0.0.2, len 56, rcvd 1 -> Here why can't the source be 40.0.0.254?
*Mar 2 00:10:35.146: ICMP type=3, code=13


Here I want to understand how the source IPs are changing according to the corresponding ACL.

Thanks for any input.

Regards,
Chandu



Tags: acl, cisco, ccna_lab

sarah 2,312 posts since Sep 12, 2013


Re: Understanding ACL source:? Jul 22, 2014 4:04 AM
hmmmm.... log-input?

Pantelis
Re: Understanding ACL source:? Jul 22, 2014 4:34 AM
Hi Racharla Chandra Kanth

According to Cisco

Inbound: If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the criteria statements of the access list for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.

Outbound: If the access list is outbound, after the software receives and routes a packet to the outbound interface, the software checks the criteria statements of the access list for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.

@Sarah The log-input option enables logging of the ingress interface and source MAC address in addition to the packet's source and destination IP addresses and ports.

Thanks
Pantelis

sarah 2,312 posts since Sep 12, 2013


Re: Understanding ACL source:? Jul 22, 2014 4:48 AM
in response to Pantelis
In addition to what Pantelis has said, the placement of an extended ACL determines the usage of the router resources. With extended ACLs, having it as specific as it is, you can filter it closer to the source rather than having it travel routers. That would be unwanted traffic moving across.


Thanks Pantelis, I wasn't aware of log-input, always used log...

Racharla Chandra Kanth 539 posts since May 2, 2013


Re: Understanding ACL source:? Jul 22, 2014 4:54 AM
in response to Pantelis
Hi Pantelis,

I know how the inbound and outbound ACLs are processed.

My question was regarding the "Source IP" while sending the "Access Denied" information to PC2 (10.0.0.2).

Ah! I need to correct the last statement in my original question!

Regards,
Chandu


sarah 2,312 posts since Sep 12, 2013


Re: Understanding ACL source:? Jul 22, 2014 4:55 AM
in response to Racharla Chandra Kanth
yes, I see that too.

Navneet.Gaur
Re: Understanding ACL source:? Jul 22, 2014 5:44 AM
Hi Racharla Chandra Kanth.

1. Remember traceroute ?

2. The next hop interface is sourced as the one that is replying.

3. Because the return packets are sourced from that interface and the ACL logic is applied before they would have been transmitted "out of / from" the next interface.

Take care,
Navneet.

Update:
Try the same method from PC-4 for further clarity


Additional Clarification:
The next hop interface, from the point of view of PC-2, on the router where the ACL is applied, is sourced as the one that is replying.


HARSHA 44 posts since Jun 11, 2014


Re: Understanding ACL source:? Jul 22, 2014 9:40 PM
Hi chandra kanth,

By default, when traffic is generated by a router, the router uses the IP of the outgoing interface.

Anyway, great ability to observe such detail. GOOD.

I posted the snipped image from the Cisco documentation which tells that fact.
(attachment: Capture.PNG)

Racharla Chandra Kanth 539 posts since May 2, 2013


Re: Understanding ACL source:? Jul 22, 2014 11:45 PM
in response to HARSHA
Sometimes simple things appear to be complicated.

Scenario1:
Applied ACL 100 on R1's Fa0/0 as inbound, then:
PC2#ping 40.0.0.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 40.0.0.2, timeout is 2 seconds:
U
*Mar 2 00:03:46.518: IP: s=10.0.0.2 (local), d=40.0.0.2 (FastEthernet0/0), len 100, sending
*Mar 2 00:03:46.522: ICMP type=8, code=0
*Mar 2 00:03:46.554: IP: s=10.0.0.254 (FastEthernet0/0), d=10.0.0.2, len 56, rcvd 1
*Mar 2 00:03:46.558: ICMP type=3, code=13
>> Here, from PC2 the next hop is 10.0.0.254; it processed the packet, denied it, and sent that info to PC2.

Scenario2: (Removed ACL from Fa0/0)


Applied ACL 100 on R1's Fa0/1 as outbound, then:


PC2#ping 40.0.0.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 40.0.0.2, timeout is 2 seconds:
U
*Mar 2 00:05:57.026: IP: s=10.0.0.2 (local), d=40.0.0.2 (FastEthernet0/0), len 100, sending
*Mar 2 00:05:57.026: ICMP type=8, code=0
*Mar 2 00:05:57.058: IP: s=10.0.0.254 (FastEthernet0/0), d=10.0.0.2, len 56, rcvd 1
*Mar 2 00:05:57.062: ICMP type=3, code=13

>> Here the next hop is 192.168.1.2, but the packet got dropped at 192.168.1.1 before it could reach 192.168.1.2. So the reply was from 10.0.0.254.

Scenario3:
Applied ACL 100 on R2's Fa0/1 as inbound, then:
PC2#ping 40.0.0.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 40.0.0.2, timeout is 2 seconds:
U
*Mar 2 00:08:21.186: IP: s=10.0.0.2 (local), d=40.0.0.2 (FastEthernet0/0), len 100, sending
*Mar 2 00:08:21.190: ICMP type=8, code=0
*Mar 2 00:08:21.254: IP: s=192.168.1.2 (FastEthernet0/0), d=10.0.0.2, len 56, rcvd 1 -> Here why can't the source be 192.168.1.1?
*Mar 2 00:08:21.254: ICMP type=3, code=13

>> Here the packet has arrived at the second hop, 192.168.1.2, which processed it and denied it; the same was sent to PC2.

Scenario4: (Removed ACL on Fa0/1)


Applied ACL 100 on R2's Fa0/0 as outbound, then:
PC2#ping 40.0.0.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 40.0.0.2, timeout is 2 seconds:
U
*Mar 2 00:10:35.062: IP: s=10.0.0.2 (local), d=40.0.0.2 (FastEthernet0/0), len 100, sending
*Mar 2 00:10:35.066: ICMP type=8, code=0
*Mar 2 00:10:35.146: IP: s=192.168.1.2 (FastEthernet0/0), d=10.0.0.2, len 56, rcvd 1 -> Here why can't the source be 40.0.0.254?
*Mar 2 00:10:35.146: ICMP type=3, code=13


>> Here again the next hop is the final destination, i.e. 40.0.0.2, but before the packet could reach it, the packet got dropped at 40.0.0.254. So the reply was from 192.168.1.2.

Thanks to you Both.

Regards,
Chandu
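As an added illustration (not code from the thread or from Cisco), here is a small Python model of the PC2 -> R1 -> R2 -> 40.0.0.2 path that applies access-list 100 at each of the four placements discussed above and reports the source of the ICMP type 3 / code 13 reply. The addresses are taken from the debug output in the thread; which address sits on which interface of R1 and R2 is inferred from the four scenarios.

```python
# Added example, not code from the thread. Topology reconstructed from the debug
# output above; the address-to-interface mapping is inferred from the four scenarios.
ROUTERS = {
    "R1": {"Fa0/0": "10.0.0.254", "Fa0/1": "192.168.1.1"},
    "R2": {"Fa0/1": "192.168.1.2", "Fa0/0": "40.0.0.254"},
}
# Hops from PC2 toward 40.0.0.2: (router, ingress interface, egress interface).
PATH = [("R1", "Fa0/0", "Fa0/1"), ("R2", "Fa0/1", "Fa0/0")]

# Constructed packet matching the deny line: ICMP echo (type 8) 10.0.0.2 -> 40.0.0.2.
ECHO = {"proto": "icmp", "src": "10.0.0.2", "dst": "40.0.0.2", "type": 8}

# The four ACL placements from the thread: (router, interface, direction).
SCENARIOS = {
    1: ("R1", "Fa0/0", "in"),
    2: ("R1", "Fa0/1", "out"),
    3: ("R2", "Fa0/1", "in"),
    4: ("R2", "Fa0/0", "out"),
}

def acl_100(pkt):
    """access-list 100 deny icmp host 10.0.0.2 host 40.0.0.2 echo / permit ip any any."""
    if (pkt["proto"] == "icmp" and pkt["src"] == "10.0.0.2"
            and pkt["dst"] == "40.0.0.2" and pkt.get("type") == 8):
        return "deny"
    return "permit"

def forward(pkt, placement):
    """Walk the packet hop by hop. placement = (router, interface, "in" | "out").
    An inbound ACL is evaluated when the packet arrives on that interface; an
    outbound ACL after routing, just before transmit on the egress interface.
    Either way the unreachable is sent back out the ingress interface, so it is
    sourced from that interface's address (the next hop as seen from PC2)."""
    for hop, ingress, egress in PATH:
        for iface, direction in ((ingress, "in"), (egress, "out")):
            if (hop, iface, direction) == placement and acl_100(pkt) == "deny":
                return {"icmp_type": 3, "icmp_code": 13, "src": ROUTERS[hop][ingress]}
    return {"delivered_to": pkt["dst"]}

def run_scenarios():
    """Source of the admin-prohibited reply PC2 sees for each ACL placement."""
    return {n: forward(ECHO, p)["src"] for n, p in SCENARIOS.items()}

if __name__ == "__main__":
    for n, src in run_scenarios().items():
        print(f"Scenario{n}: ICMP 3/13 sourced from {src}")
```

The model reproduces the thread's observation: placements on R1 answer from 10.0.0.254 and placements on R2 answer from 192.168.1.2, regardless of whether the ACL is inbound or outbound.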

Navneet.Gaur
Re: Understanding ACL source:? Jul 22, 2014 11:52 PM
Hi Racharla Chandra Kanth.

1. As always, it's a pleasure.

Take care,
Navneet.
