Adding access lists in router 3

Andy542

MIS
Jul 3, 2002
60
ZA
Hi,
I'd like some assistance on adding access lists on my router so that no LAN host (except the proxy server and any other machine that I might consider) can browse through the router (bypassing my proxy).

In essence, it's only the proxy, 192.168.0.2, that should be allowed Internet traffic.

Regards,

Andy

Never underestimate the power of human stupidity
 
Based on what you're stating, the following will only allow traffic sourced from the proxy address through the router. I'm assuming the LAN hosts are on fastethernet 0/0.

! Standard named ACL: only the proxy's source address is permitted,
! everything else is explicitly denied (a standard ACL also carries an implicit deny at the end)
ip access-list standard PROXYONLY
 permit host 192.168.0.2
 deny any
!
! Apply inbound on the LAN-facing interface so non-proxy hosts are dropped before routing
interface FastEthernet0/0
 ip access-group PROXYONLY in
 
deny any log...:)

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
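The posts above describe how the standard ACL is evaluated: entries are checked top down, the first match wins, and anything that matches no entry is dropped by the implicit deny. The following Python model is an added example, not code from the thread or from Cisco; it reproduces that first-match logic over constructed LAN traffic, shows how a second host is added ahead of the `deny any`, and flags entries that can never match because an earlier entry already covers them. The `log` flag only counts which packets hit a logging entry; as the later replies say, what that does to the switching path is platform dependent and is not modelled here.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One entry of a standard ACL: action, source prefix, optional 'log' keyword."""
    action: str            # "permit" or "deny"
    source: IPv4Network    # "host a.b.c.d" is a /32, "any" is 0.0.0.0/0
    log: bool = False


def host(addr: str) -> IPv4Network:
    """Equivalent of the IOS 'host' keyword: a single-address /32."""
    return IPv4Network(f"{addr}/32")


ANY = IPv4Network("0.0.0.0/0")

# Model of the PROXYONLY list from the thread, with 'deny any log' as suggested for testing.
PROXYONLY: List[Ace] = [
    Ace("permit", host("192.168.0.2")),
    Ace("deny", ANY, log=True),
]

# Constructed sample traffic: the proxy plus two LAN hosts trying to bypass it.
SAMPLE_SOURCES = ["192.168.0.2", "192.168.0.10", "192.168.0.55"]


def evaluate(acl: List[Ace], src: str) -> Tuple[str, Optional[Ace]]:
    """First-match evaluation. (deny, None) means the implicit deny at the end fired."""
    address = IPv4Address(src)
    for ace in acl:
        if address in ace.source:
            return ace.action, ace
    return "deny", None


def filter_packets(acl: List[Ace], sources: List[str]) -> Tuple[List[str], List[str], int]:
    """Return (permitted sources, denied sources, number of hits on entries carrying 'log')."""
    permitted: List[str] = []
    denied: List[str] = []
    logged = 0
    for src in sources:
        action, ace = evaluate(acl, src)
        if ace is not None and ace.log:
            logged += 1
        (permitted if action == "permit" else denied).append(src)
    return permitted, denied, logged


def allow_host(acl: List[Ace], addr: str) -> List[Ace]:
    """Permit one more host by inserting ahead of the first 'deny any', so it is not shadowed."""
    new_acl = list(acl)
    for i, ace in enumerate(new_acl):
        if ace.action == "deny" and ace.source == ANY:
            new_acl.insert(i, Ace("permit", host(addr)))
            return new_acl
    new_acl.append(Ace("permit", host(addr)))
    return new_acl


def shadowed(acl: List[Ace]) -> List[int]:
    """Indices of entries that can never match because an earlier entry covers their whole range."""
    return [
        i for i, ace in enumerate(acl)
        if any(ace.source.subnet_of(earlier.source) for earlier in acl[:i])
    ]


if __name__ == "__main__":
    print(filter_packets(PROXYONLY, SAMPLE_SOURCES))
    print(filter_packets(allow_host(PROXYONLY, "192.168.0.10"), SAMPLE_SOURCES))
    print(shadowed([Ace("deny", ANY), Ace("permit", host("192.168.0.2"))]))
```

Run as-is, the first line shows only 192.168.0.2 passing and both other hosts hitting the logging deny; the third line reports index 1, the mistake of putting `deny any` before the proxy's `permit`, which would cut the proxy off too.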
 
deny any log forces process switching so only use for testing/verification. Without the log option you can use CEF forwarding which is much faster.
 
^^^^^^^^^I was waiting for someone to post that, so I could post exactly what you said!!!!!!!!! dang,

CCNP
 
On standard and extended? I never knew that...hmmm...

Can ya prove it?

 
That's true; any ACL statement with log at the end gets punted to the CPU to handle.
 
I could see that, viper---that's a good way to explain it.

When someone can prove it, you'll all get a star...:)

 
First off, I don't see where the simple "log" after an acl will be process-switched...maybe I am misreading it.

Second, if I am reading it wrong, the only other way I am reading it is ONLY if the ace gets matched, then THAT match (if logging for that particular ACE is set) gets punted to the CPU.

 
Behavior depends on the platform. For example, the 6500 now supports CEF ACL logging in hardware. In some platforms, CEF is disabled for the ACL with logging and fast-switching is used. In the lower-end platforms CEF creates a punt adjacency that forces process switching.

This may be something to send to the TAC to verify specifics for a particular platform? Generally, though, there is a high likelihood you'll get a performance hit when you use logging in an ACL.
 
Just for the ACE hits, or as soon as the keyword "logging" is entered then ALL packets get punted?

 
Tim,

That's why I suggest calling TAC for a specific platform. I've found documents that say for the ACL as well as others that just say for the ACE. One thing that is consistent is that punt adjacencies occur with logging. How severe that impact will be varies by platform/Memory/CPU. However, consistently Cisco documents do state there is a performance hit with ACL logging.
 
IMHO, my experience has been the same. We actually had to turn logging off on some of our high-traffic 7200s, and once we did that we saw a 31% CPU reduction in aggregate. We still run it on our 6500 due to OAL.

CCNP
 