Using ACLs with Vlans....

Posted on 2007-11-21
Last Modified: 2012-06-27
Hello All,

I have two vlans, 2 (10.229.24.0) and 8 (10.101.28.0). I'm using a cisco 3560 to do all my layer 3 traffic. Port 2 is Vlan 2 (10.229.24.254) and port 5 is VLan 8 (10.101.30.254) on the switch. What would be the easiest way to use ACLs to prevent Vlan 8 talking to Vlan 2? But I do need a couple of servers in Vlan 8 to be able to talk to hosts in Vlan 2. Also, I would like to be able to control what ports go out of those interfaces. For example, if I only wanted users to have access to http, https for internet and block all other ports.

Thanks in advance for your help.
Question by:ejaramillo
LVL 50

Expert Comment

by:Don Johnston
ID: 20328652
> What would be the easiest way to use ACLs to prevent Vlan 8 talking to Vlan 2?

A standard ACL applied to the VLAN interfaces. For example:

access-list 1 deny 10.229.24.0 0.0.0.255
access-list 1 permit any
int VLAN 8
 ip access-group 1 out

>But I do need a couple of server in Vlan 8 to be able to talk to hosts in Vlan 2.

Now you're talking extended ACLs

>Also,  I would like to be able to control what ports go out of those interfaces.

Same as above, extended ACL.
LVL 1

Author Comment

by:ejaramillo
ID: 20329351
Can you please give me an example of the extended ACL I would use in this example?
LVL 50

Expert Comment

by:Don Johnston
ID: 20330482
access-list 101 permit tcp 10.229.24.254 0.0.0.0 10.101.30.254 0.0.0.0 eq 80
access-list 101 permit tcp 10.229.24.254 0.0.0.0 10.101.30.254 0.0.0.0 eq 443

would only allow http and https traffic from 10.229.24.254 to 10.101.30.254. All other traffic would be denied by the implicit deny any that affects all ACLs.
LVL 1

Author Comment

by:ejaramillo
ID: 20330997
Using an extended ACL how would I block all traffic from Vlan 8 to Vlan 2 with the exception of a couple of IP addresses?

Thanks for your help!
LVL 50

Expert Comment

by:Don Johnston
ID: 20331022
You don't need an extended ACL for that. You would use a standard ACL to allow the specific IP addresses. Everything else would be denied.
LVL 1

Author Comment

by:ejaramillo
ID: 20332711
If I use this ACL:

access-list 1 deny 10.229.24.0 0.0.0.255
access-list 1 permit any
int VLAN 8
 ip access-group 1 out

This is blocking all of Vlan 8 from accessing Vlan 2. So how would I allow some IP's to access Vlan 2 using this ACL?

Thanks
LVL 50

Expert Comment

by:Don Johnston
ID: 20334064
access-list 1 permit 10.229.24.8 0.0.0.0
access-list 1 permit 10.229.24.12 0.0.0.0
access-list 1 permit 10.229.24.38 0.0.0.0
access-list 1 deny 10.229.24.0 0.0.0.255
access-list 1 permit any

This will allow the .8, .12 and .38 hosts, deny everything else on the 10.229.24.0 network, and allow everything else.
LVL 1

Author Comment

by:ejaramillo
ID: 20337358
This would be applied on vlan 8 out?
LVL 50

Expert Comment

by:Don Johnston
ID: 20338254
Yes.
LVL 1

Author Comment

by:ejaramillo
ID: 20354848
Can I do this to block vlan 8 talking to vlan 2 with only a couple of IPs getting through, but also only giving them access to certain ports for internet?

Int Vlan 8 out
access-list 101 permit tcp 10.101.28.0 0.0.0.255 10.229.24.8 0.0.0.0
access-list 101 permit tcp 10.101.28.0 0.0.0.255 10.229.24.9 0.0.0.0
access-list 101 permit tcp 10.101.28.0 0.0.0.255 any eq 80
access-list 101 deny tcp 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any

Second question:

What would I apply to vlan 8 inbound?

Would it be something like:

access-list 102 permit tcp any 10.101.28.0 0.0.0.255 established
LVL 50

Expert Comment

by:Don Johnston
ID: 20354912
Can you tell me what devices need to talk to what? Or what you don't want to work?
LVL 1

Author Comment

by:ejaramillo
ID: 20354982
Basically I don't want 10.101.28.0 (Vlan 8) to be able to talk to 10.229.24.0 (Vlan 2) and vice versa if I needed, but I do have a couple of users who are on vlan 2 who need to communicate with a printer which is on Vlan 8. I also have a couple of users who are on Vlan 8 who need to talk to a server on Vlan 2. Sorry if I'm making this more confusing than it probably is.

Thanks for your help...
LVL 1

Author Comment

by:ejaramillo
ID: 20355193
Sorry, one last thing:

I also want to be able to control what ports users can access going out, i.e. http, https, ftp, pop3 etc.
LVL 50

Expert Comment

by:Don Johnston
ID: 20355245
This will prevent vlan 8 devices from talking to vlan 2 devices.

access-list 101 deny ip 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 10.229.24.0 0.0.0.255 10.101.28.0 0.0.0.255
access-list 102 permit ip any any

int vlan 2
 ip access-group 101 out
int vlan 8
 ip access-group 102 out
LVL 1

Author Comment

by:ejaramillo
ID: 20355312
Given your example, if there was a printer (10.101.28.1) on VLan 8 that a user (10.229.24.1) on Vlan 2 needed to access I would use this ACL:

access-list 101permit ip 10.101.24.1 0.0.0.0 10.229.24.1 0.0.0.0
access-list 101 deny ip 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit ip 10.229.24.1 0.0.0.0 10.101.28.1 0.0.0.0
access-list 102 deny ip 10.229.24.0 0.0.0.255 10.101.28.0 0.0.0.255
access-list 102 permit ip any any

int vlan 2
 ip access-group 101 out
int vlan 8
 ip access-group 102 out
LVL 50

Accepted Solution

by:Don Johnston (earned 500 total points)
ID: 20355335
Close. :-)

access-list 101 permit ip 10.101.28.1 0.0.0.0 10.229.24.1 0.0.0.0
access-list 101 deny ip 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit ip 10.229.24.1 0.0.0.0 10.101.28.1 0.0.0.0
access-list 102 deny ip 10.229.24.0 0.0.0.255 10.101.28.0 0.0.0.255
access-list 102 permit ip any any

int vlan 2
 ip access-group 101 out
int vlan 8
 ip access-group 102 out
LVL 1

Author Comment

by:ejaramillo
ID: 20355362
Thanks for all your help! I was really close. =)

One last thing, sorry I know you want to close this out but what if I also wanted to only have certain ports open outbound like http, https, ftp. I don't want them to have access to all ports outbound, ya know.

What do you think?

Thanks again!
LVL 50

Expert Comment

by:Don Johnston
ID: 20355407
This would allow 10.101.28.1 to open a web page on 10.229.24.1
And allow 10.229.24.9 to telnet to 10.101.28.6

Keep in mind that stopping the response is a bit overkill. If you stop the request, that's usually more than adequate in a closed network.

access-list 101 permit tcp 10.101.28.1 0.0.0.0 10.229.24.1 0.0.0.0 eq 80
access-list 101 permit tcp 10.101.28.6 0.0.0.0 eq 23 10.229.24.9 0.0.0.0
access-list 101 deny ip 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit tcp 10.229.24.1 0.0.0.0 eq 80 10.101.28.1 0.0.0.0
access-list 102 permit tcp 10.229.24.9 0.0.0.0 10.101.28.6 0.0.0.0 eq 23
access-list 102 deny ip 10.229.24.0 0.0.0.255 10.101.28.0 0.0.0.255
access-list 102 permit ip any any

int vlan 2
 ip access-group 101 out
int vlan 8
 ip access-group 102 out
LVL 1

Author Comment

by:ejaramillo
ID: 20355429
Well I'm not really looking to block host to host, but more for outbound to the internet. Let's say I only want to allow my users to go out to the internet and be able to access ftp sites and that's all. I don't want them to be able to go out to the internet to access yahoo messenger which is on a much higher port. Does that make sense? Do you kind of get what I'm trying to get at?
LVL 50

Expert Comment

by:Don Johnston
ID: 20358118
The best way to approach this is to understand how the ACLs work. That way you'll be able to write them to fit your requirements.

access-list 101 <action> <protocol> <source add/mask> eq <source port> <dest add/mask> eq <dest port>

access-list 101 permit tcp 192.168.1.0 0.0.0.255 172.16.1.8 0.0.0.0 eq 80

would allow 192.168.1.0 network to open a web page on the server at 172.16.1.8

Make sense?
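As an added illustration (not part of the thread or the expert's own material), a small Python evaluator that applies the first-match, implicit-deny logic described above to the expert's port-specific ACL 101 from earlier in the thread, so each candidate flow can be checked before the list is applied to the vlan 2 interface. The "internet" destination 198.51.100.10 used in the checks is a constructed sample, and the evaluator only understands the keywords that appear in these lines (permit/deny, ip/tcp, any, wildcard masks, eq), not established or named ports.

```python
import ipaddress
def _addr(tok):
    # 'any', or '<address> <wildcard>'; wildcard 0.0.0.0 means a single host
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    return (tok[0], tok[1]), tok[2:]
def _port(tok):
    # optional 'eq <port>' after a source or destination address
    if tok and tok[0] == "eq":
        return int(tok[1]), tok[2:]
    return None, tok
def parse_acl(text):
    # returns {acl_number: [(action, proto, src, sport, dst, dport), ...]}
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        num, action, proto = tok[1], tok[2], tok[3]
        src, rest = _addr(tok[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, _ = _port(rest)
        acls.setdefault(num, []).append((action, proto, src, sport, dst, dport))
    return acls
def _match_addr(spec, ip):
    # wildcard bits set to 1 are "don't care"; only the fixed bits must agree
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF) == 0
def evaluate(rules, proto, src, dst, dport, sport=0):
    # the first matching line decides; running off the end is the implicit deny
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not (_match_addr(rsrc, src) and _match_addr(rdst, dst)):
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action == "permit"
    return False
# Sample input: the expert's ACL 101 from this thread (applied on vlan 2 out)
ACL_TEXT = """
access-list 101 permit tcp 10.101.28.1 0.0.0.0 10.229.24.1 0.0.0.0 eq 80
access-list 101 permit tcp 10.101.28.6 0.0.0.0 eq 23 10.229.24.9 0.0.0.0
access-list 101 deny ip 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any
"""
ACL_101 = parse_acl(ACL_TEXT)["101"]
```

Calling evaluate(ACL_101, "tcp", "10.101.28.1", "10.229.24.1", 443) returns False because the deny line matches before permit ip any any, which is the ordering point the whole thread turns on.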
LVL 1

Author Comment

by:ejaramillo
ID: 20358130
Got it! Thanks for all your help!