Solved

Using ACLs with Vlans....

Posted on 2007-11-21
Last Modified: 2012-06-27
Hello All,

I have two vlans, 2 (10.229.24.0) and 8 (10.101.28.0). I'm using a Cisco 3560 to do all my layer 3 traffic. Port 2 is Vlan 2 (10.229.24.254) and port 5 is Vlan 8 (10.101.30.254) on the switch. What would be the easiest way to use ACLs to prevent Vlan 8 talking to Vlan 2? But I do need a couple of servers in Vlan 8 to be able to talk to hosts in Vlan 2. Also, I would like to be able to control what ports go out of those interfaces. For example, if I only wanted users to have access to http, https for internet and block all other ports.

Thanks in advance for your help.
Question by ejaramillo

Expert Comment by Don Johnston (ID: 20328652)
> What would be the easiest way to use ACLs to prevent Vlan 8 talking to Vlan 2?

A standard ACL applied to the VLAN interfaces. For example:

access-list 1 deny 10.229.24.0 0.0.0.255
access-list 1 permit any
int VLAN 8
 ip access-group 1 out

> But I do need a couple of servers in Vlan 8 to be able to talk to hosts in Vlan 2.

Now you're talking extended ACLs.

> Also, I would like to be able to control what ports go out of those interfaces.

Same as above, extended ACL.

Author Comment by ejaramillo (ID: 20329351)
Can you please give me an example of the extended ACL I would use in this example?

Expert Comment by Don Johnston (ID: 20330482)
access-list 101 permit tcp 10.229.24.254 0.0.0.0 10.101.30.254 0.0.0.0 eq 80
access-list 101 permit tcp 10.229.24.254 0.0.0.0 10.101.30.254 0.0.0.0 eq 443

would only allow http and https traffic from 10.229.24.254 to 10.101.30.254. All other traffic would be denied by the implicit deny any that affects all ACLs.

Author Comment by ejaramillo (ID: 20330997)
Using an extended ACL how would I block all traffic from Vlan 8 to Vlan 2 with the exception of a couple of IP addresses?

Thanks for your help!

Expert Comment by Don Johnston (ID: 20331022)
You don't need an extended ACL for that. You would use a standard ACL to allow the specific IP addresses. Everything else would be denied.

Author Comment by ejaramillo (ID: 20332711)
If I use this ACL:

access-list 1 deny 10.229.24.0 0.0.0.255
access-list 1 permit any
int VLAN 8
 ip access-group 1 out

This is blocking all of Vlan 8 from accessing Vlan 2. So how would I allow some IPs to access Vlan 2 using this ACL?

Thanks

Expert Comment by Don Johnston (ID: 20334064)
access-list 1 permit 10.229.24.8 0.0.0.0
access-list 1 permit 10.229.24.12 0.0.0.0
access-list 1 permit 10.229.24.38 0.0.0.0
access-list 1 deny 10.229.24.0 0.0.0.255
access-list 1 permit any

This will allow the .8, .12 and .38 hosts, deny everything else on the 10.229.24.0 network, and allow everything else.

Author Comment by ejaramillo (ID: 20337358)
This would be applied on vlan 8 out?

Expert Comment by Don Johnston (ID: 20338254)
Yes.

Author Comment by ejaramillo (ID: 20354848)

Can I do this to block vlan 8 talking to vlan 2 with only a couple of IPs getting through, but also only giving them access to certain ports for internet?


Int Vlan 8 out
access-list 101 permit tcp 10.101.28.0 0.0.0.255 10.229.24.8 0.0.0.0
access-list 101 permit tcp 10.101.28.0 0.0.0.255 10.229.24.9 0.0.0.0
access-list 101 permit tcp 10.101.28.0 0.0.0.255 any eq 80
access-list 101 deny tcp 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any

Second question:

What would I apply to vlan 8 inbound?

Would it be something like:

access-list 102 permit tcp any 10.101.28.0 0.0.0.255 established

Expert Comment by Don Johnston (ID: 20354912)
Can you tell me what devices need to talk to what? Or what you don't want to work?

Author Comment by ejaramillo (ID: 20354982)
Basically I don't want 10.101.28.0 (Vlan 8) to be able to talk to 10.229.24.0 (Vlan 2) and vice versa if I needed, but I do have a couple of users who are on Vlan 2 who need to communicate with a printer which is on Vlan 8. I also have a couple of users who are on Vlan 8 who need to talk to a server on Vlan 2. Sorry if I'm making this more confusing than it probably is.

Thanks for your help...

Author Comment by ejaramillo (ID: 20355193)
Sorry, one last thing:

I also want to be able to control what ports users can access going out, i.e. http, https, ftp, pop3 etc.

Expert Comment by Don Johnston (ID: 20355245)
This will prevent vlan 8 devices from talking to vlan 2 devices.

access-list 101 deny ip 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 10.229.24.0 0.0.0.255 10.101.28.0 0.0.0.255
access-list 102 permit ip any any

int vlan 2
 ip access-group 101 out
int vlan 8
 ip access-group 102 out

Author Comment by ejaramillo (ID: 20355312)
Given your example, if there was a printer (10.101.28.1) on Vlan 8 that a user (10.229.24.1) on Vlan 2 needed to access I would use this ACL:

access-list 101 permit ip 10.101.24.1 0.0.0.0 10.229.24.1 0.0.0.0
access-list 101 deny ip 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit ip 10.229.24.1 0.0.0.0 10.101.28.1 0.0.0.0
access-list 102 deny ip 10.229.24.0 0.0.0.255 10.101.28.0 0.0.0.255
access-list 102 permit ip any any

int vlan 2
 ip access-group 101 out
int vlan 8
 ip access-group 102 out

Accepted Solution by Don Johnston (earned 500 total points, ID: 20355335)
Close. :-)

access-list 101 permit ip 10.101.28.1 0.0.0.0 10.229.24.1 0.0.0.0
access-list 101 deny ip 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit ip 10.229.24.1 0.0.0.0 10.101.28.1 0.0.0.0
access-list 102 deny ip 10.229.24.0 0.0.0.255 10.101.28.0 0.0.0.255
access-list 102 permit ip any any

int vlan 2
 ip access-group 101 out
int vlan 8
 ip access-group 102 out

Author Comment by ejaramillo (ID: 20355362)
Thanks for all your help! I was really close. =)

One last thing, sorry I know you want to close this out but what if I also wanted to only have certain ports open outbound like http, https, ftp. I don't want them to have access to all ports outbound, ya know.

What do you think?

Thanks again!

Expert Comment by Don Johnston (ID: 20355407)
This would allow 10.101.28.1 to open a web page on 10.229.24.1,
and allow 10.229.24.9 to telnet to 10.101.28.6.

Keep in mind that stopping the response is a bit overkill. If you stop the request, that's usually more than adequate in a closed network.

access-list 101 permit tcp 10.101.28.1 0.0.0.0 10.229.24.1 0.0.0.0 eq 80
access-list 101 permit tcp 10.101.28.6 0.0.0.0 eq 23 10.229.24.9 0.0.0.0
access-list 101 deny ip 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit tcp 10.229.24.1 0.0.0.0 eq 80 10.101.28.1 0.0.0.0
access-list 102 permit tcp 10.229.24.9 0.0.0.0 10.101.28.6 0.0.0.0 eq 23
access-list 102 deny ip 10.229.24.0 0.0.0.255 10.101.28.0 0.0.0.255
access-list 102 permit ip any any

int vlan 2
 ip access-group 101 out
int vlan 8
 ip access-group 102 out

Author Comment by ejaramillo (ID: 20355429)
Well I'm not really looking to block host to host, but more for outbound to the internet. Let's say I only want to allow my users to go out to the internet and be able to access ftp sites and that's all. I don't want them to be able to go out to the internet to access Yahoo Messenger, which is on a much higher port. Does that make sense? Do you kind of get what I'm trying to get at?

Expert Comment by Don Johnston (ID: 20358118)
The best way to approach this is to understand how the ACLs work. That way you'll be able to write them to fit your requirements.

access-list 101 <action> <protocol> <source add/mask> eq <source port> <dest add/mask> eq <dest port>

access-list 101 permit tcp 192.168.1.0 0.0.0.255 172.16.1.8 0.0.0.0 eq 80

would allow 192.168.1.0 network to open a web page on the server at 172.16.1.8

Make sense?
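The evaluation rules that run through this whole thread (top-down first match, the implicit deny at the end, wildcard masks, standard versus extended entries, and the `established` keyword the asker raised earlier) can be exercised with a small simulator. The block below is an added example, not code from the thread, from Experts Exchange or from Cisco: it parses numbered ACL lines into Python and evaluates constructed flows against them. The ACL text it embeds is ACL 1 from the earlier comment and the accepted 101/102 from the comments above, the asker's earlier draft renumbered here to 111 (with its final `permit any any` written in the extended form `permit ip any any`), and the asker's `established` line as 112; the packet addresses and port numbers are constructed.

```python
# Added example, not from the thread or from Cisco: a first-match evaluator for
# numbered ACLs, so the entries discussed above can be checked against flows.
import ipaddress
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# A packet as the ACL sees it; ack=True means the TCP ACK bit is set, which is
# what the "established" keyword tests.
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))
# One ACL entry: src/dst are (address, wildcard) pairs, ports are None when not
# given, proto "ip" matches every protocol (standard ACLs are stored that way).
Rule = namedtuple("Rule", "action proto src sport dst dport established text")
ANY = ("0.0.0.0", "255.255.255.255")
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "telnet": 23, "ftp": 21,
              "smtp": 25, "pop3": 110}

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit is 'don't care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    if tok[i] == "any":
        return ANY, i + 1
    return (tok[i], tok[i + 1]), i + 2

def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_acl(config: str) -> Dict[int, List[Rule]]:
    """Group 'access-list <n> ...' lines by number, keeping configured order."""
    acls: Dict[int, List[Rule]] = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, action = int(tok[1]), tok[2]
        if number < 100:                  # standard ACL: source address only
            src, _ = _addr(tok, 3)
            rule = Rule(action, "ip", src, None, ANY, None, False, line.strip())
        else:                             # extended ACL: proto, src, dst, ports
            src, i = _addr(tok, 4)
            sport, i = _port(tok, i)
            dst, i = _addr(tok, i)
            dport, i = _port(tok, i)
            rule = Rule(action, tok[3], src, sport, dst, dport,
                        "established" in tok[i:], line.strip())
        acls.setdefault(number, []).append(rule)
    return acls

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and wildcard_match(pkt.src, *rule.src)
            and wildcard_match(pkt.dst, *rule.dst)
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.established or (pkt.proto == "tcp" and pkt.ack)))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching line wins; no match means the implicit deny at the end."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "<implicit deny any>"

# Constructed ACL text. ACL 1 and 101/102 are the entries from the thread; 111 is
# the asker's earlier draft renumbered, with its last line as "permit ip any any";
# 112 is the "established" line the asker proposed.
CONFIG = """
access-list 1 permit 10.229.24.8 0.0.0.0
access-list 1 permit 10.229.24.12 0.0.0.0
access-list 1 permit 10.229.24.38 0.0.0.0
access-list 1 deny 10.229.24.0 0.0.0.255
access-list 1 permit any
access-list 101 permit tcp 10.101.28.1 0.0.0.0 10.229.24.1 0.0.0.0 eq 80
access-list 101 permit tcp 10.101.28.6 0.0.0.0 eq 23 10.229.24.9 0.0.0.0
access-list 101 deny ip 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit tcp 10.229.24.1 0.0.0.0 eq 80 10.101.28.1 0.0.0.0
access-list 102 permit tcp 10.229.24.9 0.0.0.0 10.101.28.6 0.0.0.0 eq 23
access-list 102 deny ip 10.229.24.0 0.0.0.255 10.101.28.0 0.0.0.255
access-list 102 permit ip any any
access-list 111 permit tcp 10.101.28.0 0.0.0.255 10.229.24.8 0.0.0.0
access-list 111 permit tcp 10.101.28.0 0.0.0.255 10.229.24.9 0.0.0.0
access-list 111 permit tcp 10.101.28.0 0.0.0.255 any eq 80
access-list 111 deny tcp 10.101.28.0 0.0.0.255 10.229.24.0 0.0.0.255
access-list 111 permit ip any any
access-list 112 permit tcp any 10.101.28.0 0.0.0.255 established
"""
ACLS = parse_acl(CONFIG)

def check(number: int, pkt: Packet) -> str:
    """'permit' or 'deny' for one packet against ACL <number> of CONFIG."""
    return evaluate(ACLS[number], pkt)[0]

if __name__ == "__main__":
    web = Packet("tcp", "10.101.28.50", "10.229.24.100", 40000, 80)
    print("draft 111:", evaluate(ACLS[111], web))   # permitted by the 'any eq 80' line
    print("final 101:", evaluate(ACLS[101], web))   # denied by the subnet deny
```

Running it confirms the behaviour described in the comments above and shows two things worth checking before a draft is applied: in ACL 111 the `permit tcp ... any eq 80` line sits before the subnet deny, so every Vlan 8 host can still reach port 80 on any Vlan 2 host, and because that deny names only `tcp`, UDP and ICMP between the two subnets fall through to the final permit. The accepted 101/102 avoid both by placing a `deny ip` between the subnets directly after the host-pair exceptions. The simulator models only the matching logic, not where an ACL is applied; the direction still has to be chosen as in the accepted answer, `out` on the SVI of the destination VLAN.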
 
Author Comment by ejaramillo (ID: 20358130)
Got it! Thanks for all your help!