Solved

Please help with access-list on a 3500 series cat?

Posted on 2007-11-21
Last Modified: 2012-06-27
Hello Experts,

I would really like some advice on how to create an access list that will provide the following:

Provide DNS and DHCP from one subnet to 5 boxes on their own VLAN
PCs have full access to one server, e.g. "server 1"
PCs are denied access to another specific server, "server 2", and everything else.

For example purposes I will use IP addresses 10.10.10.10 for "server 1", and 10.100 for "server 2".
The PCs will have 192.168.1.1 through 5 for IPs. The DHCP and DNS server will be 192.168.1.100.

I have been reading some of the other entries in this forum, but I could benefit from some specific advice.

Thanks in advance,
Ben

Question by:workcover
LVL 4
Expert Comment by:CCIE8122
First, no access list will have any effect on traffic that remains within a VLAN (i.e., traffic between PCs, DNS server, and DHCP server in your example).  The reason for this is that such traffic will never traverse the router as it remains on the local subnet (never gets sent to the default gateway because a local device responds to the ARP request).

That said, assuming your PC VLAN is 10, server1 VLAN is 100, and server2 VLAN is 200, the attached code accomplishes what you are after.

Note that this accomplishes *exactly* what you specified.  Hosts 192.168.1.1-5 may access 10.10.10.10 and anything else on the 192.168.1.0 network, but nothing else, not the Internet, not server2, not anything else within your network.  And everything else on the 192.168.1.0 network except .1-.5 (assuming that segment to be a /24), has full access to the world.

If this is not the desired behavior, you could add some specificity, and we can modify the ACL accordingly.

HTH

kr
ip access-list extended VLAN10_IN
 permit ip host 192.168.1.1 host 10.10.10.10
 permit ip 192.168.1.2 0.0.0.1 host 10.10.10.10
 permit ip 192.168.1.4 0.0.0.1 host 10.10.10.10
 remark hosts .1-.5 get nothing beyond server1; these denies must precede the
 remark subnet-wide permit, otherwise .1-.5 would match it and have full access
 deny ip host 192.168.1.1 any
 deny ip 192.168.1.2 0.0.0.1 any
 deny ip 192.168.1.4 0.0.0.1 any
 permit ip 192.168.1.0 0.0.0.255 any

interface vlan10
 ip access-group VLAN10_IN in

LVL 4
Expert Comment by:CCIE8122
oops, line 8 should have been:

ip access-group VLAN10_IN in
LVL 1
Author Comment by:workcover
Thanks very much for your help. I may not have been specific, but there was no gateway involved in this scenario. I just wanted the switch to perform the ACL function...
LVL 1
Author Comment by:workcover
Will I need to have a L3 switch?
LVL 1
Author Comment by:workcover
Sorry for the multiple responses, but I would like to clarify this a little more. The group of PCs will need to access 3 servers and be blocked from one specifically.

PCs 192.168.30.1-5 255.255.255.0

access to:
ADC1 - 192.168.1.1 - DHCP, DNS
ADC2 - 192.168.1.10 - DHCP, DNS
SVR1 - 192.168.1.100 - MAPPED DRIVE

DENY
SVR2 - 192.168.1.200 - NO ACCESS

thanks again.

LVL 4
Expert Comment by:CCIE8122
Only way to do this is at layer three.  A layer-two switch will not even examine the IP header when forwarding frames.  Even if it could, you wouldn't want to, as it would degrade performance on the switch.

Really the only way to do this in the network is to put SVR2 on a different VLAN and control access with an ACL on the router/switch that routes between the two VLANs.  But from the sound of things, that is going to cost you money.  The other option is to put some sort of software firewall that will filter by IP address on SVR2 and control access that way.  Problem with that is it adds extra load to SVR2's proc.

Sorry this is not the answer you wanted.

HTH

kr
LVL 1
Author Comment by:workcover
Can I not deny access specifically to 192.168.1.200 after placing an access list on the switch? I can change the PCs to a different network if required, like 10.10.10.1?? No easy answer?
LVL 4
Expert Comment by:CCIE8122
The problem is that a layer-two switch is not going to inspect layer-three protocol headers, and therefore cannot filter traffic on that criteria.  The only way to filter by layer-three protocol header is with a device at layer three (router or layer-three switch) that lies *between* the two devices -- in this case a router would need to be between the PCs and SVR2.

As I am looking at your post with the address detail, it looks like you are stating the PCs are in fact on a different layer-three network than SVR2 (192.168.30.0/24 instead of 192.168.1.0/24 as you originally indicated).  Is that the case?

If indeed SVR2 is on a different network than the PCs, you must have some sort of router/layer-three device routing between 192.168.1.0/24 and 192.168.30.0/24.  If that is truly the case, then filtering by IP address should be no problem.  Just modify the code above and you are good to go.  If you want to verify the addresses of all devices and the physical topology and post them, I can give you a more exact config.

If on the other hand the devices are all on the same network, you cannot filter by IP address.  I suppose you could determine the MAC addresses of the PCs and try a layer-two ACL on the switchport that connects to SVR2, but that would be kind of nasty, and it wouldn't filter out broadcast traffic sourced by SVR2 (i.e., the PCs would still see bcast/mcast traffic from SVR2).
LVL 1
Author Comment by:workcover
Thanks for the reply. The only part of the network that does not exist is the 5 PCs. Currently there is a full-blown network in place with router, Cat 6000s etc. running a whole collection of VLANs. I want to add these 5 PCs on whatever network and block them from SVR2, while accessing the other 3 freely.

As these PCs will have very little use, my topology will have a switch (Layer 3 I guess) running from one of the Cat6K's gig uplinks.
LVL 4
Accepted Solution by:CCIE8122 (earned 100 total points)
Yeah, so I would trunk from the 3500 to the 6k, leave the 3500 as a layer-two switch only, create the layer-three PC VLAN on the 6k, and ACL that VLAN as necessary (sample config below).  Then you just assign the PCs to the VLAN (in my example, VLAN 30) on any switch, and they will be denied access to 192.168.1.200, but allowed to everything else.

HTH

kr
vlan 30
 name PC_LAN

ip access-list extended VLAN30_IN
 deny ip host 192.168.30.1 host 192.168.1.200
 deny ip 192.168.30.2 0.0.0.1 host 192.168.1.200
 deny ip 192.168.30.4 0.0.0.1 host 192.168.1.200
 remark the five PCs are allowed everything other than SVR2; these permits must
 remark sit before the subnet-wide deny or the PCs would be denied all traffic
 permit ip host 192.168.30.1 any
 permit ip 192.168.30.2 0.0.0.1 any
 permit ip 192.168.30.4 0.0.0.1 any
 deny ip 192.168.30.0 0.0.0.255 any
 permit ip any any

interface vlan30
 ip access-group VLAN30_IN in

0
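To check what a list like VLAN30_IN actually does before it goes on the 6k, here is an added Python model of IOS first-match ACL evaluation with wildcard masks (example code, not from the thread or from Cisco); the list it evaluates includes permit entries for the five PCs ahead of the subnet-wide deny, which the stated behaviour (denied to .200, allowed everywhere else) requires. The helper names `parse_acl`, `wildcard_match` and `evaluate` are this example's own.

```python
import ipaddress

# Constructed copy of the VLAN30_IN list, with permit entries for the five PCs
# placed ahead of the subnet-wide deny so they can reach everything except SVR2.
VLAN30_IN = """
 deny ip host 192.168.30.1 host 192.168.1.200
 deny ip 192.168.30.2 0.0.0.1 host 192.168.1.200
 deny ip 192.168.30.4 0.0.0.1 host 192.168.1.200
 permit ip host 192.168.30.1 any
 permit ip 192.168.30.2 0.0.0.1 any
 permit ip 192.168.30.4 0.0.0.1 any
 deny ip 192.168.30.0 0.0.0.255 any
 permit ip any any
"""

def _side(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD'); return (base, wildcard), rest."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Turn 'permit|deny ip <src> <dst>' lines into ordered (action, src, dst) entries."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] not in ("permit", "deny") or tok[1] != "ip":
            raise ValueError("unsupported entry: " + line)
        src, rest = _side(tok[2:])
        dst, _ = _side(rest)
        entries.append((tok[0], src, dst))
    return entries

def wildcard_match(addr, spec):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    base, wild = spec
    keep = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(base)) & keep)

def evaluate(acl, src, dst):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for action, s, d in acl:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(VLAN30_IN)
    for src, dst in [("192.168.30.3", "192.168.1.200"), ("192.168.30.3", "192.168.1.100"),
                     ("192.168.30.77", "192.168.1.100")]:
        print(src, "->", dst, evaluate(acl, src, dst))
```

Removing the three permit entries from the string and re-running shows the PCs falling through to the subnet-wide deny, which is the ordering mistake this check is meant to catch.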
LVL 4
Expert Comment by:CCIE8122
Note, it is probably obvious, but just in case . . . that config sample would be on the 6k.
LVL 1
Author Closing Comment by:workcover
I have not implemented this, however this is a good base to start from.
LVL 1
Author Comment by:workcover
Thanks very much, I will keep you posted.