Solved

I need help building ACLs to control traffic between VLANs ...

Posted on 2008-06-16
4
298 Views
Last Modified: 2008-09-06
Hello all,

I'm completely new to building ACLs on a Catalyst switch.  That said, I have experience doing so on the PIX platform so I have some understanding of concepts, etc.

Here is what I'm trying to do:
There are two VLANs in question -
the first can be considered the "main" vlan (id = 2, subnet 192.168.50.x) where all the clients and some servers live.
the second can be considered the "web" vlan (id = 3, subnet 192.168.51.x) where all our web servers live.

Right now, since IP Routing is enabled on the switch, these two VLANs can talk to each other.  I need to be able to limit this like so:

No one from the Main vlan should be able to talk to anyone in the Web vlan unless it's FTP or RDP.
No one from the Web vlan should be able to talk to anyone in Main vlan except our DB server on port 1433 only.

Does that make sense?  Many thanks for any help you folks can provide ...
Question by:ustda
4 Comments
 
LVL 7

Expert Comment

by:mabutterfield
ID: 21795695
Something similar to this should work.  (check for typos, and apply access-list numbers as you like)

access-list 100 permit tcp 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255 eq 20
access-list 100 permit tcp 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255 eq 21
access-list 100 permit tcp 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255 eq 3389
access-list 100 deny ip 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 100 permit ip any any

access-list 101 permit tcp 192.168.51.0 0.0.0.255 192.168.50.0 0.0.0.255 eq 1433
access-list 101 deny ip 192.168.51.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip any any

! ACL 100 filters traffic entering the switch from the Main VLAN (id 2);
! ACL 101 filters traffic entering from the Web VLAN (id 3).
interface vlan 2
 ip access-group 100 in

interface vlan 3
 ip access-group 101 in


Author Comment

by:ustda
ID: 21795839
This is great, thanks mabutterfield!  One question though - how come you end each list with the permit ip any any statement?

Given that it's below the deny statement, nothing would ever get that far, right?
LVL 7

Accepted Solution

by: mabutterfield (earned 250 total points)
ID: 21795896
access list 100 line:

1 permit internal to web ftp
2 permit internal to web ftp
3 permit internal to web rdp
4 prevents all other traffic to web network FROM internal
5 allow all other traffic (outbound to internet, etc)

access list 101 line:

1 allow web to access SQL
2 prevent web from accessing internal
3 allow web outbound to internet / rest of world

you could also add (before the deny lines)
access-list 100 permit icmp 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255
which would allow icmp (ping) traffic.

You could also tighten down the acls more by restricting them to hosts.  I would recommend changing access list 101 line 1 to:

access-list 101 permit tcp 192.168.51.0 0.0.0.255 host <ip of SQL server> eq 1433

This would prevent the web server from accessing database servers that it's not authorized for.




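The evaluation order described in the two expert comments above (entries tried top to bottom, first match wins, an implicit deny at the end, hence the trailing permit ip any any so Main and Web can still reach the Internet) can be checked offline. The following is an added example, not code from the thread or from Cisco: a small simulator of IOS extended-ACL matching with Cisco wildcard masks, run over the two lists from the answer with the access-list keyword spelled as IOS expects. The DB server address 192.168.50.10 and the client/web/Internet hosts used in the checks are constructed sample values, not from the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def _ip_int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

@dataclass(frozen=True)
class AddrMatch:
    """Cisco address/wildcard pair: a 1 bit in the wildcard means 'don't care'."""
    addr: int
    wildcard: int

    def matches(self, ip: str) -> bool:
        return (_ip_int(ip) ^ self.addr) & ~self.wildcard & 0xFFFFFFFF == 0

@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp" or "icmp"
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int]  # destination port from "eq N"; None means any port

def _parse_addr(tok: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Parse `any`, `host A.B.C.D` or `A.B.C.D WILDCARD` at tok[i]; return match and next index."""
    if tok[i] == "any":
        return AddrMatch(0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return AddrMatch(_ip_int(tok[i + 1]), 0), i + 2
    return AddrMatch(_ip_int(tok[i]), _ip_int(tok[i + 1])), i + 2

def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Parse `access-list N permit|deny PROTO SRC DST [eq PORT]` lines, preserving order per list."""
    acls: Dict[str, List[Ace]] = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue                      # blank line or not an ACE
        number, action, proto = tok[1], tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        acls.setdefault(number, []).append(Ace(action, proto, src, dst, dport))
    return acls

def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """IOS semantics: entries are tried top-down, the first match decides,
    and a packet matching no entry hits the implicit `deny ip any any`."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (ace.src.matches(src) and ace.dst.matches(dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"

# The two lists from the answer, with the `access-list` keyword spelled as IOS
# expects.  192.168.50.10 stands in for the DB server (constructed address).
ACL_CONFIG = """
access-list 100 permit tcp 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255 eq 20
access-list 100 permit tcp 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255 eq 21
access-list 100 permit tcp 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255 eq 3389
access-list 100 deny ip 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit tcp 192.168.51.0 0.0.0.255 host 192.168.50.10 eq 1433
access-list 101 deny ip 192.168.51.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip any any
"""
ACLS = parse_acls(ACL_CONFIG)

def check_policy() -> Dict[str, str]:
    """Verdict for each flow the question cares about (constructed sample hosts)."""
    a100, a101 = ACLS["100"], ACLS["101"]
    return {
        "main->web rdp":        evaluate(a100, "tcp", "192.168.50.20", "192.168.51.5", 3389),
        "main->web http":       evaluate(a100, "tcp", "192.168.50.20", "192.168.51.5", 80),
        "main->web ping":       evaluate(a100, "icmp", "192.168.50.20", "192.168.51.5"),
        "main->internet https": evaluate(a100, "tcp", "192.168.50.20", "203.0.113.7", 443),
        "web->db sql":          evaluate(a101, "tcp", "192.168.51.5", "192.168.50.10", 1433),
        "web->other host sql":  evaluate(a101, "tcp", "192.168.51.5", "192.168.50.11", 1433),
        "web->main rdp":        evaluate(a101, "tcp", "192.168.51.5", "192.168.50.20", 3389),
        "web->internet http":   evaluate(a101, "tcp", "192.168.51.5", "203.0.113.7", 80),
    }

def without_final_permit() -> str:
    """What happens to Main-to-Internet traffic if `permit ip any any` is left off ACL 100."""
    return evaluate(ACLS["100"][:-1], "tcp", "192.168.50.20", "203.0.113.7", 443)

if __name__ == "__main__":
    for flow, verdict in check_policy().items():
        print(f"{flow:22s} {verdict}")
    print("main->internet without the final permit:", without_final_permit())
```

Running it shows the point of the asker's follow-up question: the deny lines only cover Main-to-Web (or Web-to-Main) traffic, so a Main client talking to an Internet address never matches them and falls through to the final permit; drop that permit and the same flow is silently dropped by the implicit deny. The host-restricted line for the SQL server also shows up as "deny" for a second 192.168.50.x host on 1433, which is the tightening the accepted answer recommends.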

Author Comment

by:ustda
ID: 21795962
This is perfect - thanks a million mabutterfield, it all makes sense.
