Solved

VLAN ACL Configuration Help.

Posted on 2008-09-30
Last Modified: 2012-05-05
I have a Cisco 4503 switch with a Catalyst 2960G attached to it. I also have 2 different VLANs that I want to use ACLs to control traffic between.

Server VLAN 10
Client Computer VLAN 15

I want to allow VLAN 15 access to VLAN 10 with access to only the following ports (TCP and UDP): 80, 443, 53, 3389, 1494, 135 - 139
*ANY access to IP 10.0.0.4
*LDAP access to IP 10.0.0.2
*LDAP access to IP 10.0.0.5
*Kerberos access to IP 10.0.0.2
*Kerberos access to IP 10.0.0.5

I'm not sure what commands to use to create this config. Thanks for the help!
Question by:SihleIns
LVL 33

Accepted Solution

by: MikeKane earned 250 total points
ID: 22606073



On VLAN 10 add:  

ip access-group 100 in



And the access group would look like

! <wildcard> is the inverse (wildcard) mask of the subnet, e.g. 0.0.0.255 for a /24
access-list 100 permit tcp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 80
access-list 100 permit tcp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 443
access-list 100 permit tcp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 53
access-list 100 permit tcp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 3389
access-list 100 permit tcp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 1494
access-list 100 permit tcp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 135
access-list 100 permit tcp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 136
access-list 100 permit tcp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 137
access-list 100 permit tcp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 138
access-list 100 permit tcp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 139

access-list 100 permit udp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 80
access-list 100 permit udp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 443
access-list 100 permit udp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 53
access-list 100 permit udp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 3389
access-list 100 permit udp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 1494
access-list 100 permit udp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 135
access-list 100 permit udp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 136
access-list 100 permit udp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 137
access-list 100 permit udp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 138
access-list 100 permit udp <vlan15-subnet> <wildcard> <vlan10-subnet> <wildcard> eq 139



For the rest of these, I assumed the IPs were hosts in the VLAN 10 server subnet.

access-list 100 permit ip any host 10.0.0.4

Note: LDAP uses 636 or 389 depending on whether or not it's a secure channel
access-list 100 permit tcp any host 10.0.0.2 eq 636
access-list 100 permit tcp any host 10.0.0.5 eq 636
access-list 100 permit tcp any host 10.0.0.2 eq 389
access-list 100 permit tcp any host 10.0.0.5 eq 389

Note: according to http://support.microsoft.com/kb/832017, Kerberos requires TCP and UDP 88
access-list 100 permit tcp any host 10.0.0.2 eq 88
access-list 100 permit tcp any host 10.0.0.5 eq 88

access-list 100 permit udp any host 10.0.0.2 eq 88
access-list 100 permit udp any host 10.0.0.5 eq 88

And I think that would cover it.


access-list 100 permit ip
LVL 33

Expert Comment

by:MikeKane
ID: 22606087
Oops - I left that last line in there - you don't need it.
access-list 100 permit ip

Author Closing Comment

by:SihleIns
ID: 31501542
Thanks for your help. I would assume that there is always a deny all at the end, which means I would have to add these same commands to the ACL for an additional VLAN to have access to VLAN 10. Is that correct? Email me back at WPlotkin@Sihle.com
LVL 33

Expert Comment

by:MikeKane
ID: 22606526
This is filtering inbound to VLAN 10, so you would need to add new lines if you had an additional subnet to allow into VLAN 10.
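To sanity-check an entry list like the accepted answer's before it goes on the switch, here is an added Python model (not from this thread, Cisco, or Experts Exchange) of numbered extended ACL semantics: wildcard-mask matching, first-match-wins ordering, and the implicit deny at the end that the closing comments ask about. The VLAN subnets 10.0.15.0/24 and 10.0.0.0/24 are assumptions; the hosts and ports are the ones from the thread.

```python
import ipaddress
# Constructed sample ACL in the thread's syntax. The VLAN subnets are assumptions
# (10.0.15.0/24 = VLAN 15 clients, 10.0.0.0/24 = VLAN 10 servers); hosts and ports
# come from the thread. Only the destination-port forms used there are parsed.
ACL_TEXT = """
access-list 100 permit tcp 10.0.15.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 80
access-list 100 permit tcp 10.0.15.0 0.0.0.255 10.0.0.0 0.0.0.255 range 135 139
access-list 100 permit udp 10.0.15.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 53
access-list 100 permit ip any host 10.0.0.4
access-list 100 permit tcp any host 10.0.0.2 eq 389
"""

def _addr(tok):
    """Pop one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tok.pop(0)))

def _ports(tok):
    if not tok:                        # no port spec: every destination port
        return 0, 65535
    op = tok.pop(0)
    if op not in ("eq", "range"):
        raise ValueError("unsupported port operator: " + op)
    lo = int(tok.pop(0))
    return lo, (int(tok.pop(0)) if op == "range" else lo)

def parse_acl(text):
    """One 'access-list N permit|deny PROTO SRC DST [PORTS]' entry per line."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        rest = tok[4:]                 # _addr/_ports consume tokens left to right
        rules.append((tok[2], tok[3], _addr(rest), _addr(rest), _ports(rest)))
    return rules

def _match(addr, spec):
    base, wild = spec                  # a 1 bit in the wildcard means "don't care"
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def evaluate(rules, proto, src, dst, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, p, s, d, (lo, hi) in rules:
        if p in ("ip", proto) and _match(src, s) and _match(dst, d) and lo <= dport <= hi:
            return action
    return "deny (implicit)"
```

The model covers only the entries, not where the list is applied: on a Cisco SVI, `ip access-group ... in` filters packets arriving from that VLAN's own hosts, so confirm which SVI and direction actually sees the VLAN 15-to-VLAN 10 traffic before relying on the list.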