Solved

VLAN ACL Configuration Help.

Posted on 2008-09-30
4
882 Views
Last Modified: 2012-05-05
I have a Cisco 4503 switch with Catalyst 2960G attached to it.  I also have 2 different VLAN's that I want to use ACL's to control traffic.  

Server VLAN 10
Client Computer VLAN 15

I want to allow VLAN 15 access to the VLAN 10 with access to only the following ports (TCP and UDP): 80, 443, 53, 3389, 1494, 135 - 139
*ANY access to IP 10.0.0.4
*LDAP access to IP 10.0.0.2
*LDAP access to IP 10.0.0.5
*Kerberos access to IP 10.0.0.2
*Kerberos access to IP 10.0.0.5

I'm not sure what commands to use to create this config.  Thanks for the help!
0
Comment
Question by:SihleIns
  • 3
4 Comments
 
LVL 33

Accepted Solution

by:
MikeKane earned 250 total points
ID: 22606073



On VLAN 10 add:  

ip access-group 100 in



And the access group would look like

access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 80
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 443
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 53
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 3389
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 1494
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 135
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 136
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 137
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 138
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 139

access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 80
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 443
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 53
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 3389
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 1494
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 135
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 136
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 137
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 138
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 139



For the rest of these, I assumed the IP's were hosts in the VLAN 10 server subnet.  

access-list 100 permit ip any host 10.0.0.4

Note: Ldap uses 636 or 389 depending on whether or not its a secure channel
access-list 100 permit tcp any host 10.0.0.2 eq 636
access-list 100 permit tcp any host 10.0.0.5 eq 636
access-list 100 permit tcp any host 10.0.0.2 eq 389
access-list 100 permit tcp any host 10.0.0.5 eq 389

Note: according to http://support.microsoft.com/kb/832017   Kerberos requires tcp udp 88
access-list 100 permit tcp any host 10.0.0.2 eq 88
access-list 100 permit tcp any host 10.0.0.5 eq 88

access-list 100 permit udp any host 10.0.0.2 eq 88
access-list 100 permit udp any host 10.0.0.5 eq 88





And I think that would cover it.    


access-list 100 permit ip
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 22606087
Opps - I left that last line in there - you dont need it.  
access-list 100 permit ip
0
 

Author Closing Comment

by:SihleIns
ID: 31501542
Thanks for your help.  I would assume that there is always a deny all at the end which means I would have to add these same commands to the ACL for additonal VLAN to have to VLAN 10.  Is that correct?  email me back at WPlotkin@Sihle.com
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 22606526
This is filtering inbound to vlan 10 so you would need to add new lines if you had additonal subnet to allow into vlan 10.....
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question