Solved

VLAN ACL Configuration Help.

Posted on 2008-09-30
4
878 Views
Last Modified: 2012-05-05
I have a Cisco 4503 switch with Catalyst 2960G attached to it.  I also have 2 different VLAN's that I want to use ACL's to control traffic.  

Server VLAN 10
Client Computer VLAN 15

I want to allow VLAN 15 access to the VLAN 10 with access to only the following ports (TCP and UDP): 80, 443, 53, 3389, 1494, 135 - 139
*ANY access to IP 10.0.0.4
*LDAP access to IP 10.0.0.2
*LDAP access to IP 10.0.0.5
*Kerberos access to IP 10.0.0.2
*Kerberos access to IP 10.0.0.5

I'm not sure what commands to use to create this config.  Thanks for the help!
0
Comment
Question by:SihleIns
  • 3
4 Comments
 
LVL 33

Accepted Solution

by:
MikeKane earned 250 total points
ID: 22606073



On VLAN 10 add:  

ip access-group 100 in



And the access group would look like

access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 80
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 443
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 53
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 3389
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 1494
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 135
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 136
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 137
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 138
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 139

access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 80
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 443
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 53
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 3389
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 1494
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 135
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 136
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 137
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 138
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 139



For the rest of these, I assumed the IP's were hosts in the VLAN 10 server subnet.  

access-list 100 permit ip any host 10.0.0.4

Note: Ldap uses 636 or 389 depending on whether or not its a secure channel
access-list 100 permit tcp any host 10.0.0.2 eq 636
access-list 100 permit tcp any host 10.0.0.5 eq 636
access-list 100 permit tcp any host 10.0.0.2 eq 389
access-list 100 permit tcp any host 10.0.0.5 eq 389

Note: according to http://support.microsoft.com/kb/832017   Kerberos requires tcp udp 88
access-list 100 permit tcp any host 10.0.0.2 eq 88
access-list 100 permit tcp any host 10.0.0.5 eq 88

access-list 100 permit udp any host 10.0.0.2 eq 88
access-list 100 permit udp any host 10.0.0.5 eq 88





And I think that would cover it.    


access-list 100 permit ip
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 22606087
Opps - I left that last line in there - you dont need it.  
access-list 100 permit ip
0
 

Author Closing Comment

by:SihleIns
ID: 31501542
Thanks for your help.  I would assume that there is always a deny all at the end which means I would have to add these same commands to the ACL for additonal VLAN to have to VLAN 10.  Is that correct?  email me back at WPlotkin@Sihle.com
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 22606526
This is filtering inbound to vlan 10 so you would need to add new lines if you had additonal subnet to allow into vlan 10.....
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now