Solved

VLAN ACL Configuration Help.

Posted on 2008-09-30
Last Modified: 2012-05-05
I have a Cisco 4503 switch with a Catalyst 2960G attached to it. I also have 2 different VLANs for which I want to use ACLs to control traffic.

Server VLAN 10
Client Computer VLAN 15

I want to allow VLAN 15 access to the VLAN 10 with access to only the following ports (TCP and UDP): 80, 443, 53, 3389, 1494, 135 - 139
*ANY access to IP 10.0.0.4
*LDAP access to IP 10.0.0.2
*LDAP access to IP 10.0.0.5
*Kerberos access to IP 10.0.0.2
*Kerberos access to IP 10.0.0.5

I'm not sure what commands to use to create this config.  Thanks for the help!
Question by:SihleIns

Accepted Solution

by:
MikeKane earned 1000 total points
ID: 22606073



On VLAN 10 add:  

ip access-group 100 in



And the access group would look like

access-list 100 permit tcp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 80
access-list 100 permit tcp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 443
access-list 100 permit tcp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 53
access-list 100 permit tcp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 3389
access-list 100 permit tcp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 1494
access-list 100 permit tcp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 135
access-list 100 permit tcp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 136
access-list 100 permit tcp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 137
access-list 100 permit tcp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 138
access-list 100 permit tcp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 139

access-list 100 permit udp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 80
access-list 100 permit udp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 443
access-list 100 permit udp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 53
access-list 100 permit udp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 3389
access-list 100 permit udp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 1494
access-list 100 permit udp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 135
access-list 100 permit udp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 136
access-list 100 permit udp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 137
access-list 100 permit udp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 138
access-list 100 permit udp <IP subnet of VLAN 15> <mask> <IP subnet of VLAN 10> <mask> eq 139



For the rest of these, I assumed the IPs were hosts in the VLAN 10 server subnet.

access-list 100 permit ip any host 10.0.0.4

Note: LDAP uses 636 or 389 depending on whether or not it's a secure channel
access-list 100 permit tcp any host 10.0.0.2 eq 636
access-list 100 permit tcp any host 10.0.0.5 eq 636
access-list 100 permit tcp any host 10.0.0.2 eq 389
access-list 100 permit tcp any host 10.0.0.5 eq 389

Note: according to http://support.microsoft.com/kb/832017 Kerberos requires TCP and UDP 88
access-list 100 permit tcp any host 10.0.0.2 eq 88
access-list 100 permit tcp any host 10.0.0.5 eq 88

access-list 100 permit udp any host 10.0.0.2 eq 88
access-list 100 permit udp any host 10.0.0.5 eq 88





And I think that would cover it.    


access-list 100 permit ip

Expert Comment

by:MikeKane
ID: 22606087
Oops - I left that last line in there - you don't need it.
access-list 100 permit ip

Author Closing Comment

by:SihleIns
ID: 31501542
Thanks for your help.  I would assume that there is always a deny all at the end, which means I would have to add these same commands to the ACL for an additional VLAN to have access to VLAN 10.  Is that correct?  Email me back at WPlotkin@Sihle.com

Expert Comment

by:MikeKane
ID: 22606526
This is filtering inbound to VLAN 10, so you would need to add new lines if you had an additional subnet to allow into VLAN 10.
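
The first-match and implicit-deny behaviour discussed in this thread, as an added example (not code from any poster): a small Python evaluator run over the ACL entries from the accepted answer. The VLAN 15 and VLAN 10 subnets (10.0.15.0/24 and 10.0.0.0/24), the second client subnet 10.0.20.0/24 and the wildcard-mask form used for the `<mask>` placeholders are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumptions): VLAN 15 = 10.0.15.0/24, VLAN 10 = 10.0.0.0/24.
V15, V10 = "10.0.15.0 0.0.0.255", "10.0.0.0 0.0.0.255"

def build_acl():
    """Fill the answer's placeholders with the constructed subnets, same entry order."""
    lines = [f"access-list 100 permit {proto} {V15} {V10} eq {port}"
             for proto in ("tcp", "udp")
             for port in (80, 443, 53, 3389, 1494, 135, 136, 137, 138, 139)]
    lines.append("access-list 100 permit ip any host 10.0.0.4")
    lines += [f"access-list 100 permit tcp any host {h} eq {p}"
              for p in (636, 389, 88) for h in ("10.0.0.2", "10.0.0.5")]
    lines += [f"access-list 100 permit udp any host {h} eq 88" for h in ("10.0.0.2", "10.0.0.5")]
    return lines

def _addr(tok):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(ipaddress.IPv4Address(tok[1])), 0), tok[2:]
    return (int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1]))), tok[2:]

def parse(line):
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, rest = _addr(tok[4:])
    dst, rest = _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def _hit(spec, ip):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must match.
    return (int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF == 0

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for n, line in enumerate(acl, 1):
        action, p, s, d, port = parse(line)
        if p in ("ip", proto) and _hit(s, src) and _hit(d, dst) and port in (None, dport):
            return action, n
    return "deny", None

if __name__ == "__main__":
    acl = build_acl()
    for pkt in [("tcp", "10.0.15.20", "10.0.0.9", 443), ("tcp", "10.0.20.7", "10.0.0.9", 443)]:
        print(pkt, evaluate(acl, *pkt))
```

The host entries use `any` as the source, so they match traffic from every subnet that reaches this ACL, not only VLAN 15; a second client VLAN is stopped by the implicit deny only for the subnet-scoped port entries.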