Cisco 3750 Vlan access-list questions

I'm trying to set up an Access-list on our core 3750 switch stack that will segment one vlan traffic from all of our other vlans. The thing that is confusing me is how to segregate traffic between this VLAN but allow DHCP and DNS into the VLAN that I want to segregate. Hopefully that made sense.

VLAN 1 has my DNS and DHCP servers
VLAN 3 is the VLAN that I want to separate

I'll paste my show run of my vlan setup. I didn't include my access-list output because I think that I will be better off starting over fresh.
interface Vlan1
 ip address 10.16.48.11 255.255.254.0
!
interface Vlan2
 ip address 10.16.46.1 255.255.255.0
 ip helper-address 10.16.48.34
!
interface Vlan3
 description Public Vlan
 ip address 10.16.45.1 255.255.255.0
 ip helper-address 10.16.48.34
!
interface Vlan4
 ip address 10.16.52.1 255.255.254.0
 ip helper-address 10.16.48.34
!
interface Vlan5
 ip address 10.16.54.1 255.255.255.0
 ip helper-address 10.16.48.34
!
interface Vlan6
 description Test VLAN
 ip address 10.16.55.1 255.255.255.0
 ip helper-address 10.16.48.34
!
interface Vlan101
 ip address 10.16.50.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.16.48.41
ip http server
ip http authentication local
ip http secure-server
!

governor_arnoldAsked:

Don JohnstonInstructorCommented:
>VLAN 3 is the VLAN that I want to separate

Separate from what? Or put another way, what should VLAN 3 be able to access?

0
governor_arnoldAuthor Commented:
I want vlan 3 to be able to access the internet and nothing else. I don't want VLAN 3 to be able to access any of the computers or devices located on the other VLANs.
0
Don JohnstonInstructorCommented:
The following ACL will prevent VLAN 3 from communicating with 2, 4, 5, 6 and 101. All other destinations will be allowed.


access-list 1 deny 10.16.46.0 0.0.0.255
access-list 1 deny 10.16.52.0 0.0.1.255
access-list 1 deny 10.16.54.0 0.0.1.255
access-list 1 deny 10.16.50.0 0.0.0.255
access-list 1 permit any
int vlan 3
 ip access-group 1 out


0
governor_arnoldAuthor Commented:
Is there any way for me to block traffic to vlan 1 but allow DHCP, DNS port 80 and port 443 traffic to make it through?

0
Don JohnstonInstructorCommented:
Yes, but it will require an extended ACL.

access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq 53
access-list 101 permit udp any 10.16.48.0 0.0.1.255 eq 53
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq 80
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq 443
access-list 101 deny ip any 10.16.46.0 0.0.0.255
access-list 101 deny ip any 10.16.52.0 0.0.1.255
access-list 101 deny ip any 10.16.54.0 0.0.1.255
access-list 101 deny ip any 10.16.50.0 0.0.0.255
access-list 101 permit ip any any
 
int vlan 3
 ip access-group 101 in


0
governor_arnoldAuthor Commented:
Thanks for your quick responses donjohnston!

I added your list to my switch and for some reason I can still access all of VLAN 1 from VLAN 3. Access to the other VLANs is denied. This is my new show run output:
!
interface Vlan1
 ip address 10.16.48.11 255.255.254.0
!
interface Vlan2
 ip address 10.16.46.1 255.255.255.0
 ip helper-address 10.16.48.34
!
interface Vlan3
 ip address 10.16.45.1 255.255.255.0
 ip access-group 101 in
 ip helper-address 10.16.48.34
!
interface Vlan4
 ip address 10.16.52.1 255.255.254.0
 ip helper-address 10.16.48.34
!
interface Vlan5
 ip address 10.16.54.1 255.255.255.0
 ip helper-address 10.16.48.34
!
interface Vlan6
 ip address 10.16.55.1 255.255.255.0
 ip helper-address 10.16.48.34
!
interface Vlan101
 ip address 10.16.50.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.16.48.41
ip http server
ip http authentication local
ip http secure-server
!
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq domain
access-list 101 permit udp any 10.16.48.0 0.0.1.255 eq domain
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq www
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq 443
access-list 101 deny   ip any 10.16.46.0 0.0.0.255
access-list 101 deny   ip any 10.16.52.0 0.0.1.255
access-list 101 deny   ip any 10.16.54.0 0.0.1.255
access-list 101 deny   ip any 10.16.50.0 0.0.0.255
access-list 101 permit ip any any


0
decoleurCommented:
You need to add a deny for VLAN 1 in access-list 101:
access-list 101 deny ip any 10.16.48.0 0.0.1.255

making the whole ACL look like:
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq domain
access-list 101 permit udp any 10.16.48.0 0.0.1.255 eq domain
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq www
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq 443
access-list 101 deny   ip any 10.16.46.0 0.0.0.255
access-list 101 deny ip any 10.16.48.0 0.0.1.255
access-list 101 deny   ip any 10.16.52.0 0.0.1.255
access-list 101 deny   ip any 10.16.54.0 0.0.1.255
access-list 101 deny   ip any 10.16.50.0 0.0.0.255
access-list 101 permit ip any any

hope this helps,

-t
0
Don JohnstonInstructorCommented:
>I added your list to my switch and for some reason I can still access all of VLAN 1 from VLAN 3

What (specifically) are you able to do that you shouldn't?
0
decoleurCommented:
donjohnston-

the requirement was to only allow dns and web access to vlan 1 which you allowed with your initial permit statements, but you do not block the rest to that vlan with the permit ip any any at the end.

does that make sense?

-t
0
governor_arnoldAuthor Commented:
So it should look like this?
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq domain
access-list 101 permit udp any 10.16.48.0 0.0.1.255 eq domain
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq www
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq 443
access-list 101 deny   ip any 10.16.46.0 0.0.0.255
access-list 101 deny   ip any 10.16.48.0 0.0.1.255
access-list 101 deny   ip any 10.16.52.0 0.0.1.255
access-list 101 deny   ip any 10.16.54.0 0.0.1.255
access-list 101 deny   ip any 10.16.50.0 0.0.0.255
int vlan 3
 ip access-group 1 out


0
Don JohnstonInstructorCommented:
Yep. Missed the "deny ip any 10.16.48.0 0.0.1.255"
0
governor_arnoldAuthor Commented:
"deny ip any 10.16.48.0 0.0.1.255" worked to block traffic to VLAN 1, but now I have a different problem. The client that I'm testing in VLAN 3 is getting a DHCP IP address just fine, but DNS isn't working. When I try to do an NSLOOKUP I get the message:

"***Default servers are not available
Server: Unknown
Address: 10.16.48.17"

I also can't access websites by their IP address.

It seems like my eq statements are being ignored?
0
Don JohnstonInstructorCommented:
Your ACL is applied outbound. It should be inbound.

I didn't notice you changed that.
0
governor_arnoldAuthor Commented:
OK, so I switched it back to inbound and now I lost my DHCP. I tried adding the lines:
"access-list 101 permit udp any 10.16.48.0 0.0.1.255 eq bootps" and
"access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq 67"
but that didn't help me get an address.

0
Don JohnstonInstructorCommented:
Yeah, that's another one I overlooked.

You have to remember that the DHCP request starts out as a broadcast. So you can either add a line

access-list 101 permit udp any 255.255.255.255 0.0.0.0 eq bootps

or

change the existing line with

access-list 101 permit udp any any eq bootps

0

governor_arnoldAuthor Commented:
The DHCP and DNS are working just fine, but I couldn't view webpages until I changed the WWW and 443 lines to:
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443

0
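Added example, not from the thread: a small Python model of how IOS walks an extended ACL top to bottom with first-match semantics and Cisco wildcard masks, loaded with the final working list assembled from donjohnston's DHCP fix and governor_arnold's last change to the www/443 lines. Assumptions: the list is the inbound ACL on VLAN 3, `eq 67` stands for bootps, and the sample source/destination addresses are constructed from the subnets shown in the thread.

```python
import ipaddress

# Constructed copy of the thread's final inbound ACL on VLAN 3, one ACE per line:
# DHCP broadcast, DNS to VLAN 1, web anywhere, per-VLAN denies, then permit any.
ACL_101 = """
permit udp any any eq 67
permit tcp any 10.16.48.0 0.0.1.255 eq 53
permit udp any 10.16.48.0 0.0.1.255 eq 53
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any 10.16.46.0 0.0.0.255
deny ip any 10.16.48.0 0.0.1.255
deny ip any 10.16.52.0 0.0.1.255
deny ip any 10.16.54.0 0.0.1.255
deny ip any 10.16.50.0 0.0.0.255
permit ip any any
"""

def ip2int(s):
    return int(ipaddress.IPv4Address(s))

def match_addr(addr, base, wildcard):
    """Cisco wildcard mask: 1 bits are 'don't care'; compare only the 0 bits."""
    if base == "any":
        return True
    keep = 0xFFFFFFFF ^ ip2int(wildcard)
    return ip2int(addr) & keep == ip2int(base) & keep

def parse_acl(text):
    """Tokenise 'action proto src [wc] dst [wc] [eq port]' lines into tuples."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        src = tok.pop(0)
        swc = tok.pop(0) if src != "any" else "0.0.0.0"   # 'any' carries no mask
        dst = tok.pop(0)
        dwc = tok.pop(0) if dst != "any" else "0.0.0.0"
        port = int(tok[1]) if tok and tok[0] == "eq" else None  # destination port
        aces.append((action, proto, src, swc, dst, dwc, port))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """IOS semantics: first matching ACE wins; no match hits the implicit deny."""
    for n, (action, p, s, swc, d, dwc, port) in enumerate(aces, 1):
        if (p in ("ip", proto) and match_addr(src, s, swc)
                and match_addr(dst, d, dwc) and port in (None, dport)):
            return action, n          # n = position of the ACE that decided it
    return "deny", None               # implicit deny at the end of every ACL
```

Feeding it a DHCP discover, a DNS query, an HTTPS request and an SMB attempt to the VLAN 1 servers shows why the `deny ip any 10.16.48.0 0.0.1.255` line had to sit below the permits but above `permit ip any any`, and why `0.0.1.255` on 10.16.54.0 also covers VLAN 6.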
governor_arnoldAuthor Commented:
Thanks for all your help on this one experts. You saved me from a lot of headaches and frustration. I appreciate what you mean to the community.
0