governor_arnold
Cisco 3750 Vlan access-list questions
I'm trying to set up an Access-list on our core 3750 switch stack that will segment one vlan traffic from all of our other vlans. The thing that is confusing me is how to segregate traffic between this VLAN but allow DHCP and DNS into the VLAN that I want to segregate. Hopefully that made sense.
VLAN 1 has my DNS and DHCP servers
VLAN 3 is the VLAN that I want to separate
I'll paste my show run of my vlan setup. I didn't include my access-list output because I think that I will be better off starting over fresh.
interface Vlan1
ip address 10.16.48.11 255.255.254.0
!
interface Vlan2
ip address 10.16.46.1 255.255.255.0
ip helper-address 10.16.48.34
!
interface Vlan3
description Public Vlan
ip address 10.16.45.1 255.255.255.0
ip helper-address 10.16.48.34
!
interface Vlan4
ip address 10.16.52.1 255.255.254.0
ip helper-address 10.16.48.34
!
interface Vlan5
ip address 10.16.54.1 255.255.255.0
ip helper-address 10.16.48.34
!
interface Vlan6
description Test VLAN
ip address 10.16.55.1 255.255.255.0
ip helper-address 10.16.48.34
!
interface Vlan101
ip address 10.16.50.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.16.48.41
ip http server
ip http authentication local
ip http secure-server
!
ASKER
I want vlan 3 to be able to access the internet and nothing else. I don't want VLAN 3 to be able to access any of the computers or devices located on the other VLANs.
The following ACL will prevent VLAN 3 from communicating with 2, 4, 5, 6 and 101. All other destinations will be allowed.
access-list 1 deny 10.16.46.0 0.0.0.255
access-list 1 deny 10.16.52.0 0.0.1.255
access-list 1 deny 10.16.54.0 0.0.1.255
access-list 1 deny 10.16.50.0 0.0.0.255
access-list 1 permit any
int vlan 3
ip access-group 1 out
ASKER
Is there any way for me to block traffic to vlan 1 but allow DHCP, DNS port 80 and port 443 traffic to make it through?
SOLUTION
ASKER
Thanks for your quick responses donjohnston!
I added your list to my switch and for some reason I can still access all of VLAN 1 from VLAN 3. Access to the other VLANs is denied. This is my new show run output:
!
interface Vlan1
ip address 10.16.48.11 255.255.254.0
!
interface Vlan2
ip address 10.16.46.1 255.255.255.0
ip helper-address 10.16.48.34
!
interface Vlan3
ip address 10.16.45.1 255.255.255.0
ip access-group 101 in
ip helper-address 10.16.48.34
!
interface Vlan4
ip address 10.16.52.1 255.255.254.0
ip helper-address 10.16.48.34
!
interface Vlan5
ip address 10.16.54.1 255.255.255.0
ip helper-address 10.16.48.34
!
interface Vlan6
ip address 10.16.55.1 255.255.255.0
ip helper-address 10.16.48.34
!
interface Vlan101
ip address 10.16.50.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.16.48.41
ip http server
ip http authentication local
ip http secure-server
!
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq domain
access-list 101 permit udp any 10.16.48.0 0.0.1.255 eq domain
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq www
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq 443
access-list 101 deny ip any 10.16.46.0 0.0.0.255
access-list 101 deny ip any 10.16.52.0 0.0.1.255
access-list 101 deny ip any 10.16.54.0 0.0.1.255
access-list 101 deny ip any 10.16.50.0 0.0.0.255
access-list 101 permit ip any any
SOLUTION
>I added your list to my switch and for some reason I can still access all of VLAN 1 from VLAN 3
What (specifically) are you able to do that you shouldn't?
donjohnston-
The requirement was to only allow DNS and web access to VLAN 1, which you allowed with your initial permit statements, but you do not block the rest of the traffic to that VLAN with the permit ip any any at the end.
Does that make sense?
-t
ASKER
So it should look like this?
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq domain
access-list 101 permit udp any 10.16.48.0 0.0.1.255 eq domain
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq www
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq 443
access-list 101 deny ip any 10.16.46.0 0.0.0.255
access-list 101 deny ip any 10.16.48.0 0.0.1.255
access-list 101 deny ip any 10.16.52.0 0.0.1.255
access-list 101 deny ip any 10.16.54.0 0.0.1.255
access-list 101 deny ip any 10.16.50.0 0.0.0.255
int vlan 3
ip access-group 1 out
Yep. Missed the "deny ip any 10.16.48.0 0.0.1.255"
ASKER
"deny ip any 10.16.48.0 0.0.1.255" worked to block traffic to VLAN 1. But now I have a different problem. The client that I'm testing in VLAN 3 is getting a DHCP IP address just fine, but DNS isn't working. When I try to do an NSLOOKUP I get the message:
"***Default servers are not available
Server: Unknown
Address: 10.16.48.17"
I also can't access websites by their IP address either.
It seems like my eq statements are being ignored?
Your ACL is applied outbound. It should be inbound.
I didn't notice you changed that.
ASKER
OK, so I switched it back to inbound and now I've lost my DHCP. I tried adding the lines:
"access-list 101 permit udp any 10.16.48.0 0.0.1.255 eq bootps" and
"access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq 67"
but that didn't help me get an address.
ASKER CERTIFIED SOLUTION
ASKER
The DHCP and DNS are working just fine, but I couldn't view webpages until I changed the WWW and 443 lines to:
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
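An added example, not from the thread or from Cisco: a small Python evaluator of the IOS extended-ACL semantics used here (first match wins, wildcard masks, implicit deny), so the ACL assembled in this thread can be checked offline against constructed packets. It shows why a DHCP DISCOVER, sent from 0.0.0.0 to 255.255.255.255 and seen by the inbound ACL on the VLAN 3 SVI before ip helper-address relays it, never matches a bootps line restricted to the VLAN 1 subnet, and why "permit tcp any any" web lines placed ahead of the deny lines still let VLAN 3 reach web ports on the other VLANs. FIXED_ACL, the client addresses and 203.0.113.10 are my assumptions, not the certified solution, which is not visible on this page.

```python
# Added example (not Cisco's or the thread's code): offline evaluator for IOS numbered extended ACLs.
import ipaddress

PORT_NAMES = {"domain": 53, "www": 80, "bootps": 67}

def _addr(tok):  # 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (base, wildcard) as ints
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tok.pop(0)))
def _port(tok):  # optional 'eq PORT' qualifier; None means any port
    if tok and tok[0] == "eq":
        tok.pop(0)
        name = tok.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None
def parse_ace(line):  # 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'
    tok = line.split()[2:]
    action, proto = tok.pop(0), tok.pop(0)
    src, sport = _addr(tok), _port(tok)
    dst, dport = _addr(tok), _port(tok)
    return action, proto, src, sport, dst, dport
def _match(spec, ip):  # wildcard bits set to 1 are "don't care"
    base, wc = spec
    return (int(ipaddress.IPv4Address(ip)) | wc) == (base | wc)
def evaluate(acl, proto, src, sport, dst, dport):  # decision for one packet entering the SVI
    for action, p, s, sp, d, dp in map(parse_ace, filter(str.strip, acl.splitlines())):
        if p in ("ip", proto) and _match(s, src) and _match(d, dst) \
                and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"  # the implicit deny at the end of every IOS ACL

# ACL 101 as the thread left it: the asker's bootps line plus the www/443 'any any' change.
THREAD_ACL = """access-list 101 permit udp any 10.16.48.0 0.0.1.255 eq domain
access-list 101 permit udp any 10.16.48.0 0.0.1.255 eq bootps
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 deny ip any 10.16.46.0 0.0.0.255
access-list 101 deny ip any 10.16.48.0 0.0.1.255
access-list 101 deny ip any 10.16.52.0 0.0.1.255
access-list 101 deny ip any 10.16.54.0 0.0.1.255
access-list 101 deny ip any 10.16.50.0 0.0.0.255"""
# Assumed fix: DHCP DISCOVER is 0.0.0.0 -> 255.255.255.255 (RFC 2131) and hits the inbound ACL
# before the helper relays it; the internal denies are moved ahead of the 'any any' web permits.
_l = THREAD_ACL.splitlines()
FIXED_ACL = "\n".join(["access-list 101 permit udp any host 255.255.255.255 eq bootps",
                       *_l[:2], *_l[4:], *_l[2:4]])
```

Call evaluate(ACL, proto, src, sport, dst, dport) with a packet as a VLAN 3 client would send it; sport and dport are None for ICMP.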
ASKER
Thanks for all your help on this one experts. You saved me from a lot of headaches and frustration. I appreciate what you mean to the community.
Separate from what? Or put another way, what should VLAN 3 be able to access?