governor_arnold asked:
Cisco 3750 Vlan access-list questions

I'm trying to set up an Access-list on our core 3750 switch stack that will segment one vlan traffic from all of our other vlans. The thing that is confusing me is how to segregate traffic between this VLAN but allow DHCP and DNS into the VLAN that I want to segregate. Hopefully that made sense.

VLAN 1 has my DNS and DHCP servers
VLAN 3 is the VLAN that I want to separate

I'll paste my show run of my vlan setup. I didn't include my access-list output because I think that I will be better off starting over fresh.
interface Vlan1
 ip address 10.16.48.11 255.255.254.0
!
interface Vlan2
 ip address 10.16.46.1 255.255.255.0
 ip helper-address 10.16.48.34
!
interface Vlan3
 description Public Vlan
 ip address 10.16.45.1 255.255.255.0
 ip helper-address 10.16.48.34
!
interface Vlan4
 ip address 10.16.52.1 255.255.254.0
 ip helper-address 10.16.48.34
!
interface Vlan5
 ip address 10.16.54.1 255.255.255.0
 ip helper-address 10.16.48.34
!
interface Vlan6
 description Test VLAN
 ip address 10.16.55.1 255.255.255.0
 ip helper-address 10.16.48.34
!
interface Vlan101
 ip address 10.16.50.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.16.48.41
ip http server
ip http authentication local
ip http secure-server
!


Don Johnston

>VLAN 3 is the VLAN that I want to separate

Separate from what? Or put another way, what should VLAN 3 be able to access?

governor_arnold (asker)

I want vlan 3 to be able to access the internet and nothing else. I don't want VLAN 3 to be able to access any of the computers or devices located on the other VLANs.
The following ACL will prevent VLAN 3 from communicating with 2, 4, 5, 6 and 101. All other destinations will be allowed.


access-list 1 deny 10.16.46.0 0.0.0.255
access-list 1 deny 10.16.52.0 0.0.1.255
access-list 1 deny 10.16.54.0 0.0.1.255
access-list 1 deny 10.16.50.0 0.0.0.255
access-list 1 permit any
int vlan 3
 ip access-group 1 out


Is there any way for me to block traffic to VLAN 1 but allow DHCP, DNS, port 80 and port 443 traffic to make it through?

SOLUTION
Don Johnston

Thanks for your quick responses donjohnston!

I added your list to my switch and for some reason I can still access all of VLAN 1 from VLAN 3. Access to the other VLANs is denied. This is my new show run output
!
interface Vlan1
 ip address 10.16.48.11 255.255.254.0
!
interface Vlan2
 ip address 10.16.46.1 255.255.255.0
 ip helper-address 10.16.48.34
!
interface Vlan3
 ip address 10.16.45.1 255.255.255.0
 ip access-group 101 in
 ip helper-address 10.16.48.34
!
interface Vlan4
 ip address 10.16.52.1 255.255.254.0
 ip helper-address 10.16.48.34
!
interface Vlan5
 ip address 10.16.54.1 255.255.255.0
 ip helper-address 10.16.48.34
!
interface Vlan6
 ip address 10.16.55.1 255.255.255.0
 ip helper-address 10.16.48.34
!
interface Vlan101
 ip address 10.16.50.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.16.48.41
ip http server
ip http authentication local
ip http secure-server
!
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq domain
access-list 101 permit udp any 10.16.48.0 0.0.1.255 eq domain
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq www
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq 443
access-list 101 deny   ip any 10.16.46.0 0.0.0.255
access-list 101 deny   ip any 10.16.52.0 0.0.1.255
access-list 101 deny   ip any 10.16.54.0 0.0.1.255
access-list 101 deny   ip any 10.16.50.0 0.0.0.255
access-list 101 permit ip any any


SOLUTION
>I added your list to my switch and for some reason I can still access all of VLAN 1 from VLAN 3

What (specifically) are you able to do that you shouldn't?
decoleur

donjohnston-

The requirement was to only allow DNS and web access to VLAN 1, which you allowed with your initial permit statements, but you do not block the rest to that VLAN because of the permit ip any any at the end.

Does that make sense?

-t
So it should look like this?
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq domain
access-list 101 permit udp any 10.16.48.0 0.0.1.255 eq domain
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq www
access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq 443
access-list 101 deny   ip any 10.16.46.0 0.0.0.255
access-list 101 deny   ip any 10.16.48.0 0.0.1.255
access-list 101 deny   ip any 10.16.52.0 0.0.1.255
access-list 101 deny   ip any 10.16.54.0 0.0.1.255
access-list 101 deny   ip any 10.16.50.0 0.0.0.255
int vlan 3
 ip access-group 1 out


Yep. Missed the "deny ip any 10.16.48.0 0.0.1.255"

"deny ip any 10.16.48.0 0.0.1.255" worked to block traffic to VLAN 1. But now I have a different problem. The client that I'm testing in VLAN 3 is getting a DHCP IP address just fine, but DNS isn't working. When I try to do an NSLOOKUP I get the message:

"***Default servers are not available
Server: Unknown
Address: 10.16.48.17"

I also can't access websites by their IP address either.

It seems like my eq statements are being ignored?

Your ACL is applied outbound. It should be inbound.

I didn't notice you changed that.

OK, so I switched it back to inbound and now I've lost my DHCP. I tried adding the lines:
"access-list 101 permit udp any 10.16.48.0 0.0.1.255 eq bootps" and
"access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq 67"
but that didn't help me get an address.

ASKER CERTIFIED SOLUTION
The DHCP and DNS are working just fine, but I couldn't view webpages until I changed the WWW and 443 lines to:
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443

Thanks for all your help on this one experts. You saved me from a lot of headaches and frustration. I appreciate what you mean to the community.
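The thread's failures (web blocked once "permit ip any any" was removed, DHCP blocked by a bootps line scoped to 10.16.48.0/23) all come down to IOS first-match evaluation with an implicit deny at the end. The following is an added example, not code from the thread or from Cisco: a small evaluator for the extended-ACL lines posted above, run against constructed VLAN 3 packets. The widened bootps line is this example's assumption (a DHCPDISCOVER is sent to 255.255.255.255, which the 10.16.48.0/23 wildcard never matches); the accepted solution itself is not visible on the page.

```python
import ipaddress

PORT_NAMES = {"domain": 53, "www": 80, "bootps": 67}  # IOS port keywords seen in the thread
_ip = lambda s: int(ipaddress.ip_address(s))

def _addr_spec(t, i):
    """Parse one address spec, 'any' or 'NETWORK WILDCARD' (the two forms used in the thread)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    net, wild = _ip(t[i]), _ip(t[i + 1])
    # Wildcard bits set to 1 are "don't care", so OR them away on both sides before comparing
    return (lambda ip: (ip | wild) == (net | wild)), i + 2

def parse_ace(line):
    """Split 'access-list N permit|deny PROTO SRC DST [eq PORT]' into (action, proto, src, dst, port)."""
    t = line.split()
    src, i = _addr_spec(t, 4)
    dst, i = _addr_spec(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return t[2], t[3], src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match falls through to the implicit deny at the end."""
    s, d = _ip(src), _ip(dst)
    for line in acl:
        action, p, sm, dm, port = parse_ace(line)
        if p in ("ip", proto) and sm(s) and dm(d) and port in (None, dport):
            return action
    return "deny"

# ACL 101 as posted in the thread (inbound on VLAN 3) plus the asker's attempted bootps line
ACL_POSTED = [
    "access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq domain",
    "access-list 101 permit udp any 10.16.48.0 0.0.1.255 eq domain",
    "access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq www",
    "access-list 101 permit tcp any 10.16.48.0 0.0.1.255 eq 443",
    "access-list 101 permit udp any 10.16.48.0 0.0.1.255 eq bootps",
    "access-list 101 deny   ip any 10.16.46.0 0.0.0.255",
    "access-list 101 deny   ip any 10.16.48.0 0.0.1.255",
    "access-list 101 deny   ip any 10.16.52.0 0.0.1.255",
    "access-list 101 deny   ip any 10.16.54.0 0.0.1.255",
    "access-list 101 deny   ip any 10.16.50.0 0.0.0.255",
]
def with_web_and_dhcp_fix(acl):
    """Widen the web lines to 'any any' as the asker did; widening bootps the same way is this
    example's assumption (DHCPDISCOVER goes to 255.255.255.255, never into 10.16.48.0/23)."""
    return [l.replace("any 10.16.48.0 0.0.1.255", "any any")
            if any(k in l for k in ("eq www", "eq 443", "eq bootps")) else l for l in acl]
```

Note that even the widened list has no trailing "permit ip any any", so anything not explicitly permitted from VLAN 3 (an ICMP ping to the internet, for instance) still hits the implicit deny; that is the trade-off of building the list as an allow-list of DNS, DHCP and web only.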