Solved

ACLs for switches

Posted on 2009-07-11
6
505 Views
Last Modified: 2012-05-07
CISCO 3750 12.2(25) SEE2
Cisco 2950  12.1.(22) EA2

We codevelop software with teams from other companies and they come to our site to do this. With these companies we have setup Lan to Lan tunnels. So when they come we allow them to connect to our Guest network. Then they VPN into their companies and connect to a particular host on our end. It does not seem the best way to me for them to loop around like that because of our security restrictions.

I was thinking about letting them connect to our company LAN then configure ACLs in a switch, apply them  to specific ports  and allow them access only to an specific host on port 80 and 443.

If it makes any difference I will throw these 2 scenarios in:

1- destination host and guest users connected physically to ports in the same switch

2- destination host  and guest users connected in different switches uplinked  with switches in between . I wonder it if is needed one set of ACLs on both switches or does it matter?

Is this possible, please provide an example of how it would like in the configuration

Thanks for your help

JAR
0
Comment
Question by:JohnRamz
  • 3
  • 3
6 Comments
 
LVL 50

Expert Comment

by:Don Johnston
Comment Utility
Will the source and destination devices be on the same VLAN?

If not, then a routed ACL will be what you need.

If they are on the same VLAN, you will need to use a VLAN ACL (VACL).

0
 

Author Comment

by:JohnRamz
Comment Utility
donjohnston

They are on the same VLAN (native VLAN 1). How do I do it? Would you provide sort of a template?

Thanks

0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
Comment Utility
The following VACL will allow devices 192.168.1.16-31 to access the server at 192.168.1.8 for web, smtp and pop3. Those 15 devices can also ping everything. No other traffic from those devices is permitted.

However, all traffic from other addresses is permitted.


ip access-list extended guest-allowed

 permit tcp 192.168.1.16 0.0.0.15 host 192.168.1.8 eq 80

 permit tcp 192.168.1.16 0.0.0.15 host 192.168.1.8 eq 25

 permit tcp 192.168.1.16 0.0.0.15 host 192.168.1.8 eq 110

 permit icmp 192.168.1.16 0.0.0.15 any

ip access-list extended guest-denied

 permit ip 192.168.1.16 0.0.0.15 any

!

vlan access-map outsiders 10

 match ip address guest-allowed

 action forward

vlan access-map outsiders 20

 match ip address guest-denied

 action drop

vlan access-map outsiders 30

 action permit

!

vlan filter outsiders vlan-list 99

Open in new window

0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:JohnRamz
Comment Utility
donjohnston

Thanks for your reply.very insightful

 I am thinking that creating a separate VLAN would work better for this and I would not have to assign them IP addresses manually. I already have a a separate VLAN with a DHCP server that hands out IP addresses on that subnet.  I know very little about ACLs, so I appreciate if you post another config with the scenario I just suggested, You mentioned in your first post routed ACLs, those might come into play here I guess.

Also would this work on the 3750?

Thanks

0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 500 total points
Comment Utility
Yes. If the devices are on different VLAN's, you would create traditional ACLs and apply them to the VLAN interface.

And yes, you can do this on a 3750.
0
 

Author Comment

by:JohnRamz
Comment Utility
donjohnston:

I was waiting for you config template for the last scenario but I got to it and solved the issue doing it this way:

! Created a VLAn

interface Vlan700
ip address 192.168.1.254 255.255.255.0

! Created the access list to allow them access to a host and the Internet

ip access-list extended GUEST_ACCESS
permit tcp 192.168.1.0 0.0.0.255 host 10.10.6.1 eq www
permit udp 192.168.5.0 0.0.0.255 any eq 53
deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
permit tcp 192.168.1.0 0.0.0.255 any eq 443
permit tcp 192.168.1.0 0.0.0.255 any eq 80

!Applied it to the VLAN 700 interface

ip access-group GUEST_ACCESS in

Thanks for your guidance anyway
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Access-List and Distribute-List 5 51
Find VLAN ID's 6 39
Arista Switches 2 41
High Density Switches 8 22
I see many questions here on Experts Exchange regarding switch port configurations and trunks. This article is meant for beginners in the subject to help to get basic knowledge about Virtual Local Area Network (VLAN (http://en.wikipedia.org/wiki/Vir…
This tutorial will go through the steps required to write a script that will back up the configuration settings of a HP-ProCurve switch. You will need to get the following things to follow this tutorial: Telnet Scripting Tool e.g. TST10.exe …
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now