Asked by kbirecki (United States of America)
Cisco 3560 switch configuration with VLAN for wifi

I have a Cisco 3560 48 port switch with 1 port on its own VLAN (Vlan3) that is supposed to be configured for a wifi AP and set to allow only certain types of traffic for guests and intraoffice sales people, such as port 80/443 for web browsing, port 1494 for Lotus Notes replication and port 1352 for Citrix.  I have it partially configured where it will assign via DHCP an IP, NM, GW and DNS, but with a computer connected to that port, I still can't browse to the Internet.  I can connect to our internal Citrix server as I expect, so it is partially working.  I was expecting in the "access-list" section to see something that points web traffic to our network gateway (which is this switch I'm working on - 10.10.1.10) or firewall (10.10.1.2).

I am looking for assistance on correcting the configuration so that web browsing is allowed yet still isolates Vlan3 traffic from everything else.  Instead of including the complete config, I included what I think are the relevant lines from the configuration.   Let me know if something else from the config would be needed.

Thanks!
version 12.2

-- SKIPPED LINES HERE --

ip subnet-zero
ip routing
ip domain-name ahi.int
no ip dhcp use vrf connected
ip dhcp excluded-address 10.11.0.1 10.11.70.0
ip dhcp excluded-address 10.11.71.1 10.11.255.255
ip dhcp excluded-address 10.12.0.1 10.12.50.0
ip dhcp excluded-address 10.12.51.1 10.12.255.255
!
ip dhcp pool VOICE
   network 10.11.0.0 255.255.0.0
   option 150 ip 10.11.10.50
   default-router 10.11.1.10
!
ip dhcp pool Vlan3
   network 10.12.0.0 255.255.0.0
   default-router 10.12.1.10
   dns-server 10.10.10.14 10.10.10.15
!
-- SKIPPED LINES HERE --
!
vlan internal allocation policy ascending
!
-- SKIPPED LINES HERE --
!
interface FastEthernet0/48
 description Connection to Wireless Uplink
 switchport access vlan 3
 switchport mode access
 mls qos trust device cisco-phone
 spanning-tree portfast
!
-- SKIPPED LINES HERE --
!
interface Vlan1
 description DATA
 ip address 10.10.1.10 255.255.0.0
 no ip proxy-arp
 ip pim sparse-dense-mode
!
interface Vlan2
 description VOICE
 ip address 10.11.1.10 255.255.0.0
 no ip proxy-arp
 ip pim sparse-dense-mode
!
interface Vlan3
 description WIRELESS
 ip address 10.12.1.10 255.255.0.0
 no ip proxy-arp
 ip pim sparse-dense-mode
!
!
router eigrp 100
 redistribute static
 network 10.10.0.0 0.0.255.255
 network 10.11.0.0 0.0.255.255
 network 10.12.0.0 0.0.255.255
!
ip classless
ip http server
ip http secure-server
!
!
access-list 101 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.1 eq www    (Note: mail server)
access-list 101 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.1 eq 443    (Note: mail server)
access-list 101 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.26 eq 1494    (Note: Citrix server)
access-list 101 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.7 eq 1352    (Note: Domino server)
access-list 101 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.17 eq www    (Note: web server)
access-list 101 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.17 eq 443    (Note: web server)
access-list 101 deny   tcp 10.12.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 101 deny   tcp 10.12.0.0 0.0.255.255 10.21.0.0 0.0.255.255
access-list 101 deny   tcp 10.12.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 101 deny   tcp 10.12.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 101 deny   tcp 10.12.0.0 0.0.255.255 10.30.0.0 0.0.255.255
access-list 101 deny   tcp 10.12.0.0 0.0.255.255 10.31.0.0 0.0.255.255


kf4zmt

Is this a layer 3 switch or is there a router that is routing between vlans?  Either way, have you configured an interface for vlan 3 on whatever device is routing your vlan traffic?  Can you ping the default gateway when you have a laptop connected to this port?

ASKER

Yes, it is a layer 3 switch.  All the vlans are on this switch - no other devices.  If I understand your question about the interface, I think the portion of the config I included shows vlan3 has an interface.  I can ping the gateway, which I configured to be the switch itself (should the switch be the gateway?).  I'm thinking either I need to set my gateway to my firewall or I need something like a new access list entry.  I'm not sure of the specifics though.
In the config you have posted, the acl isn't applied to interface vlan3 so I assume you've removed the acl for testing purposes.  Is there a gateway of last resort set on the 3560 that forwards all unknown routes to your internet router or firewall?
Regarding the acl not being applied to the interface vlan3, do you mean the config needs a "ip access-group {number|name} {in|out}" command?  If I understand that correctly, would that be on "interface Vlan3" a command like the following:

     ip access-group 101 out

I haven't removed anything for testing, so anything required needs to be added.

And what is a gateway of last resort and how is that supposed to be configured?

Thanks!
The gateway of last resort is Cisco terminology for a default gateway of a router or switch.  On routers it is usually set by

ip route 0.0.0.0 0.0.0.0 x.x.x.x  where x.x.x.x is the ip address where you want all traffic to unknown subnets sent.

On switches it is sometimes set as above, or sometimes, depending on the IOS, by:

ip default-gateway x.x.x.x  

Yes, you are correct about how to apply the acl to an interface. In your case I think you'd want to apply it as an "in".

 ip access-group 101 in
OK, on the switch in question, I don't have any "ip route..." statements, nor any "ip default-gateway" statements.  A "show ip route" on the switch gives me:
----------------------------------------------------
Gateway of last resort is 10.10.1.1 to network 0.0.0.0

D EX 192.168.40.0/24 [170/2172672] via 10.10.1.1, 15:44:28, Vlan1
D EX 192.168.4.0/24 [170/2172672] via 10.10.1.1, 15:44:28, Vlan1
     10.0.0.0/16 is subnetted, 7 subnets
C       10.10.0.0 is directly connected, Vlan1
C       10.11.0.0 is directly connected, Vlan2
C       10.12.0.0 is directly connected, Vlan3
D       10.30.0.0 [90/2172672] via 10.10.1.1, 19:32:13, Vlan1
D       10.31.0.0 [90/2172928] via 10.10.1.1, 19:32:13, Vlan1
D       10.20.0.0 [90/2172672] via 10.10.1.1, 15:44:28, Vlan1
D       10.21.0.0 [90/2172928] via 10.10.1.1, 15:44:28, Vlan1
     192.168.1.0/30 is subnetted, 1 subnets
D       192.168.1.0 [90/2170112] via 10.10.1.1, 15:44:29, Vlan1
     192.168.2.0/30 is subnetted, 1 subnets
D       192.168.2.0 [90/2170112] via 10.10.1.1, 19:32:17, Vlan1
D*EX 0.0.0.0/0 [170/28416] via 10.10.1.1, 19:32:17, Vlan1
----------------------------------------------------

The gateway of last resort on this 3560 switch is shown as 10.10.1.10, and that is my main voice router, a 2851.  When I run a "show ip route" on that device, it shows the following:
----------------------------------------------------

Gateway of last resort is 10.10.1.2 to network 0.0.0.0

D EX 192.168.40.0/24 [170/2172416] via 192.168.1.2, 15:43:49, Serial0/0/0
D EX 192.168.4.0/24 [170/2172416] via 192.168.1.2, 15:43:49, Serial0/0/0
     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C       10.10.0.0/16 is directly connected, GigabitEthernet0/0
D       10.11.0.0/16 [90/28416] via 10.10.1.10, 5w2d, GigabitEthernet0/0
D       10.12.0.0/16 [90/28416] via 10.10.1.10, 19:31:17, GigabitEthernet0/0
D       10.30.0.0/16 [90/2172416] via 192.168.2.2, 2d12h, Serial0/1/0
D       10.31.0.0/16 [90/2172672] via 192.168.2.2, 2d12h, Serial0/1/0
C       10.16.1.1/32 is directly connected, Loopback0
D       10.20.0.0/16 [90/2172416] via 192.168.1.2, 15:43:49, Serial0/0/0
D       10.21.0.0/16 [90/2172672] via 192.168.1.2, 15:43:49, Serial0/0/0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, Serial0/0/0
     192.168.2.0/30 is subnetted, 1 subnets
C       192.168.2.0 is directly connected, Serial0/1/0
S*   0.0.0.0/0 [1/0] via 10.10.1.2
----------------------------------------------------

So this router's gateway of last resort is the firewall, 10.10.1.2, set by "ip route 0.0.0.0 0.0.0.0 10.10.1.2" as you described, and it happens to be the only ip route statement.

Question(s) #1:  So far, does this all make sense the way it is configured?  As I understand it, the expectation is that internet-bound traffic from my test computer connected to port 48 on the switch will be filtered by the acl (once assigned to Vlan3), and anything (*) that doesn't match the acl will be forwarded to the "gateway of last resort" (router 10.10.1.10), and that router seeing internet-bound traffic will forward it to its "gateway of last resort" (firewall at 10.10.1.2), which should pass it out.  Is that correct?  So in this config, without the acl assigned to Vlan3 on the switch, do you think that is what is causing the problem?

(*)Question #2: Regarding my assumed "anything" in the Q above, I see specific protocols listed in the acl with specific IPs.  So how would, say, port 80 traffic, be allowed through to the "gateway of last resort"?  I wouldn't think it would be much of an acl if it allowed anything other than what was defined to just pass on through.  What am I missing?

Question(s) #3: Why would an "in" policy apply and not an out?  I was actually thinking there should be an in-out to apply in both directions, or do I need two applications of the policy, one for in and one for out?

I'll be at the office in a while and I'll try the application of the acl as suggested.
Even though it doesn't appear in the acl, all acl's have a "deny any any" statement at the end by default.  This means that anything that doesn't get matched in the preceding lines will be denied.  The acl doesn't do routing; it just decides whether a packet meets a list of criteria or not.  In this case, it is a decision about whether to allow the packet to pass through the router or not.  In other words, an acl doesn't tell the router where to route a packet, just whether or not it should get routed at all.  If a packet is allowed through by your acl, the routing table will then make a decision about where it goes from there.  In any case, since your acl isn't applied to an interface yet, this can't be causing a problem.

The "in" & "out" determines if the acl is applied to packets entering an interface or leaving it.  In this situation, the traffic you want to filter is entering the vlan3 interface so you must use an "in".  You would apply an "out" to an interface to filter traffic as it is leaving the router going out toward the switch or whatever device the router is connected to.  In other words, an "out" is used when packets have already passed through the router having entered from another interface and are about to exit the router.  An "in" decides if the packets are allowed to enter the router at all.

=== IMPORTANT===
Does your firewall exchange eigrp information with your routers?  If not, you will need a static route on the firewall to tell the firewall how to route packets destined for ip addresses on vlan3.  It's entirely possible that your vlan3 traffic is making it to the firewall and going out to the Internet but the firewall doesn't know where to send the returning traffic.  You should check this before doing anything else!
That was very helpful.  The route on the firewall may be a significant part of the resolution.  I'll try that.

Regarding the acl and Vlan3, I'm thinking two things: 1) I need another statement there, and 2) if I understand correctly, I think you're thinking I want to protect and limit access to devices on Vlan3 from everything beyond that point, where what I want to do is only allow devices on Vlan3 (anything plugged into port 48) to be able to get very restricted capabilities *out* of Vlan3, pass across our network to the firewall (for internet traffic), and a couple of specific internal servers (i.e. Citrix ports and Lotus Notes Replication ports).  So in that case, might an "out" be the right config?

It's intended to be a poor man's proxy providing open wifi for customers and suppliers when they visit so they can get online only and not have access to our internal network, and also for the infrequent internal user roaming on a laptop that wants to use Citrix (usually me).  I previously had the wifi router outside our network and the Cisco partner that set this up said this would be better: "put it on a VLAN and it can be managed better."  The job was only partially finished and I'm still trying to get it working.

So I'm thinking that if a "deny any any" is assumed to be at the end of the acl list, I need at least one more entry for general Internet traffic that allows port 80 and port 443 out to our firewall (10.10.1.2), correct?  Would I need to add:

access-list 101 permit tcp 0.0.0.0 255.255.255.255 host 10.10.1.2 eq www    
access-list 101 permit tcp 0.0.0.0 255.255.255.255 host 10.10.1.2 eq 443


Maybe this next question should come after I test the change to the firewall, but what about DNS?  If the policy does end up needing to be "out", do I need to allow port 53/tcp to pass through or is that automatically allowed?

By the way, kf4zmt, thank you very much for your help on this.
I think I correctly understood you.  You want to use an "in" so that traffic from the ip address range assigned to vlan3 will be restricted when it enters (goes IN to) interface vlan3.  Think of interface vlan3 as an international border crossing.  The customs agents or border patrol examines all the cars at the border as they enter the country.  Same with the router.  Interface vlan3 is the check point.  Nothing will get IN to (or beyond) the router from the ip range assigned to vlan3 (your wireless range) unless the acl allows it.  By doing this, you control what network resources the wireless clients can gain access to beyond their own subnet.

You are exactly right about needing to add the additional permit statements for ports 80 & 443.  You'll also need to allow port 53 (dns) to your dns servers.

Hope this helps.

OK, I see your point about in vs. out.  I was thinking of the Vlan being the devices I plug into port 48, and "in" pointed from the switch to the device(s).  So "in" actually points from the device(s) connected to ==> the physical port "in"to the switch.  I should think of the vlan being inside the switch, not the devices themselves.  Got it!  I'll be able to test shortly and respond with results.
I'm very close on this.  I've applied your suggestions and everything works except that when I have the acl enabled, I can't browse out to the web.  I added icmp so I could ping and that helps to verify that the problem is just web browsing.  So I went back to basics and tried to create just enough of an acl to allow web browsing to the internet and I'm still not getting something right.  I've tried various combinations, but where I am right now is a problem with the acl.  Can you look at it and tell me what I might be missing or have incorrect?  I'm just trying to get a basic setup that allows browsing to the Internet.

access-list 102 permit icmp 10.12.0.0 0.0.255.255 any  (for ping test)
access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.1.1 eq www (host is the main voice router; I tried the firewall 10.10.1.2 as the host as well and that didn't work either)
access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.14 eq domain (host is DNS server #1)
access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.15 eq domain (host is DNS server #2)

===(other stuff I tried)===
access-list 102 permit tcp 10.12.0.0 0.0.255.255 any eq www
access-list 102 permit tcp 0.0.0.0 0.0.255.255 any eq www
access-list 102 permit tcp 0.0.0.0 0.0.255.255 any eq 443

Any suggestions?
So, I assume there was a static route needed on the firewall?  

DNS queries use udp, not tcp.  Try this and see what happens:


access-list 102 permit udp 10.12.0.0 0.0.255.255 host 10.10.10.14 eq domain (host is DNS server #1)
access-list 102 permit udp 10.12.0.0 0.0.255.255 host 10.10.10.15 eq domain (host is DNS server #2)
P.S.

DNS servers use tcp on port 53 to exchange zone files between each other, but dns clients use udp port 53.

Yes, there was a static route needed on the firewall.  That helped immensely; I verified this worked by disabling the acl on the interface and was able to successfully access the Internet.  So now my issue is down to the point that the acl is the problem and I've been trying different combinations of acl configs over the weekend.  I've found that I have to be less restrictive to allow access for the devices connected to Vlan3.  I found that the following works, but I'm concerned it might be too open security-wise:

===Current Config===
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq bootps
access-list 102 permit udp any any eq bootpc
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443


The following does not work:

==Non-Working Config==
access-list 102 permit udp any host 10.10.10.14 eq domain
access-list 102 permit tcp any host 10.10.10.14 eq domain
access-list 102 permit udp any host 10.10.10.15 eq domain
access-list 102 permit tcp any host 10.10.10.15 eq domain
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443
access-list 102 permit udp any host 10.10.10.14 eq bootps
access-list 102 permit udp any host 10.10.10.14 eq bootpc
access-list 102 permit udp any host 10.10.10.15 eq bootps
access-list 102 permit udp any host 10.10.10.15 eq bootpc

And any variation where I specify any IP like "10.12.0.0 0.0.255.255" in place of the first "any" in the non-working config lines does not work either.  I expect the udp lines don't need the explicit IP set because initially, the device has no IP and is trying to communicate over UDP with the DHCP server to get an IP. But I haven't really been confident with the combinations I've found that worked as far as balancing between working (important) and security (also important) because they are more like the current config above.

Do I leave it as I have it in the current config, or is that too wide open?
Thanks!
ASKER CERTIFIED SOLUTION
kf4zmt
That did the trick.  After a lot of trial and error, I also figured out that the order in which I place statements (which I think you implied by your placement of the new line) matters.  And also it matters whether I'm adding a line or trying to delete an existing line; under certain circumstances (maybe all the time), I can't delete one line without all acl lines for the same acl # being affected and usually being deleted.  So I've just started using a text file with a line that first deletes the last acl (which causes all of that numbered acl to be deleted) and then all of the new acl commands the way I want it.  This has helped.  

Anyway, the final resolution I have put together with your immensely appreciated assistance is:

1. Added a static route to my firewall that directed 10.12.0.0 traffic to this switch being configured.
2. Modified the config of the switch:
A: Proper DHCP assignment:
        ip dhcp pool Vlan3
           network 10.12.0.0 255.255.0.0
           default-router 10.12.1.10
           dns-server 10.10.10.14 10.10.10.15
B: Proper Vlan3 interface config to include the assignment of the acl:
        interface Vlan3
         description WIRELESS
         ip address 10.12.1.10 255.255.0.0
         ip access-group 102 in
         no ip proxy-arp
         ip pim sparse-dense-mode
C: Modified acl as shown in code below.

It works perfectly!  

The only thing that puzzles me still is that I can't seem to explicitly set the DHCP host to the router, even though it is the DHCP server for Vlan3.  It does show as the DHCP server when I allow "any any" in the DHCP section, but not when I set those lines to "any host 10.12.1.10".  Likewise, the same occurs for the ICMP section, I can't limit it to just that router, it has to be "any any".  That's fine, those are things I can live with.

Thank you very much for your assistance kf4zmt!
access-list 102 remark ================DHCP================
access-list 102 remark - Allow DHCP (server) communications
access-list 102 permit udp any any eq bootps
access-list 102 remark - Allow DHCP (Client) communications
access-list 102 permit udp any any eq bootpc
access-list 102 remark ================ICMP================
access-list 102 remark - Allow ICMP for troubleshooting
access-list 102 permit icmp any any
access-list 102 remark ================DNS================
access-list 102 remark - Allow UDP to DNS server 1 - Required for client comm
access-list 102 permit udp any host 10.10.10.14 eq domain
access-list 102 remark - Allow UDP to DNS server 2 - Required for client comm
access-list 102 permit udp any host 10.10.10.15 eq domain
access-list 102 remark - Allow TCP to DNS server 1
access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.14 eq domain
access-list 102 remark - Allow TCP to DNS server 2
access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.15 eq domain
access-list 102 remark ================LOCAL Web/SSL================
access-list 102 remark - Allow Web access to mail server
access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.1 eq www
access-list 102 remark - Allow SSL access to mail server
access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.1 eq 443
access-list 102 remark - Allow Web access to web server
access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.17 eq www
access-list 102 remark - Allow SSL access to web server
access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.17 eq 443
access-list 102 remark ================BLOCK Local network================
access-list 102 remark - BLOCK any other traffic to local network
access-list 102 deny   ip any 10.10.0.0 0.0.255.255
access-list 102 remark ================Public Web/SSL================
access-list 102 remark - Permit web traffic to Internet
access-list 102 permit tcp 10.12.0.0 0.0.255.255 any eq www
access-list 102 remark - Permit SSL traffic to Internet
access-list 102 permit tcp 10.12.0.0 0.0.255.255 any eq 443


If I understand what you are saying about the dhcp server, you can't specify it in an acl because the dhcp requests are sent to the broadcast address, not the server address.  An acl wouldn't match because the server is one ip and the broadcast address is another.

Anyway, glad you got it working!
Thank you for your prompt and very effective assistance!  If I could give you more points, I would.  It turned out to be more difficult than I expected.
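As an added example (not part of the thread and not Cisco's code), here is a small Python evaluator that applies the final ACL 102 above with IOS first-match semantics, wildcard masks and the implicit "deny any any" at the end, to constructed sample packets; the hosts 10.12.5.20, 10.10.10.50, 10.30.1.5 and 203.0.113.10 are made-up addresses chosen to exercise each branch of the list.

```python
import ipaddress

# Constructed evaluator for IOS numbered extended ACLs; models only the
# keywords used in this thread (any / host / wildcard, eq PORT, ip/tcp/udp/icmp).
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}

# The thread's final ACL 102 with the remark lines dropped (entries are numbered 1..14 below).
ACL_102 = """
permit udp any any eq bootps
permit udp any any eq bootpc
permit icmp any any
permit udp any host 10.10.10.14 eq domain
permit udp any host 10.10.10.15 eq domain
permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.14 eq domain
permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.15 eq domain
permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.1 eq www
permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.1 eq 443
permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.17 eq www
permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.17 eq 443
deny ip any 10.10.0.0 0.0.255.255
permit tcp 10.12.0.0 0.0.255.255 any eq www
permit tcp 10.12.0.0 0.0.255.255 any eq 443
"""

# Variant the asker tried for DHCP: pin the server instead of "any" (constructed for comparison).
ACL_102_DHCP_HOST = ACL_102.replace("permit udp any any eq bootps",
                                    "permit udp any host 10.12.1.10 eq bootps")

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tok[i]; return ((base, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip_int(tok[i + 1]), 0), i + 2
    return (ip_int(tok[i]), ip_int(tok[i + 1])), i + 2

def _port(tok, i):
    """Consume an optional 'eq PORT' at tok[i]; None means any port."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        entries.append((tok[0], tok[1], src, sport, dst, dport))
    return entries

def _in_range(addr, spec):
    base, wild = spec
    # IOS wildcard: a 1 bit means "don't care", so only the 0 bits are compared.
    return (addr & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)

def evaluate(acl_text, proto, src, dst, dport=None, sport=None):
    """Return (action, entry number); entry 0 is the implicit deny at the end of every ACL."""
    for n, (action, p, s, sp, d, dp) in enumerate(parse_acl(acl_text), 1):
        if p != "ip" and p != proto:
            continue
        if not _in_range(ip_int(src), s) or not _in_range(ip_int(dst), d):
            continue
        if sp is not None and sp != sport or dp is not None and dp != dport:
            continue
        return action, n          # first matching entry wins
    return "deny", 0              # implicit "deny any any"

if __name__ == "__main__":
    # A DHCP discover is sent from 0.0.0.0 to the broadcast address, never to the server's IP.
    print(evaluate(ACL_102, "udp", "0.0.0.0", "255.255.255.255", dport=67, sport=68))
    print(evaluate(ACL_102_DHCP_HOST, "udp", "0.0.0.0", "255.255.255.255", dport=67, sport=68))
    print(evaluate(ACL_102, "tcp", "10.12.5.20", "10.10.10.50", dport=80))   # internal host
    print(evaluate(ACL_102, "tcp", "10.12.5.20", "10.30.1.5", dport=80))     # other internal subnet
```

Running it shows why a DHCP rule written as "any host 10.12.1.10" never matches (the discover is addressed to 255.255.255.255) and that the "deny ip any 10.10.0.0 0.0.255.255" line only shields 10.10.0.0/16: web traffic to the other internal subnets in the routing table (10.11, 10.20, 10.21, 10.30, 10.31) still falls through to the "any eq www/443" entries, so deny lines for those ranges, as in the original ACL 101, belong before them.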