
ProCurve ACL

Hi,

I need to create an ACL and apply this to a VLAN.

I want this VLAN (102) to only be able to access the internet, all other traffic blocked - so will need to talk to a DNS Server and DHCP Server.

Has anyone got an example of this?
Asked by Ian Taylor
1 Solution
 
ArneLovius commented:
If you want traffic on the VLAN to only have access to the Internet, don't use ACLs and an internal DNS server; use a VLAN without any L3 interfaces, in combination with DHCP on the firewall utilising external DNS servers.
 
Predrag (Network Engineer) commented:
You have an excellent and very granular example here. Maybe some new popular services are missing, since it is very granular, and should be added. :)
ip access-list extended GUEST_access_in
 remark ACL for VLAN GUEST
 remark Block traffic to private networks
 deny   ip 172.16.23.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 172.16.23.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 172.16.23.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 172.16.23.0 0.0.0.255 224.0.0.0 15.255.255.255
 deny   ip 172.16.23.0 0.0.0.255 240.0.0.0 15.255.255.255
 deny   ip 172.16.23.0 0.0.0.255 0.0.0.0 0.255.255.255
 deny   ip 172.16.23.0 0.0.0.255 169.254.0.0 0.0.255.255
 deny   ip 172.16.23.0 0.0.0.255 192.0.2.0 0.0.0.255
 deny   ip 172.16.23.0 0.0.0.255 127.0.0.0 0.255.255.255
 remark Allowed DHCP
 permit udp any any eq bootps
 remark Allowed traffic
 permit tcp 172.16.23.0 0.0.0.255 any eq www
 permit tcp 172.16.23.0 0.0.0.255 any eq 443
 permit tcp 172.16.23.0 0.0.0.255 any eq ftp-data
 permit tcp 172.16.23.0 0.0.0.255 any eq ftp
 permit tcp 172.16.23.0 0.0.0.255 any eq 22
 permit tcp 172.16.23.0 0.0.0.255 any eq 465
 permit tcp 172.16.23.0 0.0.0.255 any eq 587
 permit tcp 172.16.23.0 0.0.0.255 any eq 993
 permit tcp 172.16.23.0 0.0.0.255 any eq 995
 permit udp 172.16.23.0 0.0.0.255 any eq domain
 permit udp 172.16.23.0 0.0.0.255 any eq ntp
 remark Allowed outside VPN
 remark VPN-> PPTP
 permit tcp 172.16.23.0 0.0.0.255 any eq 1723
 permit gre 172.16.23.0 0.0.0.255 any
 remark VPN-> L2TP - IPSec
 permit udp 172.16.23.0 0.0.0.255 any eq isakmp
 permit udp 172.16.23.0 0.0.0.255 any eq non500-isakmp
 remark VNC
 permit tcp 172.16.23.0 0.0.0.255 any eq 5900
 remark Apple
 permit tcp 172.16.23.0 0.0.0.255 17.0.0.0 0.255.255.255 eq 5223
 permit udp 172.16.23.0 0.0.0.255 17.0.0.0 0.255.255.255 range 16384 16403
 remark Amazon
 permit tcp 172.16.23.0 0.0.0.255 54.240.0.0 0.15.255.255 eq 5223
 permit tcp 172.16.23.0 0.0.0.255 46.51.128.0 0.0.63.255 eq 5223
 permit tcp 172.16.23.0 0.0.0.255 46.137.0.0 0.0.255.255 eq 5223
 permit tcp 172.16.23.0 0.0.0.255 23.20.0.0 0.3.255.255 eq 4244
 permit tcp 172.16.23.0 0.0.0.255 23.20.0.0 0.3.255.255 eq 5242
 permit tcp 172.16.23.0 0.0.0.255 50.16.0.0 0.3.255.255 eq 5242
 permit tcp 172.16.23.0 0.0.0.255 75.101.128.0 0.0.127.255 eq 5242
 permit tcp 172.16.23.0 0.0.0.255 107.20.0.0 0.3.255.255 eq 5242
 permit tcp 172.16.23.0 0.0.0.255 174.129.0.0 0.0.255.255 eq 5242
 permit tcp 172.16.23.0 0.0.0.255 176.34.0.0 0.0.255.255 eq 5223
 permit tcp 172.16.23.0 0.0.0.255 184.72.0.0 0.1.255.255 eq 4244
 remark Facebook
 permit tcp 172.16.23.0 0.0.0.255 object-group FACEBOOK gt 1024 log
 remark Android Market
 permit tcp 172.16.23.0 0.0.0.255 any eq 5228
 permit udp 172.16.23.0 0.0.0.255 any eq 5228
 remark XMPP
 permit tcp 172.16.23.0 0.0.0.255 any eq 5222
 remark Allowed traffic for Web Services Dynamic Discovery
 permit udp 172.16.23.0 0.0.0.255 host 239.255.255.250 eq 3702
 remark UPnP
 permit udp 172.16.23.0 0.0.0.255 host 239.255.255.250 eq 1900
 remark Viber
 permit tcp 172.16.23.0 0.0.0.255 any eq 4244
 permit tcp 172.16.23.0 0.0.0.255 any eq 5242
 permit udp 172.16.23.0 0.0.0.255 any eq 5243
 permit udp 172.16.23.0 0.0.0.255 any eq 7985
 remark ICMP traffic
 permit icmp 172.16.23.0 0.0.0.255 any echo
 permit icmp 172.16.23.0 0.0.0.255 any echo-reply
 remark Blocked traffic
 deny   ip any any log
It's Cisco, but it is very similar (if not the same) for HP. This is an example for a VLAN with the IP address range 172.16.23.0/24.

But I guess for most environments
 
remark Block traffic to private networks
 deny   ip 172.16.23.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 172.16.23.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 172.16.23.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 172.16.23.0 0.0.0.255 224.0.0.0 15.255.255.255
 deny   ip 172.16.23.0 0.0.0.255 240.0.0.0 15.255.255.255
 deny   ip 172.16.23.0 0.0.0.255 0.0.0.0 0.255.255.255
 deny   ip 172.16.23.0 0.0.0.255 169.254.0.0 0.0.255.255
 deny   ip 172.16.23.0 0.0.0.255 192.0.2.0 0.0.0.255
 deny   ip 172.16.23.0 0.0.0.255 127.0.0.0 0.255.255.255
 permit ip any any

would be enough.
 
Ian Taylor (IT Infrastructure Architect, Author) commented:
Thanks, does this look right:

The subnet is 10.34.102.0/24

ip access-list extended "music dept in"
     10 deny ip 0.0.0.0 255.255.255.255 10.0.0.0 0.0.0.255
     20 permit udp 10.34.102.0 0.0.1.255 111.30.178.11 0.0.0.0 eq 53
     30 permit udp 10.34.102.0 0.0.1.255 111.30.178.12 0.0.0.0 eq 53
     40 permit tcp 10.34.102.0 0.0.1.255 0.0.0.0 255.255.255.255 eq 80
     50 permit tcp 10.34.102.0 0.0.1.255 0.0.0.0 255.255.255.255 eq 443
     60 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
 
Predrag (Network Engineer) commented:
To me it looks too restrictive. The first thing that pops into my mind, for example, is that DHCP traffic will be dropped and clients will not be able to get an IP address dynamically, and as a result the DNS servers that you configured in the ACL will not be known (so you would need to manually configure IP addresses in that VLAN). There could be a need for FTP or something else, but I don't know what the requirements are for that specific VLAN.

You have bad wildcard mask for 10.34.102.0/24:
10.34.102.0 0.0.1.255 is 10.34.102.0/23
10.34.102.0/24 is not 10.34.102.0 0.0.0.255

10 deny ip 0.0.0.0 255.255.255.255 10.0.0.0 0.0.0.255
This will deny traffic from any IP address only to the network 10.0.0.0/24.
But the way you wrote the rest of the ACL, you can even remove statement 10 and the result will still be the same. :)

And typically 0.0.0.0 255.255.255.255 can be replaced with the keyword any (not sure for all models):
40 permit tcp 10.34.102.0 0.0.0.255 any eq 80
60 deny ip any any

And you need to apply it to the interface in the right direction. :)
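As an added illustration of the points in the comment above (this is not code from the thread or from HP/Cisco): a small Python evaluator that converts wildcard masks to CIDR and runs constructed sample packets through the asker's ACL, showing that 0.0.1.255 also matches 10.34.103.x, that a DHCP discover falls through to the final deny, and that statement 10 never matches anything. It assumes first-match semantics with an implicit deny, and the sample packets are constructed here, not taken from the thread.

```python
import ipaddress

# The asker's ACL from the thread, as (seq, action, proto, src, src_wc, dst, dst_wc, dport).
# "0.0.0.0 255.255.255.255" is the ProCurve spelling of "any"; dport None means any port.
ASKER_ACL = [
    (10, "deny",   "ip",  "0.0.0.0",     "255.255.255.255", "10.0.0.0",      "0.0.0.255",       None),
    (20, "permit", "udp", "10.34.102.0", "0.0.1.255",       "111.30.178.11", "0.0.0.0",         53),
    (30, "permit", "udp", "10.34.102.0", "0.0.1.255",       "111.30.178.12", "0.0.0.0",         53),
    (40, "permit", "tcp", "10.34.102.0", "0.0.1.255",       "0.0.0.0",       "255.255.255.255", 80),
    (50, "permit", "tcp", "10.34.102.0", "0.0.1.255",       "0.0.0.0",       "255.255.255.255", 443),
    (60, "deny",   "ip",  "0.0.0.0",     "255.255.255.255", "0.0.0.0",       "255.255.255.255", None),
]

def wildcard_to_cidr(network, wildcard):
    """Wildcard mask -> CIDR, e.g. ('10.34.102.0', '0.0.1.255') -> '10.34.102.0/23'."""
    wc = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - wc.bit_length()
    if wc != (1 << (32 - prefix)) - 1:           # only contiguous wildcards map to a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return str(ipaddress.ip_network(f"{network}/{prefix}", strict=False))

def wc_match(addr, network, wildcard):
    """Address matches when every bit that is 0 in the wildcard equals the network's bit."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation; returns (seq, action). Unmatched traffic hits the implicit deny."""
    for seq, action, p, s, swc, d, dwc, port in acl:
        if p != "ip" and p != proto:
            continue
        if not (wc_match(src, s, swc) and wc_match(dst, d, dwc)):
            continue
        if port is not None and port != dport:
            continue
        return seq, action
    return None, "deny"

# Constructed sample packets from a VLAN 102 client (not taken from the thread).
SAMPLES = {
    "dhcp_discover": ("udp", "0.0.0.0", "255.255.255.255", 67),  # client has no address yet
    "dns_query":     ("udp", "10.34.102.20", "111.30.178.11", 53),
    "https_out":     ("tcp", "10.34.102.20", "203.0.113.10", 443),
    "smb_internal":  ("tcp", "10.34.102.20", "10.34.1.5", 445),
}

def report(acl=ASKER_ACL):
    """Map each sample packet to the (seq, action) that decides it."""
    return {name: evaluate(acl, *pkt) for name, pkt in SAMPLES.items()}
```

Running report() with the ACL minus statement 10 gives identical results for every sample, which is the redundancy the comment points out.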
 
Predrag (Network Engineer) commented:
Also, maybe you could use CIDR notation (/24) instead of a wildcard mask in the ACL, according to the manual, page 10-74.
