Cisco SG300-28 ACL query

Hi everyone

Hope you can help.

I have a parent/child domain test environment. I'm trying to block specific ports between the parent/child clients.

So parent domain clients are on 10.10.10.0/24, child on 10.10.11.0/24.

My ACL looks like below:

ip access-list extended DENY_FILE_AND_LDAP
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 139 ace-priority 20
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 389 ace-priority 40
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 445 ace-priority 60
permit ip any any ace-priority 80

This is bound to the child domain VLAN:

interface vlan 20
name CHILD.DOMAIN_TEST
ip address 10.10.11.254 255.255.255.0
service-acl input DENY_FILE_AND_LDAP

I'm trying to block those ports from being open on the child domain clients, but it doesn't seem to be working.

Port 389 is LDAP.

Ports 139 and 445 are Windows file share.

It's not working.

Any thoughts?

Thanks

Jason
Jason Murphy Asked:
Joseph Hornsey, President and Janitor, Commented:
You have:
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 139 ace-priority 20
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 389 ace-priority 40
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 445 ace-priority 60

Wouldn't you also need:

deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.0 139 ace-priority 20
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.0 389 ace-priority 40
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.0 445 ace-priority 60

So, just out of curiosity, why are you blocking that stuff?
0

Jason Murphy (Author) Commented:
Hi

Thanks

We're trying to replicate an issue with a client setup where clients in their child domain cannot get a license from a license dongle plugged into a server in the parent domain, and we're testing using LDAP and Windows file share.

I'll try and add the entries you mentioned.

Jason
0
Istvan Kalmar, Head of IT Security Division, Commented:
Try it:

deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 139 ace-priority 20
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 389 ace-priority 40
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 445 ace-priority 60

0
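As an added example (not part of the thread, and not SG300 firmware code): a small Python model of how an extended ACE of the form used above is matched, with wildcard masks (a 1 bit means "don't care"), the lowest ace-priority evaluated first, first match wins, and an implicit deny when nothing matches. Run against constructed packets it shows the two points the replies make: a destination wildcard of 0.0.0.0 matches only the single address 10.10.11.0, and a connection a child-domain client opens towards the parent domain enters the switch on VLAN 20 with source 10.10.11.x and destination 10.10.10.x, which only the reversed ACEs deny. The host addresses and client ports in the packets are assumptions.

```python
"""Toy model of SG300-style extended ACE matching. Added example, not from the
thread; the packets below are constructed, the ACEs are copied from the posts."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)  # network 0 with an all-ones wildcard matches every address


@dataclass
class Ace:
    action: str            # "permit" | "deny"
    proto: str             # "tcp" | "udp" | "ip"
    src: Tuple[int, int]   # (network, wildcard) as 32-bit ints
    sport: Optional[int]   # None == any
    dst: Tuple[int, int]
    dport: Optional[int]
    priority: int          # ace-priority; the lowest number is checked first


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_ace(line: str) -> Ace:
    """Parse: <action> <proto> (<src> <wild>|any) [<sport>|any] (<dst> <wild>|any)
    [<dport>|any] ace-priority <n>. Port fields exist only for tcp/udp."""
    toks = line.split()
    action, proto, i = toks[0], toks[1], 2

    def addr() -> Tuple[int, int]:
        nonlocal i
        if toks[i] == "any":
            i += 1
            return ANY
        net, wild = toks[i], toks[i + 1]
        i += 2
        return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))

    def port() -> Optional[int]:
        nonlocal i
        if proto == "ip":
            return None
        tok = toks[i]
        i += 1
        return None if tok == "any" else int(tok)

    src, sport, dst, dport = addr(), port(), addr(), port()
    priority = int(toks[toks.index("ace-priority") + 1])
    return Ace(action, proto, src, sport, dst, dport, priority)


def _addr_match(ip: str, spec: Tuple[int, int]) -> bool:
    """Wildcard semantics: 1 bits are ignored, 0 bits must match, so a wildcard
    of 0.0.0.0 matches exactly one host and 0.0.0.255 matches a whole /24."""
    network, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (network & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(pkt.src, ace.src) and _addr_match(pkt.dst, ace.dst)):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, priority of the matching ACE). No match is modelled as the
    implicit deny at the end of the list, reported with priority None."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace_matches(ace, pkt):
            return ace.action, ace.priority
    return "deny", None


ORIGINAL = [parse_ace(ln) for ln in """
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 139 ace-priority 20
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 389 ace-priority 40
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 445 ace-priority 60
permit ip any any ace-priority 80
""".strip().splitlines()]

REVERSED = [parse_ace(ln) for ln in """
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 139 ace-priority 20
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 389 ace-priority 40
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 445 ace-priority 60
permit ip any any ace-priority 80
""".strip().splitlines()]

# Constructed packet (addresses and client port are assumptions): a child-domain
# client on VLAN 20 opening LDAP to a parent-domain server. This is what an ACL
# bound with "service-acl input" on VLAN 20 sees: source 10.10.11.x, dest 10.10.10.x.
CHILD_TO_PARENT_LDAP = Packet("tcp", "10.10.11.25", 51000, "10.10.10.10", 389)
# Constructed packets in the parent-to-child direction, to show what 0.0.0.0 does.
PARENT_TO_CHILD_HOST = Packet("tcp", "10.10.10.10", 51001, "10.10.11.25", 445)
PARENT_TO_NETWORK_ADDR = Packet("tcp", "10.10.10.10", 51002, "10.10.11.0", 445)

if __name__ == "__main__":
    print("original, child->parent LDAP  :", evaluate(ORIGINAL, CHILD_TO_PARENT_LDAP))
    print("reversed, child->parent LDAP  :", evaluate(REVERSED, CHILD_TO_PARENT_LDAP))
    print("original, parent->10.10.11.25 :", evaluate(ORIGINAL, PARENT_TO_CHILD_HOST))
    print("original, parent->10.10.11.0  :", evaluate(ORIGINAL, PARENT_TO_NETWORK_ADDR))
```

With the original list the child-to-parent LDAP packet falls through to `permit ip any any`; with the reversed list the ACE at priority 40 denies it. The original list only ever denies traffic whose destination is exactly 10.10.11.0, which is why it looked as if nothing was being blocked.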

Joseph Hornsey, President and Janitor, Commented:
Oh... nice catch, Istvan. I messed up the wildcard masks on my destinations.
0
Jason Murphy (Author) Commented:
Hi

So what you're both saying is I need the same deny rule in both directions?

My VLAN 10 clients are on interface range 1-12.
My VLAN 20 clients are on interface range 13-24.

Which interface range does the ACL need to be applied on?

Thanks
0
Joseph Hornsey, President and Janitor, Commented:
Question answered satisfactorily
0