Access Control List

Unanswered Question
Jun 20th, 2007

I have multiple vlans which plug into a 6509 with a MSFC2A. The vlans are 10.27.1.0, 10.35.1.0, 10.36.1.0, 10.36.2.0 all with 24 bit masks. I need to allow the 10.35.1.0 vlan access to the internet and nothing else. The internet gateway is 10.27.1.4, however I have other servers on the 10.27.1.x subnet that I don't want to be seen. I need some help writing the ACL.

Thanks in advance for your help

acomiskey Wed, 06/20/2007 - 07:19

access-list 100 deny ip any 10.27.1.0 0.0.0.255
access-list 100 deny ip any 10.36.1.0 0.0.0.255
access-list 100 deny ip any 10.36.2.0 0.0.0.255
access-list 100 permit ip any any

interface vlan 35
ip addr 10.35.1.x
ip access-group 100 in

Wilson Samuel Wed, 06/20/2007 - 09:41

Hi,

Correct me if I got this wrong:

1. You have 10.27.1.X/24 , 10.36.1.x/24, 10.36.1.x/24 and 10.35.1.x/24 all in the same switch with MSFC

2. The 10.27.1.x/24 subnet is connected to router, hence all the traffic going to the Internet gets routed from their respective VLANs to 10.27.1.1 IP and goes to Internet

3. You want to allow only 10.35.1.x/24 to be allowed to access the Internet

4. You have the Servers in 10.27.1.x/24 that can access the Internet

5. And in turn you don't mind / you require 10.36.1.x/24, 10.36.2.x/24 and 10.27.1.x/24 to access everything inside the network.

If the above statements are true, then in my humble opinion you should place the ACL on the 10.27.1.x/24 subnet as follows:

access-list 120 permit ip 10.35.1.0 0.0.0.255 any
access-list 120 permit ip 10.36.0.0 0.0.255.255 10.27.1.0 0.0.0.255
access-list 120 deny ip any any

interface vlan 35
ip addr 10.35.1.x
ip access-group 120 in

This is because in my opinion putting IP Any Any might be quite risky at times.

I hope that helps, please rate if it does.

Regards,

Wilson Samuel

acomiskey Wed, 06/20/2007 - 09:50

Wilson that is not correct. His whole point is to restrict access from 10.35.1.0 to the other subnets. Your first acl statement allows the entire subnet to go everywhere.

access-list 120 permit ip 10.35.1.0 0.0.0.255 any

Also, in the next statement, 10.36.0.0 would never be a source address when the acl is applied in vlan 35.

access-list 120 permit ip 10.36.0.0 0.0.255.255 10.27.1.0 0.0.0.255

This one isn't doing much as you've allowed everything in the first acl.

access-list 120 deny ip any any

"This is because in my opinion putting IP Any Any might be quite risky at times."

-There's no problem putting any any at the end of the acl as you have already denied everything you want to deny.

"3. You want to allow only 10.35.1.x/24 to be allowed to access the Internet"

-No, he wants to allow 10.35.1.0/24 to only be able to go to the internet.

Wilson Samuel Wed, 06/20/2007 - 09:59

Hi,

Thanks for the info. Actually I misinterpreted the requirement: I thought ONLY 10.35.1.x/24 should be allowed to access the Internet, as you also have pointed out! My apologies!

However, regarding the second statement, I just wonder: if the hosts in 10.36.x.x are trying to get to 10.27.1.x, why won't it be a source address?

Thanks in advance.

Regards

acomiskey Wed, 06/20/2007 - 10:06

No problems, I guess it could have been interpreted that way.

"However, regarding the second statement, I just wonder: if the hosts in 10.36.x.x are trying to get to 10.27.1.x, why won't it be a source address?"

-Because the access-list is applied in vlan 35, which really means applied into an interface which is part of vlan 35. Therefore the only source address into a port belonging to vlan 35 would be 10.35.x.x.

interface vlan 35
ip addr 10.35.1.x
ip access-group 120 in

So, it of course could be a source but it would not apply in the acl when applied as it is.

Wilson Samuel Wed, 06/20/2007 - 10:13

Exactly what you are saying is correct; however, I'm applying 10.36.x.x onto the VLAN interface which is a member of 10.35.1.x, hence they should be filtered.

Shouldn't they?

Regards,

Wilson Samuel

acomiskey Wed, 06/20/2007 - 10:20

This is what you have above...

access-list 120 permit ip 10.35.1.0 0.0.0.255 any
access-list 120 permit ip 10.36.0.0 0.0.255.255 10.27.1.0 0.0.0.255
access-list 120 deny ip any any

interface vlan 35
ip addr 10.35.1.x
ip access-group 120 in

What I am saying is, the second statement makes no sense (access-list 120 permit ip 10.36.0.0 0.0.255.255 10.27.1.0 0.0.0.255) because 10.36.0.0 would never match that statement as being a source address because of how the acl is applied, into vlan 35.

I'm not sure I understand; we probably aren't understanding each other. 10.36.x.x is not part of 10.35.1.x/24.

alejandro-gomez Fri, 07/27/2007 - 16:25

If you want 10.35.1.0/24 to have access towards the Internet ONLY... maybe it's gonna be easier to restrict the internal subnetworks, or eliminate VLAN routing and use static routes instead.

Sorry if I said something stupid, I'm new at this.

access-list 130 deny ip 10.35.1.0 0.0.0.255 10.36.1.0 0.0.0.255
access-list 130 deny ip 10.35.1.0 0.0.0.255 10.36.2.0 0.0.0.255
access-list 130 permit ip 10.35.1.0 0.0.0.255 host 10.27.1.4
access-list 130 deny ip 10.35.1.0 0.0.0.255 10.27.1.0 0.0.0.255
access-list 130 permit ip any any

regards !
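The disagreement in this thread comes down to two things: Cisco ACLs are evaluated top-down with first-match semantics (so Wilson's leading `permit ip 10.35.1.0 0.0.0.255 any` decides every packet before the later lines are reached), and an ACL applied `in` on interface vlan 35 only ever sees sources from 10.35.1.0/24. The small evaluator below is an added example, not code posted by anyone in the thread; it parses the three ACLs as written (acomiskey's 100, Wilson's 120 with the third line in correct IOS order as `deny ip any any`, alejandro-gomez's 130), applies Cisco wildcard masks, and runs constructed flows from an assumed vlan 35 host 10.35.1.20 to an assumed internet address (203.0.113.10, from TEST-NET-3), a server on the gateway subnet, the two other VLANs and the gateway itself. It then checks each ACL against the original requirement (internet permitted, the three internal subnets denied).

```python
import ipaddress

def _to_int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard (inverse) mask: a 0 bit must match, a 1 bit is don't-care."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def _parse_addr(tokens, i):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line: str) -> dict:
    """Parse one numbered extended ACE, e.g. 'access-list 100 deny ip any 10.27.1.0 0.0.0.255'."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]                      # drop 'access-list <number>'
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    dst, _ = _parse_addr(t, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst}

def parse_acl(text: str) -> list:
    return [parse_ace(l) for l in text.strip().splitlines()]

def evaluate(acl: list, src: str, dst: str):
    """First-match semantics: return (action, line number of the matching ACE).
    If nothing matches, the implicit 'deny ip any any' applies (line None)."""
    for n, ace in enumerate(acl, 1):
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"], n
    return "deny", None

# The three ACLs from the thread, transcribed as posted.
ACL_100 = parse_acl("""
access-list 100 deny ip any 10.27.1.0 0.0.0.255
access-list 100 deny ip any 10.36.1.0 0.0.0.255
access-list 100 deny ip any 10.36.2.0 0.0.0.255
access-list 100 permit ip any any
""")
ACL_120 = parse_acl("""
access-list 120 permit ip 10.35.1.0 0.0.0.255 any
access-list 120 permit ip 10.36.0.0 0.0.255.255 10.27.1.0 0.0.0.255
access-list 120 deny ip any any
""")
ACL_130 = parse_acl("""
access-list 130 deny ip 10.35.1.0 0.0.0.255 10.36.1.0 0.0.0.255
access-list 130 deny ip 10.35.1.0 0.0.0.255 10.36.2.0 0.0.0.255
access-list 130 permit ip 10.35.1.0 0.0.0.255 host 10.27.1.4
access-list 130 deny ip 10.35.1.0 0.0.0.255 10.27.1.0 0.0.0.255
access-list 130 permit ip any any
""")

# Constructed flows. The ACL is applied 'in' on interface vlan 35, so every
# source the ACL sees is in 10.35.1.0/24; 10.35.1.20 is an assumed host there.
SOURCE = "10.35.1.20"
GATEWAY = "10.27.1.4"                 # internet gateway named in the question
REQUIRED = {                          # destination -> action the question asks for
    "203.0.113.10": "permit",         # an internet address (TEST-NET-3, constructed)
    "10.27.1.10": "deny",             # a server on the gateway's subnet (constructed)
    "10.36.1.5": "deny",
    "10.36.2.5": "deny",
}

def meets_requirement(acl: list) -> bool:
    """Internet reachable from vlan 35, the three internal subnets not."""
    return all(evaluate(acl, SOURCE, dst)[0] == want for dst, want in REQUIRED.items())

def report(acl: list) -> dict:
    """Per-destination (action, matching line) including the gateway itself."""
    return {dst: evaluate(acl, SOURCE, dst) for dst in list(REQUIRED) + [GATEWAY]}

if __name__ == "__main__":
    for name, acl in (("100", ACL_100), ("120", ACL_120), ("130", ACL_130)):
        print(f"ACL {name}: meets requirement = {meets_requirement(acl)}")
        for dst, (action, line) in report(acl).items():
            print(f"  {SOURCE} -> {dst:14} {action:6} (line {line})")
```

Two details the output makes visible: ACL 100 denies the gateway address 10.27.1.4 as a destination but still permits internet-bound traffic, because a packet headed for the internet carries the internet address, not the next hop, as its destination; and Wilson's second line can never match a vlan 35 source, so with it alone the flow falls through to `deny ip any any`, exactly as acomiskey says.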
