ACLs for switches

information
Level 1

Cisco 3750 12.2(25)SEE2

Cisco 2950 12.1(22)EA2

We codevelop software with teams from other companies and they come to our site to do this. With these companies we have setup Lan to Lan tunnels. So when they come we allow them to connect to our Guest network. Then they VPN into their companies and connect to a particular host on our end. It does not seem the best way to me for them to loop around like that because of our security restrictions when they are in our site.

I was thinking about letting them connect to our company LAN, then configuring ACLs in a switch, applying them to specific ports, and allowing them access only to a specific host on ports 80 and 443.

If it makes any difference I will throw these 2 scenarios in:

1- destination host and guest users connected physically to ports in the same switch

2- destination host and guest users connected to different switches, uplinked with switches in between. I wonder if one set of ACLs is needed on both switches, or does it matter?

Is this possible? Please provide an example of how it would look in the configuration.

Thanks for your help

John

1 Accepted Solution

Rick Morris
Level 6

The 2950 will not allow ACLs.

The way we do this here is we created a VLAN specific to vendors and contractors. Then we configured certain ports on the switch with this VLAN for them to connect to. In the Layer 3 switch we created ACLs to not allow access to internal resources and allow all Internet traffic. We created PBRs for this and send their traffic through the firewall for inspection.

! Vendor SVI on the Layer 3 switch; vendor traffic is policy-routed via the route-map below
interface Vlan249
 description VLAN249-VENDOR
 ip address 10.1.249.1 255.255.255.0
 ip policy route-map VLAN249-VENDOR_POLICY
!
! Classifier: vendor subnet to internal 10/8 is denied, everything else is permitted
ip access-list extended VLAN249-VENDOR
 remark Vendor Access
 deny ip 10.1.249.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.1.249.0 0.0.0.255 any
!
! Traffic permitted by the classifier is handed to the firewall as its next hop
route-map VLAN249-VENDOR_POLICY permit 10
 match ip address VLAN249-VENDOR
 set ip default next-hop 10.254.1.10

4 Replies

Leo Laohoo
Hall of Fame

Hi John,

Firstly, the 2950 is a very simple switch and probably won't support ACLs.

Secondly, I don't know if your company is going to be interested, but have you considered implementing Wireless LAN technology?

Some of the features with Cisco's extensive Wireless suites are:

1. Time "bomb" guest access;

2. Each Wireless Access Point can advertise specific SSID (or VLANs);

3. Plug-n-Play (if you use the Wireless LAN Controllers);

4. And a whole lot more!

Hope this helps.


engagerocks,

Thank you very much for your reply. Now, following your example, if I want those vendors to access an internal web server, 10.30.111.111, on port 443:

ip access-list extended VLAN249-VENDOR
 remark Vendor Access
 permit tcp 10.1.249.0 0.0.0.255 host 10.30.111.111 eq 443
 deny ip 10.1.249.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.1.249.0 0.0.0.255 any

Does the above line I added accomplish it? Also, is the PBR the route-map statement? Is it really needed when the only way to go out to the Internet is through the firewall?

Thanks for your input

Yes, you are correct.
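The ACL ordering discussed above, as an added example that is not part of any post in this thread: a small Python first-match evaluator for the VLAN249-VENDOR ACL with John's 443 entry, assuming the ACL is applied as an inbound packet filter on the vendor SVI and that all wildcard masks are contiguous (as they are here). It also shows what happens if the 443 permit is placed after the 10/8 deny.

```python
import ipaddress

# Constructed sample: the VLAN249-VENDOR ACL from the thread, with John's
# "permit tcp ... host 10.30.111.111 eq 443" entry placed first.
# Each entry: (action, protocol, source spec, destination spec, dest port or None)
VENDOR_ACL = [
    ("permit", "tcp", "10.1.249.0 0.0.0.255", "host 10.30.111.111", 443),
    ("deny",   "ip",  "10.1.249.0 0.0.0.255", "10.0.0.0 0.255.255.255", None),
    ("permit", "ip",  "10.1.249.0 0.0.0.255", "any", None),
]

# Same entries with the 443 permit placed after the 10/8 deny (ordering mistake).
MISORDERED_ACL = [VENDOR_ACL[1], VENDOR_ACL[0], VENDOR_ACL[2]]


def ios_spec_to_network(spec):
    """Turn an IOS 'any' / 'host A' / 'A WILDCARD' spec into an ip_network.
    Assumes contiguous wildcard masks (the only kind used in this thread)."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, wildcard = spec.split()
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    netmask = int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.ip_address(netmask))), strict=False)


def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation as IOS does it, ending with the implicit deny.
    Returns (action, entry number); entry number None means the implicit deny fired."""
    for number, (action, aproto, asrc, adst, aport) in enumerate(acl, start=1):
        if aproto != "ip" and aproto != proto:
            continue
        if ipaddress.ip_address(src) not in ios_spec_to_network(asrc):
            continue
        if ipaddress.ip_address(dst) not in ios_spec_to_network(adst):
            continue
        if aport is not None and aport != dport:
            continue
        return action, number
    return "deny", None


if __name__ == "__main__":
    for flow in [("tcp", "10.1.249.20", "10.30.111.111", 443),
                 ("tcp", "10.1.249.20", "10.30.111.111", 80),
                 ("tcp", "10.1.249.20", "203.0.113.9", 443)]:
        print(flow, "ordered:", evaluate(VENDOR_ACL, *flow),
              "misordered:", evaluate(MISORDERED_ACL, *flow))
```

One caveat on the accepted configuration: when the ACL is referenced only by the route-map, a `deny` entry exempts that traffic from policy routing rather than dropping it, so blocking vendor-to-internal traffic also requires applying the ACL inbound on the SVI with `ip access-group VLAN249-VENDOR in`.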
