ACL for LAN

Aug 19th, 2009


I want every VLAN in our LAN to be secured by an incoming ACL. The PCs need to access only the server network (192.168.124.0/24) and the Internet. Everything else should be disabled.

Here is the ACL I came up with so far.


Any comments on it, please? Is there something I can improve?


ip access-list extended VLAN_2_LAN
 permit ip 192.168.0.0 0.0.255.255 192.168.124.0 0.0.0.255 // Access to server net
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 127.0.0.0 0.255.255.255
 deny ip any 169.254.0.0 0.0.255.255
 permit udp any eq 1985 host 224.0.0.2 eq 1985 // HSRP
 deny ip any 224.0.0.0 30.255.255.255
 permit udp any eq 68 host 255.255.255.255 eq 67 // DHCP
 deny ip any 255.0.0.0 0.255.255.255
 permit ip 192.168.0.0 0.0.255.255 any // Access to Internet
 deny ip any any
!


johnspaulding Wed, 08/19/2009 - 11:55

I would do it a little differently, and this is just my two cents. Let me know if I'm off track and I will help you with the ACLs. I would use a VACL since you ONLY want communication between LAN and SERVER and the Internet.


Access-list (might need to tweak it):


ip access-list extended VLAN-->SERVER
 permit ip any 192.168.124.0 0.0.0.255
 permit udp any eq 1985 host 224.0.0.2 eq 1985
 permit udp any eq 68 host 255.255.255.255 eq 67
 permit tcp any eq www any
 permit tcp any any eq www
 permit tcp any eq 443 any
 permit tcp any any eq 443
 permit icmp any any echo // ping
 permit icmp any any echo-reply // optional
 permit icmp any any port-unreachable // optional (traceroute)
 permit tcp any any eq telnet // optional
 permit eigrp any any // only if you run a routing protocol in this VLAN
 permit ospf any any // only if you run a routing protocol in this VLAN


I am using "permit ... any" since this only pertains to the LAN VLAN subnet.


Everything else will get denied by access-map sequence 20.


! sequence 10: forward the permitted traffic
vlan access-map VLAN_LAN_FILTER 10
 match ip address VLAN-->SERVER
 action forward
! sequence 20: no match clause, so it drops all remaining traffic
vlan access-map VLAN_LAN_FILTER 20
 action drop
!
! apply the map to your LAN VLAN (VLAN 2 here)
vlan filter VLAN_LAN_FILTER vlan-list 2


Let me know if this helps your case.


tomas.horacek Wed, 08/19/2009 - 12:01

Thanks for your reply John.


I didn't know about the VACL thing, will read more info on this.


Btw. Is it safe to disable all the broadcast and multicast, wouldn't it affect our Windoze PC networking or something?

Anything else besides HSRP needs to be allowed ?


Thank you for your tip.



Peter Paluch Wed, 08/19/2009 - 12:18

Hello Tomas, John,


Hey John, a nice approach!


Tomas, the VACLs are available only on multilayer switches. See this link for a hint to configure it:


http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/swacl.html#wp1116619


Broadcasts should be disabled cautiously. It depends very much on the network applications you are using. I can't give you any general recommendation, unfortunately.


Best regards,

Peter


Peter Paluch Wed, 08/19/2009 - 12:06

Hello Tomas,


This ACL is fine, but note that basically, its implicit policy is "deny ip any any". Therefore, you do not need the individual "deny" entries, as the packets which are not permitted explicitly will be dropped anyway at the very end of the ACL.


Your ACL could be therefore simplified to:


ip access-list extended VLAN_2_LAN
 permit ip 192.168.0.0 0.0.255.255 192.168.124.0 0.0.0.255 // Access to server net
 permit udp any eq 1985 host 224.0.0.2 eq 1985 // HSRP
 permit udp any eq 68 host 255.255.255.255 eq 67 // DHCP
 permit ip 192.168.0.0 0.0.255.255 any // Access to Internet
 deny ip any any


Keeping an ACL short both aids its readability and speeds up its evaluation for each packet. Also, if you are using a multilayer switch, the ACL is compiled and stored in the TCAM, where space is very precious.


Best regards,

Peter


Jon Marshall Wed, 08/19/2009 - 12:12

Peter


I agree that you should keep it simple, but your ACL won't do what the OP wants.


permit ip 192.168.0.0 0.0.255.255 any // Access to Internet


will allow all 192.168.x.0 VLANs to access all other VLANs. So you do need a deny in there, i.e. the last 2 lines become:


 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any


Jon

Jon Marshall Wed, 08/19/2009 - 12:32

Peter


"You're right, as usual."


Hmmm, you obviously don't read all my posts then :-)


Jon

Peter Paluch Wed, 08/19/2009 - 12:40

Jon,


Well, I haven't encountered a wrong one yet :) Keep up the great work!


Best regards,

Peter


johnspaulding Wed, 08/19/2009 - 12:13

Yes, paluchpeter is correct. Keep that ACL as simple as you can. On another note, I don't think the ACL is complete yet, because it leaves room for the other VLANs to communicate with each other. With the VACL I showed you this would not be the case. You don't have to go the VACL path, just note that it's a possibility. You asked about blocking multicast, but it depends on your network layout and requirements (routing protocols, do you run mcast?), things like that. Let me know if I can help you further. Thanks

tomas.horacek Wed, 08/19/2009 - 12:28

I do believe the ACL is as simple as possible.

Or am I wrong?


ip access-list extended VLAN_2_LAN
 permit ip 192.168.0.0 0.0.255.255 192.168.124.0 0.0.0.255 // Access to server net
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 127.0.0.0 0.255.255.255
 deny ip any 169.254.0.0 0.0.255.255
 permit udp any eq 1985 host 224.0.0.2 eq 1985 // HSRP
 deny ip any 224.0.0.0 30.255.255.255
 permit udp any eq 68 host 255.255.255.255 eq 67 // DHCP
 deny ip any 255.0.0.0 0.255.255.255
 permit ip 192.168.0.0 0.0.255.255 any // Access to Internet
 deny ip any any
!


The first permit will allow unrestricted communication with the server network (where all resources are).

The next set of denies will prevent other communication to our network (192.168/16), and also to other private networks.

Next I permit the HSRP traffic, then I deny all access to multicast and test networks.

Then I allow DHCP traffic and I deny all access to the 255/8 network.

Then I permit all traffic from our 192.168/16 network to the Internet (minus the traffic denied previously).

At the end I deny everything else that's left, for example traffic with a source other than 192.168/16.


We use no dynamic routing protocol in client VLANs. We only route by OSPF in network 192.168.124/24 (the server network). The server net VLAN won't be restricted by this ACL, only the client VLANs.

The only multicast traffic is coming from network 192.168.124/24. So there is no problem.

On the client PCs, there is no reason for them to multicast.

Jon Marshall Wed, 08/19/2009 - 12:37

Tomas


It really depends on what exactly you are trying to achieve. Personally, the ACL I would write would be:


ip access-list extended VLAN_2_LAN
 permit ip 192.168.0.0 0.0.255.255 192.168.124.0 0.0.0.255 // Access to server net
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit udp any eq 1985 host 224.0.0.2 eq 1985 // HSRP
 permit udp any eq 68 host 255.255.255.255 eq 67 // DHCP
 permit ip 192.168.0.0 0.0.255.255 any // Access to Internet


Only you know your network, but I'm not sure why you want to include all the other private addressing, i.e. 10/8, 172.16/16 etc.


On an Internet-facing ACL you can indeed include these, but isn't this ACL purely for your internal network?


I'm assuming there is a firewall/router for the Internet?


Jon
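Jon's point (that Peter's shortened ACL lets the client VLANs reach each other, and that one extra deny between the server-net permit and the Internet permit closes that) is easy to check offline. The following is an added example, not code from this thread: a small evaluator for IOS-style extended ACEs (wildcard masks, first match wins, implicit deny at the end) run against constructed sample packets. The client hosts 192.168.2.10 and 192.168.3.10, the HSRP router 192.168.2.2 and the Internet address 203.0.113.7 are assumptions for illustration, not addresses from the thread.

```python
"""Evaluate Cisco IOS-style extended ACLs offline (added example, not from the thread).

Implements what the thread relies on: wildcard masks (1 bit = don't care),
first-match semantics, and the implicit 'deny ip any any' at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

NAMED_PORTS = {"www": 80, "telnet": 23, "domain": 53, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: Tuple[str, str]          # (address, wildcard)
    sport: Optional[int]
    dst: Tuple[str, str]
    dport: Optional[int]
    text: str                     # original line, for reporting which ACE matched


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: a 1 bit means 'don't care'; 0.0.0.255 covers a /24, 0.15.255.255 a /12."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one 'permit|deny PROTO SRC [eq P] DST [eq P]' line; skip headers, comments, blanks."""
    line = line.split("//", 1)[0].strip()          # tolerate the thread's // annotations
    if not line or line.startswith("!") or line.startswith("ip access-list"):
        return None
    toks = line.split()
    action, proto, i = toks[0], toks[1], 2
    if action not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {line}")

    def addr(i: int):
        if toks[i] == "any":
            return ("0.0.0.0", "255.255.255.255"), i + 1
        if toks[i] == "host":
            return (toks[i + 1], "0.0.0.0"), i + 2
        return (toks[i], toks[i + 1]), i + 2

    def port(i: int):
        if i < len(toks) and toks[i] == "eq":
            p = toks[i + 1]
            return (NAMED_PORTS[p] if p in NAMED_PORTS else int(p)), i + 2
        return None, i

    src, i = addr(i)
    sport, i = port(i)
    dst, i = addr(i)
    dport, i = port(i)
    return Ace(action, proto, src, sport, dst, dport, line)


def parse_acl(text: str):
    return [a for a in map(parse_ace, text.splitlines()) if a]


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace.src) or not wildcard_match(pkt.dst, *ace.dst):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl, pkt: Packet):
    """First matching ACE wins; no match at all is the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "<implicit deny ip any any>"


# Peter's shortened ACL: no deny between the server-net permit and the Internet permit.
PETER_ACL = parse_acl("""
ip access-list extended VLAN_2_LAN
 permit ip 192.168.0.0 0.0.255.255 192.168.124.0 0.0.0.255 // server net
 permit udp any eq 1985 host 224.0.0.2 eq 1985 // HSRP
 permit udp any eq 68 host 255.255.255.255 eq 67 // DHCP
 permit ip 192.168.0.0 0.0.255.255 any // Internet
 deny ip any any
""")

# Jon's version: one extra deny for 192.168/16 -> 192.168/16, relying on the implicit deny at the end.
JON_ACL = parse_acl("""
ip access-list extended VLAN_2_LAN
 permit ip 192.168.0.0 0.0.255.255 192.168.124.0 0.0.0.255
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit udp any eq 1985 host 224.0.0.2 eq 1985
 permit udp any eq 68 host 255.255.255.255 eq 67
 permit ip 192.168.0.0 0.0.255.255 any
""")

# Constructed sample packets; the host addresses are assumptions for illustration.
SAMPLES = {
    "pc_to_server":     Packet("tcp", "192.168.2.10", "192.168.124.5", 51000, 445),
    "pc_to_other_vlan": Packet("tcp", "192.168.2.10", "192.168.3.10", 51001, 445),
    "pc_to_internet":   Packet("tcp", "192.168.2.10", "203.0.113.7", 51002, 443),
    "dhcp_discover":    Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "hsrp_hello":       Packet("udp", "192.168.2.2", "224.0.0.2", 1985, 1985),
    "spoofed_src":      Packet("tcp", "10.1.1.1", "192.168.124.5", 40000, 22),
}


def decisions(acl):
    """Map each sample packet name to the ACL's permit/deny decision."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("Peter", PETER_ACL), ("Jon", JON_ACL)):
        for name, pkt in SAMPLES.items():
            action, by = evaluate(acl, pkt)
            print(f"{label:5} {name:17} {action:6} <- {by}")
```

Running it shows the one difference that matters: `pc_to_other_vlan` is permitted by Peter's ACL (it falls through to `permit ip 192.168.0.0 0.0.255.255 any`) and denied by Jon's; everything else (server access, Internet, DHCP discover, HSRP hello) is permitted identically, and the packet with a non-192.168 source hits the implicit deny in Jon's ACL even though he wrote no explicit `deny ip any any`.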

johnspaulding Wed, 08/19/2009 - 12:38

Well, it is simple but can be cleaned up a little. Like Peter was saying, you don't need the denies for the RFC 1918 addresses. The deny statement at the end is also not needed, because this is implicit after the access-list. You could log it with "deny ip any any log" in case you need to permit "FUN" traffic that you weren't aware of (it happens, they're users :). With the last ACE where you are permitting the 192.168.0.0 range, you need a deny like Jon put so your VLAN networks can't talk to each other. So here is the final... I think ;)


ip access-list extended VLAN_2_LAN
 permit ip 192.168.0.0 0.0.255.255 192.168.124.0 0.0.0.255 // Access to server net
 permit udp any eq 1985 host 224.0.0.2 eq 1985 // HSRP
 deny ip any 224.0.0.0 30.255.255.255
 permit udp any eq 68 host 255.255.255.255 eq 67 // DHCP
 deny ip any 255.0.0.0 0.255.255.255
 permit ip 192.168.0.0 0.0.255.255 any // Access to Internet
 deny ip any any log // not needed (implicit), but logs what gets dropped


And instead of that "permit ip 192.168.0.0 0.0.255.255 any" statement, you could do something like this so you're not allowing everything:


 permit tcp 192.168.0.0 0.0.0.255 eq www any
 permit tcp 192.168.0.0 0.0.0.255 any eq www


You might also want to allow http (443).


Again, my two cents.
