Access Lists - Configuration Question

Answered Question
Sep 3rd, 2009

Hello,

Can you please help me with the following?

I currently have this scenario; I have two VLANs with two network ranges (192.168.2.0 and 192.168.200.0):

interface Vlan2
 ip address 192.168.2.3 255.255.255.0
 ip access-group Sub2 in
interface Vlan200
 ip address 192.168.200.3 255.255.255.0
 ip access-group Sub200 in

As you can see, I have two access lists defined. Below is an example of how I'm configuring the access lists to allow communication between two hosts from the two VLANs:

On Sub2: permit ip host 192.168.2.9 host 192.168.200.124

On Sub200: permit ip host 192.168.200.124 host 192.168.2.9

So each time I want to allow communication between two hosts I need to add an entry to each of the two access lists as shown above. Each access list is applied in the IN direction on its respective subnet.

Now the problem is as follows:

I need to add a third VLAN3 and a third subnet. My plan is to do the following, please correct me if I'm wrong:

The new network range will be 192.168.3.0/24 and the new VLAN will be called Vlan3. I will create a new access list called Sub3 and apply it in the IN direction on Vlan3.

Then if I want to allow communication between a host on Vlan2 and a host on Vlan3:

I will add to Sub3 for example:

permit ip host 192.168.3.55 host 192.168.2.124

And I will add to Sub2:

permit ip host 192.168.2.124 host 192.168.3.55

I will have to do the same if I need to allow communication between hosts on Vlan200 and Vlan3.

Can you please confirm that this is the right thing to do and if it will do the job?

Thank you.

Raymond

Peter Paluch Thu, 09/03/2009 - 03:07

Hi Raymond,

It will do the job, sure. It's just tedious to configure. You are basically allowing the communication based on communicating pairs of addresses. That leads to a high number of entries required in your ACLs. You seem to have rather strict security requirements - is it necessary?

I personally do not know of any approach that would significantly make your configuration easier. That follows from the source-destination pairs you have to create for every allowable communication between your VLANs. Even if they were specified only in one ACL instead of two (a combination of your ACLs with CBAC), it would remove half of your ACL entries, but the essential quadratic complexity (sources x receivers) is still there.

Best regards,

Peter
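As an added illustration (not code from the thread or from Cisco), here is a small Python model of the scheme Raymond describes and of the pairwise growth Peter points out. It builds the three inbound ACLs from a list of allowed host pairs, renders them as IOS configuration, and evaluates a packet the way the switch would: the ACL applied inbound on the source host's SVI is walked top-down, first match wins, and anything unmatched falls through to the implicit deny. The VLAN and ACL names follow the question; the host addresses in the full-mesh part are constructed to show the entry count.

```python
from ipaddress import ip_address, ip_network
from itertools import combinations, product

# VLAN name -> (subnet, name of the ACL applied inbound on that SVI).
# Constructed to match the thread's Vlan2 / Vlan200 / Vlan3 layout.
VLANS = {
    "Vlan2":   (ip_network("192.168.2.0/24"),   "Sub2"),
    "Vlan200": (ip_network("192.168.200.0/24"), "Sub200"),
    "Vlan3":   (ip_network("192.168.3.0/24"),   "Sub3"),
}

# Allowed host pairs (constructed from the examples in the question).
ALLOWED_PAIRS = [
    ("192.168.2.9", "192.168.200.124"),
    ("192.168.2.124", "192.168.3.55"),
]


def vlan_of(addr):
    """Return the VLAN whose subnet contains addr, i.e. the SVI on which
    a packet sourced from addr enters the router."""
    a = ip_address(addr)
    for name, (net, _acl) in VLANS.items():
        if a in net:
            return name
    raise ValueError(f"{addr} is not in any configured VLAN")


def build_acls(pairs):
    """Return {acl_name: [(action, src, dst), ...]} for every VLAN.

    Each inbound ACL only sees traffic entering from its own subnet, so
    one allowed pair costs one permit line in each of the two ACLs."""
    acls = {acl: [] for _net, acl in VLANS.values()}
    for a, b in pairs:
        for src, dst in ((a, b), (b, a)):
            acl = VLANS[vlan_of(src)][1]
            acls[acl].append(("permit", src, dst))
    return acls


def entry_count(acls):
    """Total number of ACL lines across all VLANs (2 per allowed pair)."""
    return sum(len(entries) for entries in acls.values())


def permitted(acls, src, dst):
    """IOS-style evaluation: take the ACL applied inbound on the SVI the
    packet arrives on, walk it top-down, first match wins, and fall
    through to the implicit deny at the end."""
    acl = VLANS[vlan_of(src)][1]
    for action, s, d in acls[acl]:
        if s == src and d == dst:
            return action == "permit"
    return False  # implicit 'deny ip any any'


def render_ios(acls):
    """Emit the named extended ACLs and the SVI bindings as IOS config."""
    lines = []
    for vlan, (_net, acl) in VLANS.items():
        lines.append(f"ip access-list extended {acl}")
        for action, src, dst in acls[acl]:
            lines.append(f" {action} ip host {src} host {dst}")
        lines.append(f"interface {vlan}")
        lines.append(f" ip access-group {acl} in")
    return "\n".join(lines)


def full_mesh_pairs(hosts_by_vlan):
    """Every cross-VLAN host pair: the 'sources x receivers' growth Peter
    describes if all listed hosts must reach each other."""
    pairs = []
    for v1, v2 in combinations(hosts_by_vlan, 2):
        pairs.extend(product(hosts_by_vlan[v1], hosts_by_vlan[v2]))
    return pairs


if __name__ == "__main__":
    acls = build_acls(ALLOWED_PAIRS)
    print(render_ios(acls))
    print(permitted(acls, "192.168.2.9", "192.168.200.124"))  # True
    print(permitted(acls, "192.168.2.9", "192.168.3.55"))     # False, no pair
    # Four constructed hosts per VLAN that must all talk: 48 pairs, 96 lines
    mesh = full_mesh_pairs({
        "Vlan2":   [f"192.168.2.{i}" for i in range(10, 14)],
        "Vlan200": [f"192.168.200.{i}" for i in range(10, 14)],
        "Vlan3":   [f"192.168.3.{i}" for i in range(10, 14)],
    })
    print(len(mesh), entry_count(build_acls(mesh)))  # 48 96
```

Running it prints the three ACLs with their interface bindings, then shows that the reverse direction of a pair is permitted only because a second line exists in the other VLAN's ACL, and that a host pair nobody listed (2.9 to 3.55) is dropped by the implicit deny. The full-mesh figures make Peter's point concrete: with four hosts in each of three VLANs, allowing everyone to talk already costs 96 lines.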

interedlb Thu, 09/03/2009 - 03:19

Hi Peter,

Thank you for your answer. So it seems that my plan will do the job, thank you. The three access lists will allow communication between the three VLANs for specific hosts only.

Now regarding your question about my security requirement, all I need to do is to block communication between the VLANs by default and allow communication between specific hosts only. Do you believe that this can be done in an "easier" way? Like maybe with fewer access lists or fewer entries? Maybe I can do it without having to submit TWO access list entries each time I want to allow communication between two clients?

Thank you.

Raymond

Correct Answer
Jon Marshall Thu, 09/03/2009 - 03:36

Raymond

"Do you believe that this can be done in an "easier" way?"

Not really, no. As Peter says, you could use reflexive ACLs or even CBAC, which is an IOS firewall (although it may not be supported on your device), which would allow you to maintain just one ACL, but even then you are still having to do specific src/dst entries.

Edit - if you do find that this becomes unmanageable because of the number of entries, then you may want to question whether you have the right devices on the right VLANs, i.e. would moving certain devices into one of the other VLANs negate the need for so many ACL entries.

Jon
