Can Cat-3750 support ACL applied to a L3 vlan?

Unanswered Question
Apr 6th, 2010

I have a 3750 catalyst (12.2(46)SE) with eigrp routing turned on and three L3 vlan interfaces created. I need to limit the IP access to/from a particular host in one of the vlans to just TCP port 80. So I created an extended ACL and applied it to the vlan interface such as:

int vlan 54

ip address 10.1.1.1 255.255.255.0

ip access-group Block_PC_to_WWW_only in

ip helper-address 10.3.1.25

ip access-list extended Block_PC_to_WWW_only
permit tcp host 10.1.1.50 eq 80 any
permit tcp any host 10.1.1.50 eq 80
permit tcp host 10.1.1.50 any eq 80
permit tcp any eq 80 host 10.1.1.50
deny   ip any host 10.1.1.50
deny   ip host 10.1.1.50 any
permit ip any any

When I apply the ACL to the vlan, not only can I access the web from 10.1.1.50, but I can telnet to other devices outside of vlan 54. As can be seen from the ACL counters, nothing is hitting the permit statements except the permit at the end.

VoIP-MDF-3750-54-1#sh access-list Block_PC_to_WWW_only
Extended IP access list Block_PC_to_WWW_only
    10 permit tcp host 10.1.1.50 eq 80 any
    20 permit tcp any host 10.1.1.50 eq 80
    30 permit tcp host 10.1.1.50 any eq 80
    40 permit tcp any eq 80 host 10.1.1.50
    50 deny ip any host host 10.1.1.50
    60 deny ip host host 10.1.1.50 any (104 matches)
    70 permit ip any any (259 matches)

Am I doing this wrong?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Federico Coto F... Tue, 04/06/2010 - 14:22

Hi,

Everything is working because of the last permit ip any any statement.

If you attempt a connection to 10.1.1.50 on port 80, it should match the first permit statements.

The question is, is the www traffic that you're testing in fact entering int vlan 54?

Federico.

Collin Clark Tue, 04/06/2010 - 14:29

Also, Don't hold the hit counts as gospel.

http://www.cisco.com/web/about/security/intelligence/acl-logging.html

If you really want it to log you should permit a deny tcp/udp equal to 0, then add your permits and add log at the end of each permit (that should be temporary or you could get very large logs). As Federico mentioned, the permit ip any any is allowing everything through.

Jon Marshall Tue, 04/06/2010 - 14:26

jkeeffe wrote:

I have a 3750 catalyst (12.2(46)SE) with eigrp routing turned on and three L3 vlan interfaces created. I need to limit the IP access to/from a particular host in one of the vlans to just TCP port 80. So I created an extended ACL and applied it to the vlan interface such as:

int vlan 54

ip address 10.1.1.1 255.255.255.0

ip access-group Block_PC_traffic_to_WWW_only in

ip helper-address 10.3.1.25

ip access-list extended Block_PC_to_WWW_only
permit tcp host 10.1.1.50 eq 80 any
permit tcp any host 10.1.1.50 eq 80
permit tcp host 10.1.1.50 any eq 80
permit tcp any eq 80 host 10.1.1.50
deny   ip any host 10.1.1.50
deny   ip host 10.1.1.50 any
permit ip any any

When I apply the ACL to the vlan, not only can I access the web from 10.1.1.50, but I can telnet to other devices outside of vlan 54. As can be seen from the ACL counters, nothing is hitting the permit statements except the permit at the end.


Your problem is that the acl is applied inbound so it won't affect traffic from host 10.1.1.50 outbound to any destinations not on that vlan eg.

permit tcp host 10.1.1.50 eq 80 any

this line will never be hit because the source is 10.1.1.50 and inbound traffic to vlan 54 will never have a source IP of 10.1.1.50.

However it's not as simple as just applying an acl outbound as well because this would block return http traffic from 10.1.1.50 to clients that had initiated a connection.

So you need to use the established keyword or look at reflexive access-lists. However on the 3750 i don't think reflexive acls are supported so you could try the established keyword.

What exactly do you want to do with host 10.1.1.50 ?  ie. you only want to allow http connections to it from outside but what about from that host ?

Jon

Actions

This Discussion