acl question

Hi! I'm trying to configure ACLs on 2 x 4506 switches running HSRP. Below are the vlans created, and I'm trying to apply some ACL rules to the vlan interfaces based on the remarks I stated for each vlan. I need someone to verify whether my concept of ACLs on an L3 switch is correct. Thanks.

vlan 10 172.16.10.x/24 Office vlan
vlan 20 172.16.11.x/24 Finance vlan
vlan 30 172.16.12.x/24 Management vlan
vlan 40 172.16.13.x/24 Prod1 vlan
vlan 50 172.16.14.x/24 Prod2 vlan
vlan 60 172.16.15.x/24 server vlan

Vlan 10 (Office vlan) - only svr and finance vlan can access the office vlan + only office vlan can access finance vlan
access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255 log (IP Access-group In)

access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.15.0 0.0.0.255 log (IP Access-group In)

access-list 101 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255 log (IP Access-group Out)
access-list 101 permit ip 172.16.15.0 0.0.0.255 172.16.10.0 0.0.0.255 log (ip access-group out)

Vlan 20 (Finance vlan) - only office and svr vlan can access the finance vlan + finance vlan can only access svr and office vlan
access-list 103 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255 log (IP Access-group In)
access-list 103 permit ip 172.16.11.0 0.0.0.255 172.16.15.0 0.0.0.255 log (IP Access-group In)
access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255 log (IP Access-group Out)
access-list 104 permit ip 172.16.15.0 0.0.0.255 172.16.11.0 0.0.0.255 log (IP Access-group Out)


vlan 60 (server vlan) - 172.16.15.10 can only be accessed by the office and finance vlans + all the other hosts in vlan 60 can be accessed by all the vlans + svr vlan can access all the vlans
access-list 105 permit ip 172.16.15.0 0.0.0.255 any log (IP Access-group In)
access-list 105 deny ip 172.16.12.0 0.0.0.255 host 172.16.15.10 log (IP Access-group Out)
access-list 105 deny ip 172.16.13.0 0.0.0.255 host 172.16.15.10 log (IP Access-group Out)
access-list 105 deny ip 172.16.14.0 0.0.0.255 host 172.16.15.10 log (IP Access-group Out)
access-list 106 permit ip any 172.16.15.0 0.0.0.255 log (IP Access-group Out)


vlan 30 (Management vlan) - can only be accessed by the svr vlan, and vice versa
access-list 107 permit ip 172.16.12.0 0.0.0.255 172.16.15.0 0.0.0.255 log (IP Access-group In)
access-list 108 permit ip 172.16.15.0 0.0.0.255 172.16.12.0 0.0.0.255 log (Ip access-group out)


vlan 40 (Prod1 vlan) - can only be accessed by the svr vlan, and vice versa
access-list 109 permit ip 172.16.13.0 0.0.0.255 172.16.15.0 0.0.0.255 log (IP Access-group In)
access-list 110 permit ip 172.16.15.0 0.0.0.255 172.16.13.0 0.0.0.255 log (IP Access-group Out)


vlan 50 (Prod1 vlan) - can only be accessed by the svr vlan, and vice versa
access-list 111 permit ip 172.16.14.0 0.0.0.255 172.16.15.0 0.0.0.255 log (IP Access-group In)
access-list 112 permit ip 172.16.15.0 0.0.0.255 172.16.14.0 0.0.0.255 log (IP Access-group Out)

Giuseppe Larosa Mon, 05/24/2010 - 11:18

Hello Dkblee,

The ACLs are correct, but I would not use the log option on permit statements; you can add a last statement

deny ip any any log

You should take care only of attempts to access resources; packets and flows matching the permit statements are not so important.

This avoids having the log buffer and syslog flooded by messages about permitted flows, which are of little interest.

There are also performance aspects to be considered: the log option forces traffic to be process switched, so it has to be avoided in permit statements on a multilayer switch.

Note also that you could apply only one ACL, for example in the inbound direction, to achieve your objectives: it is enough to stop one direction to block communications between IP subnets.

An ACL applied inbound on the SVI has source address = source address of that vlan.

These inbound ACLs can also act as an anti-spoofing security measure.

We apply ACLs only inbound and in some special cases the outbound ACL is used to refine the control.

Edit:

Important note:

You need to allow HSRP messages and other routing protocol messages, or they will be blocked, causing an active/active scenario.

you can use

permit udp source-subnet 0.0.0.255 host 224.0.0.2 eq 1985

HSRP uses UDP port 1985 and the all-routers-in-subnet address 224.0.0.2 as destination.

for OSPF

permit ospf source-subnet 0.0.0.255 host 224.0.0.5

permit ospf source-subnet 0.0.0.255 host 224.0.0.6

and so on

But the best choice is to make all client vlans passive (never used by routing protocols).

a dedicated vlan for routing can be used

Hope to help

Giuseppe

hi!

Which means that in Eg1 below, my objective will still be achieved without ACL 101 and 104?

As for Eg2 below, should the denied src and dest be the other way round? I mean 172.16.15.10 as a src rather than a dest, and applied as OUT instead of IN?

What needs to be added in the management vlan (vlan 30) below if I want to be able to ping all the vlans from vlan 30? Please give vlan 10 as an example of one of the destinations.

Another question is that, with the ACL I configured, can I ping or access any resources within the vlan 30 subnet itself?

Thanks.

vlan 10 172.16.10.x/24 Office vlan
vlan 20 172.16.11.x/24 Finance vlan
vlan 30 172.16.12.x/24 Management vlan
vlan 40 172.16.13.x/24 Prod1 vlan
vlan 50 172.16.14.x/24 Prod2 vlan
vlan 60 172.16.15.x/24 server vlan

Eg1

Vlan 10 (Office vlan) - only svr and finance vlan can access the office vlan + only office vlan can access finance vlan
access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255 (IP Access-group In)
access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.15.0 0.0.0.255  (IP Access-group In)
access-list 101 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255  (IP Access-group Out)
access-list 101 permit ip 172.16.15.0 0.0.0.255 172.16.10.0 0.0.0.255  (ip access-group out)



Vlan 20 (Finance vlan) - only office and svr vlan can access the finance vlan + finance vlan can only access svr and office vlan
access-list 103 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255  (IP Access-group In)
access-list 103 permit ip 172.16.11.0 0.0.0.255 172.16.15.0 0.0.0.255  (IP Access-group In)
access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255  (IP Access-group Out)
access-list 104 permit ip 172.16.15.0 0.0.0.255 172.16.11.0 0.0.0.255  (IP Access-group Out)

Eg2


vlan 60 (server vlan) - 172.16.15.10 can only be accessed by the office and finance vlans + all the other hosts in vlan 60 can be accessed by all the vlans + svr vlan can access all the vlans
access-list 105 permit ip 172.16.15.0 0.0.0.255 any (IP Access-group In)

access-list 106 deny ip 172.16.12.0 0.0.0.255 host 172.16.15.10  (IP Access-group Out)
access-list 106 deny ip 172.16.13.0 0.0.0.255 host 172.16.15.10  (IP Access-group Out)
access-list 106 deny ip 172.16.14.0 0.0.0.255 host 172.16.15.10  (IP Access-group Out)
access-list 106 permit ip any 172.16.15.0 0.0.0.255  (IP Access-group Out)


vlan 30 (Management vlan) - can only be accessed by the svr vlan, and vice versa
access-list 107 permit ip 172.16.12.0 0.0.0.255 172.16.15.0 0.0.0.255  (IP Access-group In)
access-list 108 permit ip 172.16.15.0 0.0.0.255 172.16.12.0 0.0.0.255  (Ip access-group out)

Ganesh Hariharan Tue, 05/25/2010 - 10:37

Hi,

As Giuseppe suggested, and as a basic rule of thumb for applying the ACL in the inbound direction and near the source, I will just take an example for one rule so that you can deploy it for the other departments.

vlan 10 172.16.10.x/24 Office vlan

vlan 20 172.16.11.x/24 Finance vlan
vlan 30 172.16.12.x/24 Management vlan
vlan 40 172.16.13.x/24 Prod1 vlan
vlan 50 172.16.14.x/24 Prod2 vlan
vlan 60 172.16.15.x/24 server vlan

As per the requirement Vlan 10 (Office vlan) - only svr and finance vlan can access the office vlan + only office vlan can access finance vlan

So apply the ACL in the inbound direction on the svr vlan interface and the finance vlan interface for the office vlan subnet, and on the office vlan interface towards the finance vlan subnet.
int vlan office (vlan 10)
access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255 (ip access-group in)
int vlan svr (vlan 60)
access-list 101 permit ip 172.16.15.0 0.0.0.255 172.16.10.0 0.0.0.255 (ip access-group in)
int vlan fin (vlan 20)
access-list 102 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255 (ip access-group in)
With the above example you can easily deploy the ACL in the in direction towards the required destination and restrict at the start.
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
narendrakumar1987in Tue, 06/01/2010 - 09:00

Dear Ganesh,

Your ACLs are absolutely fine except the one below

As per the requirement Vlan 10 (Office vlan) - only svr and finance vlan can access the office vlan + only office vlan can access finance vlan

So apply the acl in inbound direction in svr vlan interface and finance vlan interface for office vlan subnet and in office vlan interface towards the finance vlan subnet.
int vlan office (vlan 10)
access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255(ip access-group in)


Shouldn't the above ACL be applied in the outbound direction?

Because I can interpret the above statement as:

permit any IP traffic which is

----> sourced from my subnet/Office vlan 10/SVI (172.16.10.0),

----> destined to finance vlan 20 (172.16.11.0),

----> "while this traffic is entering in to my VLAN".

It should rather have been "while it is exiting out of my VLAN".

Please note:

If you are very desperate to apply this statement "inbound", you could very well place your statement under the SVI VLAN20

int vlan 20

access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255 (ip access-group in)

Happy networking !!!

Rgds,

Narendrakumar B

Remember to rate the helpful post!!

Ganesh Hariharan Tue, 06/01/2010 - 11:28

Hi Narendrakumar,

If you see my previous post's example, vlan 20 has the subnet 172.16.11.x/24 (Finance vlan), and as per the requirement the office vlan subnet is to talk to the finance subnet. The office vlan subnet is vlan 10, 172.16.10.x/24 (Office vlan), so if you say to apply the ACL on int vlan 20 with a source of the office vlan 172.16.10.0 and access-group in on interface vlan 20, the better recommendation says to apply the ACL from where the traffic is generated.

Hope to Help !!

Ganesh.H

narendrakumar1987in Wed, 06/02/2010 - 08:50

Dear Ganesh,

I totally agree with you that it is recommended to apply an extended ACL from where the traffic is generated, because the traffic should not travel a long distance to find out that it is getting denied.

Hence, I agree with you that we are going to place the statement under "int vlan 10" only.

But my confusion is about applying it INBOUND or OUTBOUND. You have applied it inbound (match when the traffic is coming in). Shouldn't that be applied outbound (match when the traffic is going out)?

your Statement :

int vlan 10

access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255 (ip access-group in)

Shouldn't the above ACL be applied outbound direction? as follows

int vlan 10

access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255 (ip access-group out)

Please correct me if I'm wrong.

I would greatly appreciate it if you can let me know whether there is any difference between the above statements in this scenario.

I totally understand how the inbound and outbound statements work when applied under a physical interface. But I'm stuck here in my understanding, since we are applying the statement under an SVI.

In short, my question is: "Do ACL statements make no difference in how they function when applied under an SVI (like int vlan 10), irrespective of the direction in which they are applied?"

Thanks for your time and happy networking!!!

Rgds,

Narendrakumar B

Ganesh Hariharan Wed, 06/02/2010 - 09:12

Hi Narendrakumar,

If you apply an ACL in the 'out' direction, the source can be anything while the destination can be 'any' or the vlan machines to which the traffic will be coming. In short, an access-list applied in the outbound direction to a vlan interface filters traffic going TO machines on that vlan, and an access-list applied inbound to a vlan filters traffic coming FROM machines on that vlan.

Now for your query: as per the requirement, vlan 10 traffic needs to talk to vlan 11 traffic, which is why I asked to place the ACL in the in direction on vlan 10. If you apply that ACL in the out direction, since the source IP address in this ACL is itself the vlan's subnet, this ACL will not work.

Hope to clear your query !!

Ganesh.H
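
The two points made in this thread, Giuseppe's (an inbound ACL on an SVI only ever sees sources from that vlan, so a permit-list with a final `deny ip any any log` also catches spoofed sources, and HSRP hellos to 224.0.0.2 UDP 1985 must be permitted explicitly) and Ganesh's (the same ACL applied `out` on Vlan10 sees packets whose destination is in 172.16.10.0/24, so its source-10 permits never match), can be checked with a small model. This is an added example, not code from the thread or from Cisco: it models IOS wildcard matching, first-match with the implicit deny, and the in/out semantics of an SVI as stated above; the host addresses and flows are constructed, the subnets are the ones from the thread, and ACL 100 is the poster's final Office ACL plus the recommended logged deny.

```python
"""Model of how an IOS extended ACL behaves on an SVI (interface VlanN).

Added example, not code from the thread or from Cisco. Assumptions of the model:
  - "in"  on Vlan N sees packets arriving from hosts on VLAN N
    (their source normally lies in VLAN N's subnet);
  - "out" on Vlan N sees packets the switch is about to route onto VLAN N
    (their destination lies in VLAN N's subnet).
Subnets are the ones from the thread; all sample flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"                    # ip / tcp / udp / icmp / eigrp ...
    dport: Optional[int] = None
    ingress_vlan: Optional[int] = None   # VLAN the packet came from
    egress_vlan: Optional[int] = None    # VLAN the switch routes it to


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care' (0.0.0.255 covers a /24)."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, src/wildcard, dst/wildcard, port, log."""
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc))


Result = Tuple[str, bool]   # (action, logged)


def evaluate(acl, p: Packet) -> Result:
    """First matching entry wins; no match falls into the implicit,
    unlogged 'deny ip any any' at the end of every IOS ACL."""
    for ace in acl:
        if ace.matches(p):
            return ace.action, ace.log
    return "deny", False


def svi_filter(acl, vlan: int, direction: str, p: Packet) -> Result:
    """Apply the ACL as 'ip access-group <acl> in|out' on interface Vlan<vlan>.
    Packets not crossing that SVI in that direction are never looked at."""
    seen = (p.ingress_vlan == vlan) if direction == "in" else (p.egress_vlan == vlan)
    return evaluate(acl, p) if seen else ("not-applied", False)


def net(a: str):
    return (a, "0.0.0.255")      # a /24, as in the thread


def host(a: str):
    return (a, "0.0.0.0")


ANY = ("0.0.0.0", "255.255.255.255")

# The poster's final ACL 100 for the Office vlan (172.16.10.0/24), plus the
# explicit logged deny that Giuseppe recommends instead of 'log' on permits.
ACL_100 = [
    Ace("permit", "ip",    *net("172.16.10.0"), *net("172.16.11.0")),
    Ace("permit", "ip",    *net("172.16.10.0"), *net("172.16.15.0")),
    Ace("permit", "udp",   *net("172.16.10.0"), *host("224.0.0.2"), dport=1985),  # HSRP hellos
    Ace("permit", "eigrp", *net("172.16.10.0"), *ANY),
    Ace("deny",   "ip",    *ANY, *ANY, log=True),
]

# Constructed flows; host addresses are illustrative.
FLOWS = {
    "office_to_finance": Packet("172.16.10.20", "172.16.11.5", "tcp", 445, ingress_vlan=10, egress_vlan=20),
    "office_to_prod1":   Packet("172.16.10.20", "172.16.13.5", "icmp", ingress_vlan=10, egress_vlan=40),
    "spoofed_source":    Packet("172.16.11.9", "172.16.15.5", "tcp", 22, ingress_vlan=10, egress_vlan=60),
    "hsrp_hello":        Packet("172.16.10.3", "224.0.0.2", "udp", 1985, ingress_vlan=10),
    "finance_to_office": Packet("172.16.11.5", "172.16.10.20", "tcp", 445, ingress_vlan=20, egress_vlan=10),
}


def demo():
    """Evaluate every flow with ACL 100 applied both in and out on Vlan10."""
    return {(name, d): svi_filter(ACL_100, 10, d, p)
            for name, p in FLOWS.items() for d in ("in", "out")}


if __name__ == "__main__":
    for (name, d), (action, logged) in sorted(demo().items()):
        print(f"Vlan10 {d:3} {name:18} -> {action}{' (logged)' if logged else ''}")
```

Running it shows the inbound application permitting office-to-finance and the HSRP hello, denying and logging the office-to-prod1 flow and the spoofed 172.16.11.9 source arriving from vlan 10, and never matching anything useful when applied outbound: the only packets the outbound ACL sees are those headed into 172.16.10.0/24, such as the finance-to-office reply, which its source-10 permits cannot match. Dropping the final entry shows the implicit deny still blocking but without a log line.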

narendrakumar1987in Wed, 06/02/2010 - 10:41

Dear Ganesh,

Thank you very much for your clarification. And your post is rated!!! Cheers!!!!

Happy Networking!!!!!

Rgds

Narendrakumar B

Giuseppe Larosa Tue, 05/25/2010 - 10:46

Hello,

Yes, inbound ACLs are enough.

Please take note of the advice about HSRP messages, or you will be in trouble with HSRP.

Hope to help

Giuseppe

I tried the method mentioned by both of you, which uses only inbound ACLs near the source. It worked fine, except for a few issues:

1) Even if I allowed my mgt network to access all the vlans by applying "ip access-group in" on the mgt vlan ("access-list 107 permit 172.16.12.0 0.0.0.255"), I'm not able to telnet or ping any other vlan except the mgt vlan itself. This happened only if I do the pinging and telnetting from within the switch. It works fine from the hosts connected to the switch in the mgt vlan.

2) With the access-list below (use access-list 100 as a reference), is it normal that I'm not able to ping my office gw, but only able to ping hosts within that vlan? Do I need to include the office gw in the ACL?

3) In all the scenarios above I applied only inbound ACLs, so how do I know when to use an outbound ACL? Can you give an example?

4) In the svr vlan, if I want to allow 172.16.15.10 to be able to reach prod1's and prod2's hosts, what needs to be done? In the config below I noticed that I can only reach the prod1/prod2 gw from 172.16.15.10, but not the hosts within prod1.

I also noticed that the ACL application on an L3 switch is different from a router's physical interface... actually it's quite confusing between these two. Can you elaborate a bit on the difference between these two? I think on the router side, the inbound ACL is any traffic coming in to the router (the src is external traffic and the dest is a segment within the router). This is different from the L3 switch interface, whereby the IN's source is from the routers and the dest is external to the router.

5) Do I need to put the permit eigrp or ospf command in every vlan interface?

Thanks for the help.

!
172.16.10.x/24 Office vlan - Applied Inbound
----------------------------------------------
access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.11.0 0.0.0.255
access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.15.0 0.0.0.255
access-list 100 permit udp 172.16.10.0 0.0.0.255 host 224.0.0.2 eq 1985
access-list 100 permit eigrp 172.16.10.0 0.0.0.255 any

172.16.11.x/24 Finance vlan - Applied Inbound
------------------------------------------------
access-list 103 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 103 permit ip 172.16.11.0 0.0.0.255 172.16.15.0 0.0.0.255
access-list 103 permit udp 172.16.11.0 0.0.0.255 host 224.0.0.2 eq 1985
access-list 103 permit eigrp 172.16.11.0 0.0.0.255 any

172.16.15.x/24 Svr vlan - Applied inbound
--------------------------------------------
access-list 105 permit ip 172.16.15.0 0.0.0.255 any
access-list 105 permit udp 172.16.15.0 0.0.0.255 host 224.0.0.2 eq 1985
access-list 105 permit eigrp 172.16.15.0 0.0.0.255 any

172.16.12.x/24 Mgt vlan - Applied Inbound
------------------------------------------
access-list 107 permit ip 172.16.12.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 107 permit ip 172.16.12.0 0.0.0.255 172.16.11.0 0.0.0.255
access-list 107 permit ip 172.16.12.0 0.0.0.255 172.16.12.0 0.0.0.255
access-list 107 permit ip 172.16.12.0 0.0.0.255 172.16.13.0 0.0.0.255
access-list 107 permit ip 172.16.12.0 0.0.0.255 172.16.14.0 0.0.0.255
access-list 107 permit ip 172.16.12.0 0.0.0.255 172.16.15.0 0.0.0.255
access-list 107 permit udp 172.16.12.0 0.0.0.255 host 224.0.0.2 eq 1985
access-list 107 permit eigrp 172.16.12.0 0.0.0.255 any

172.16.13.x/24 Prod1 vlan - Applied Inbound
-----------------------------------------------
access-list 109 deny   ip 172.16.13.0 0.0.0.255 host 172.16.15.10
access-list 109 permit ip 172.16.13.0 0.0.0.255 172.16.15.0 0.0.0.255
access-list 109 permit udp 172.16.13.0 0.0.0.255 host 224.0.0.2 eq 1985
access-list 109 permit eigrp 172.16.13.0 0.0.0.255 any

172.16.14.x/24 Prod2 vlan - Applied Inbound
---------------------------------------------
access-list 110 deny   ip 172.16.14.0 0.0.0.255 host 172.16.15.10
access-list 110 permit ip 172.16.14.0 0.0.0.255 172.16.15.0 0.0.0.255
access-list 110 permit udp 172.16.14.0 0.0.0.255 host 224.0.0.2 eq 1985
access-list 110 permit eigrp 172.16.14.0 0.0.0.255 any
!
control-plane
!
!
line con 0
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
end
