Guest VLAN ACL

DJX995
Level 3

Can someone double-check this ACL I wrote that is supposed to restrict traffic on a Guest VLAN from accessing anything on the internal network besides a few services (HTTP(S), DNS, DHCP).

I applied it directly to the VLAN SVI and it seems to work but I wanted a second opinion.

Thanks!

interface Vlan101
 ip access-group VLAN101-IPv4-In in
 ip access-group VLAN101-IPv4-Out out
ip access-list extended VLAN101-IPv4-In
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq www
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 443
 permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
 permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq bootpc
 deny   ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny   ip 172.16.101.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny   ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
 deny   ip 172.16.101.0 0.0.0.255 172.16.100.0 0.0.0.255
 permit ip any any
ip access-list extended VLAN101-IPv4-Out
 permit tcp 172.16.10.0 0.0.0.255 eq domain 172.16.101.0 0.0.0.255
 permit tcp 172.16.10.0 0.0.0.255 eq www 172.16.101.0 0.0.0.255
 permit tcp 172.16.10.0 0.0.0.255 eq 443 172.16.101.0 0.0.0.255
 permit udp 172.16.10.0 0.0.0.255 eq domain 172.16.101.0 0.0.0.255
 permit udp 172.16.10.0 0.0.0.255 eq bootps 172.16.101.0 0.0.0.255
 deny   ip 172.16.1.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny   ip 172.16.2.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny   ip 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny   ip 172.16.100.0 0.0.0.255 172.16.101.0 0.0.0.255
 permit ip any any
9 Replies

Richard Burts
Hall of Fame

You have not provided information about the topology of the network so we are forced to make assumptions. Assuming that the Guest VLAN is vlan 101 and that the address of its subnet is 172.16.101.0/24 and that the internal network consists only of 172.16.1.0, 172.16.2.0, 172.16.10.0, and 172.16.100.0 then these access lists would be pretty effective in preventing devices on the Guest VLAN from communicating with the internal network other than DNS, HTTP, HTTPS, and DHCP, except that I believe that your logic for DHCP is flawed.

The in ACL will be looking for requests from clients to servers and so the port should be bootps rather than bootpc. And the out ACL will be looking for responses from server to client so you should be checking the destination port rather than the source port as your current ACL does, and the port should be bootpc.

HTH

Rick

You are correct on the topology.

Thank you

Is this correct?

ip access-list extended VLAN101-IPv4-In
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq www
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 443
 permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
 permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq bootps
 deny   ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny   ip 172.16.101.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny   ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
 deny   ip 172.16.101.0 0.0.0.255 172.16.100.0 0.0.0.255
 permit ip any any
ip access-list extended VLAN101-IPv4-Out
 permit tcp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq domain
 permit tcp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq www
 permit tcp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq 443
 permit udp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq domain
 permit udp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq bootpc
 deny   ip 172.16.1.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny   ip 172.16.2.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny   ip 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny   ip 172.16.100.0 0.0.0.255 172.16.101.0 0.0.0.255
 permit ip any any

Yes this should be correct.

HTH

Rick

That didn't work.
I had to change the OUT acl back to matching the source port:

permit tcp 172.16.10.0 0.0.0.255 eq domain 172.16.101.0 0.0.0.255

I'm still not getting matches on my other permit statements so I guess I just have to keep messing with it.

I should have read your revised ACL more carefully. I checked the change for DHCP but did not notice that you had changed from checking source ports (as in the original ACL) to checking destination ports for all the protocols. You want to check the destination port for bootpc, but for the other protocols you should be checking the source ports.

HTH

Rick

So, my IN acl is correct, we are just working on the OUT?

Shouldn't I change the DHCP IN acl too?

Is this correct?

ip access-list extended VLAN101-IPv4-In
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq www
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 443
 permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
 permit udp 172.16.101.0 0.0.0.255 eq bootps 172.16.10.0 0.0.0.255
 deny   ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny   ip 172.16.101.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny   ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
 deny   ip 172.16.101.0 0.0.0.255 172.16.100.0 0.0.0.255
ip access-list extended VLAN101-IPv4-Out
 permit tcp 172.16.10.0 0.0.0.255 eq domain 172.16.101.0 0.0.0.255
 permit tcp 172.16.10.0 0.0.0.255 eq www 172.16.101.0 0.0.0.255
 permit tcp 172.16.10.0 0.0.0.255 eq 443 172.16.101.0 0.0.0.255
 permit udp 172.16.10.0 0.0.0.255 eq domain 172.16.101.0 0.0.0.255
 permit udp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq bootpc
 deny   ip 172.16.1.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny   ip 172.16.2.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny   ip 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny   ip 172.16.100.0 0.0.0.255 172.16.101.0 0.0.0.255
 permit ip any any

Thank you for helping me.

I am afraid this is not correct. Let me try to explain it in this way:

for DNS, WWW, and HTTPS/443 the client chooses some port as the source and the server port is known. So when you write the inbound access list the known port is the destination port. So your "in" ACL should check destination port for these protocols. And for your "out" ACL these ports would be the source port.

DHCP is a bit different. The client sends requests to destination port bootps and the server sends responses to destination port bootpc. So your "in" ACL needs to check the destination port for bootps and your "out" ACL needs to check the destination port for bootpc.

HTH

Rick
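To make the source-port versus destination-port distinction concrete, here is a small evaluator for Cisco-style extended ACL entries that replays constructed packets through abbreviated copies of the ACLs in this thread. It is an added example, not code from the thread or from Cisco; the host addresses (server 172.16.10.5, guest 172.16.101.20) and the packets are assumptions of mine. It also shows one thing the thread does not mention: a client's initial DHCPDISCOVER/DHCPREQUEST is sent from 0.0.0.0 to 255.255.255.255 (RFC 2131), so the `permit udp 172.16.101.0 0.0.0.255 ... eq bootps` entry only matches unicast renewals from a client that already holds a lease, and the broadcast falls through to `permit ip any any`.

```python
"""Minimal Cisco-style extended IPv4 ACL evaluator (added example, not from the thread).
Handles only 'permit|deny PROTO SRC [eq P] DST [eq P]' syntax; hosts and packets are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"domain": 53, "www": 80, "bootps": 67, "bootpc": 68}

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src_net: ipaddress.IPv4Network
    sport: Optional[int]   # None means any source port
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]   # None means any destination port

def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF  # wildcard = inverted mask
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False), i + 2

def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' qualifier at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_ace(line):
    t = line.split()
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)   # 'eq' right after the source qualifies the SOURCE port
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)   # 'eq' after the destination qualifies the DESTINATION port
    return Ace(t[0], t[1], src, sport, dst, dport)

def ace_matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src_net
            and ipaddress.ip_address(pkt.dst) in ace.dst_net
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport))

def evaluate(acl_text, pkt):
    """First match wins; an unmatched packet hits the implicit deny, as on IOS."""
    for line in (l.strip() for l in acl_text.strip().splitlines()):
        if line and not line.startswith("ip access-list"):
            ace = parse_ace(line)
            if ace_matches(ace, pkt):
                return ace.action, line
    return "deny", "implicit deny"

# Abbreviated copies of the thread's ACLs (UDP DNS and DHCP entries, the relevant deny
# and the final permit).  IN_ORIGINAL is the first post; IN_CORRECTED applies the bootps
# fix.  OUT_SOURCE_PORT puts 'eq' after the source as in the first post; OUT_DEST_PORT is
# the second revision, which moved the DNS check to the destination port.
IN_ORIGINAL = """
 permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
 permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq bootpc
 deny   ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
 permit ip any any
"""
IN_CORRECTED = IN_ORIGINAL.replace("eq bootpc", "eq bootps")
OUT_SOURCE_PORT = """
 permit udp 172.16.10.0 0.0.0.255 eq domain 172.16.101.0 0.0.0.255
 permit udp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq bootpc
 deny   ip 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255
 permit ip any any
"""
OUT_DEST_PORT = OUT_SOURCE_PORT.replace(
    "eq domain 172.16.101.0 0.0.0.255", "172.16.101.0 0.0.0.255 eq domain")

SERVER, GUEST = "172.16.10.5", "172.16.101.20"   # assumed hosts
PACKETS = {  # constructed, not captured
    "dns_query_in": Packet("udp", GUEST, SERVER, 51000, 53),
    "dhcp_renew_in": Packet("udp", GUEST, SERVER, 68, 67),                    # unicast renewal
    "dhcp_discover_in": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),  # RFC 2131 broadcast
    "ssh_in": Packet("tcp", GUEST, SERVER, 51001, 22),
    "dns_reply_out": Packet("udp", SERVER, GUEST, 53, 51000),
    "dhcp_offer_out": Packet("udp", SERVER, GUEST, 67, 68),
}

def decide(acl_text, packet_name):
    """Return just the action ('permit' or 'deny') the ACL takes on a named packet."""
    return evaluate(acl_text, PACKETS[packet_name])[0]

if __name__ == "__main__":
    for acl_name, acl in (("IN_ORIGINAL", IN_ORIGINAL), ("IN_CORRECTED", IN_CORRECTED),
                          ("OUT_SOURCE_PORT", OUT_SOURCE_PORT), ("OUT_DEST_PORT", OUT_DEST_PORT)):
        direction = acl_name.split("_")[0].lower()
        for pkt_name in PACKETS:
            if pkt_name.endswith("_" + direction):
                print(f"{acl_name:16} {pkt_name:17} -> {evaluate(acl, PACKETS[pkt_name])}")
```

Running it reproduces the thread's symptoms: the DNS reply from the server is permitted by the source-port form of the out ACL and denied by the destination-port revision (it hits the `deny ip 172.16.10.0 ... 172.16.101.0` entry), a unicast DHCP renewal is denied by the original in ACL's `eq bootpc` entry and permitted once it reads `eq bootps`, and the broadcast DISCOVER matches neither DHCP entry and is carried by `permit ip any any`.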

Ok thanks.

So just change the IN ACL back to checking bootps on the destination and I'm all set.

I believe so. Make the change, test, and let us know the results.

HTH

Rick
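For reference, here are the two ACLs with all of the corrections discussed above applied in one place (destination-port checks inbound and source-port checks outbound for DNS/HTTP/HTTPS, DHCP matched on `bootps` inbound and on `bootpc` outbound), followed by the commands to read the per-entry hit counters. This consolidated version was not posted in the thread; the interface, ACL names and subnets are the poster's, and the verification commands are an addition of mine.

```cisco
ip access-list extended VLAN101-IPv4-In
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq www
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 443
 permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
 permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq bootps
 deny   ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny   ip 172.16.101.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny   ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
 deny   ip 172.16.101.0 0.0.0.255 172.16.100.0 0.0.0.255
 permit ip any any
ip access-list extended VLAN101-IPv4-Out
 permit tcp 172.16.10.0 0.0.0.255 eq domain 172.16.101.0 0.0.0.255
 permit tcp 172.16.10.0 0.0.0.255 eq www 172.16.101.0 0.0.0.255
 permit tcp 172.16.10.0 0.0.0.255 eq 443 172.16.101.0 0.0.0.255
 permit udp 172.16.10.0 0.0.0.255 eq domain 172.16.101.0 0.0.0.255
 permit udp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq bootpc
 deny   ip 172.16.1.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny   ip 172.16.2.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny   ip 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny   ip 172.16.100.0 0.0.0.255 172.16.101.0 0.0.0.255
 permit ip any any
!
! Verification: zero the counters, generate DNS, web and DHCP traffic from a guest
! client, then confirm the intended permit entries (and not the deny entries) count up.
clear ip access-list counters VLAN101-IPv4-In
clear ip access-list counters VLAN101-IPv4-Out
show ip access-lists VLAN101-IPv4-In
show ip access-lists VLAN101-IPv4-Out
```

Two caveats worth keeping in mind with this stateless design. A client's initial DHCPDISCOVER is sent from 0.0.0.0 to 255.255.255.255, so it never matches the `bootps` entry (whose source must be in 172.16.101.0/24); it is the trailing `permit ip any any` that lets it reach the SVI, and removing that line (as one of the revisions in the thread did) breaks both DHCP and Internet access. Second, the outbound TCP entries match on source port only, so any host in 172.16.10.0/24 can initiate a connection to a guest as long as it sources from port 53, 80 or 443; appending the `established` keyword to those TCP entries restricts them to return traffic (segments with ACK or RST set), which is what they are meant to carry.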