02-27-2009 09:39 AM - edited 03-06-2019 04:18 AM
I am looking to create a secure vlan where only specific vlans (or hosts) can access it on a given port. For example
int vlan10
ip address 192.168.1.1 255.255.255.0
And only the following can access it:
192.168.20.0/24 port 3389
192.168.30.0/24 ports 22, 25, 80
vlan10 should be able to access the above segments as well.
Is this correct:
access-list 100 permit tcp 192.168.20.0 0.0.0.255 any eq 3389
access-list 100 permit tcp 192.168.30.0 0.0.0.255 any eq 22
access-list 100 permit tcp 192.168.30.0 0.0.0.255 any eq 25
access-list 100 permit tcp 192.168.30.0 0.0.0.255 any eq 80
int vlan10
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip access-group 100 out
Question:
access-group in 100 means that all traffic that meets the ACL 100 condition is permitted inbound to the VLAN, is that correct? And access-group out 100 means that ACL 100 is permitted on the outbound, is that correct?
Any examples online?
02-27-2009 09:48 AM
Inbound is traffic coming from a host within the VLAN to the SVI, and outbound means traffic from other networks entering your VLAN.
Take your SVI 10 as an example:-
interface Vlan10
ip address 192.168.1.1 255.255.255.0
ip access-group vlantest in
ip access-list extended vlantest
permit icmp 192.168.1.0 0.0.0.255 any
You can see that this ACL has been applied inbound, and when I ping from host 192.168.1.2 to any other IP address (172.16.0.1 in this case) you will see the hit count going up as below:
R0#sh ip access-lists
Extended IP access list vlantest
10 permit icmp 192.168.1.0 0.0.0.255 any (15 matches)
Hope that helps
02-27-2009 09:54 AM
Hello Roni,
You cannot apply the same extended ACL in both directions; one of the two will be blocking all traffic.
Usually, the ACL can be thought of as inbound on the secure VLAN.
The following is an example.
Notice that the TCP ports in a socket are different.
So first of all we need to understand where the well-known port is.
The servers are in the secure VLAN, so the TCP well-known port is in the source position, just after the source portion of the ACL line:
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 3389 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 22 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 25 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 80 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 3389 192.168.30.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 22 192.168.30.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 25 192.168.30.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 80 192.168.30.0 0.0.0.255
You may want to permit other traffic like ICMP.
At the end you apply the ACL inbound on VLAN 10, and only inbound:
int vlan 10
ip access-group 131 in
If you examine a TCP socket it is something like
192.168.1.100:80 (well-known) --- 192.168.20.33:3023 (dynamic)
In one direction the traffic has
source 192.168.20.33, dest 192.168.1.100
The TCP header has the ports in the same position as the addresses.
For this reason the same extended ACL cannot match in both directions unless it contains double the lines, with the socket inverted.
Hope to help
Giuseppe
02-27-2009 11:34 AM
Giuseppe, thanks for the feedback, this helps a lot!
So based on the access-group you defined, ie:
int vlan 10
ip access-group 131 in
this means that 192.168.1.0 0.0.0.255 can only access the destination IPs based on the ACL (one way), so outgoing traffic is permitted on VLAN 10 based on the ACL condition. Is that correct?
But what would be the behavior of traffic from the VLANs (192.168.20.0 and 192.168.30.0) to VLAN 10? As far as I see based on the access-group, it is all permitted, is that right?
If traffic from 192.168.20.0 and 192.168.30.0 should be restricted to VLAN 10, is there a need for another set of ACLs, applied to VLAN 10 with access-group out?
02-27-2009 12:14 PM
Hello Ron,
There is no strict need of a second ACL, because successful communication requires bidirectional connectivity.
To make an example, an ICMP packet can reach server 192.168.10.100 even with an arbitrary source, but the answer is filtered by inbound ACL 131.
I understand that for better security it can help to also have an outbound ACL.
But if an outbound ACL is felt to be needed, it has to be different from the ACL applied inbound, as I explained in my first post.
Hope to help
Giuseppe
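The two points Giuseppe makes above (an extended ACL names the well-known port's position, so one ACL only matches one direction of a socket; and with ACL 131 inbound only, a request from anywhere reaches the server but the reply is dropped unless the requester is in 192.168.20.0/24 or 192.168.30.0/24) can be checked with a small stateless ACL evaluator. This is an added example, not configuration or code from the posts. It assumes a simplified SVI direction model (a packet sourced inside the VLAN is checked by the inbound ACL, anything else by the outbound ACL), uses the 192.168.1.100:80 / 192.168.20.33:3023 socket from the thread, and adds a constructed requester 10.9.9.9 from an unlisted network. It also shows what a subnet mask does when written where IOS expects a wildcard mask, a common slip when writing numbered ACLs.

```python
# Added example, not configuration from the posts: a stateless evaluator for Cisco IOS
# style extended ACL lines. Direction model (source in VLAN -> "in", else -> "out") is an assumption.
import ipaddress
from collections import namedtuple
from typing import List, Optional

Packet = namedtuple("Packet", "proto src sport dst dport")
# sport/dport: the port after "eq" in the source / destination position of the ACL line.
Entry = namedtuple("Entry", "action proto src src_wild dst dst_wild sport dport", defaults=(None, None))

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) ^ _ip(base)) & care == 0

def entry_matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and wildcard_match(p.src, e.src, e.src_wild)
            and wildcard_match(p.dst, e.dst, e.dst_wild)
            and (e.sport is None or p.sport == e.sport)
            and (e.dport is None or p.dport == e.dport))

def _addr(tok):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]

def _port(tok):
    return (int(tok[1]), tok[2:]) if tok and tok[0] == "eq" else (None, tok)

def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines (numbered ACL syntax)."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if tok[0] == "access-list":
            tok = tok[2:]  # drop the keyword and the list number
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, src_wild, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, dst_wild, rest = _addr(rest)
        dport, rest = _port(rest)
        entries.append(Entry(action, proto, src, src_wild, dst, dst_wild, sport, dport))
    return entries

def evaluate(acl: List[Entry], p: Packet) -> str:
    """First match wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"

def mirror(acl: List[Entry]) -> List[Entry]:
    """Socket-inverted copy: swap the source and destination address/port positions."""
    return [Entry(e.action, e.proto, e.dst, e.dst_wild, e.src, e.src_wild, e.dport, e.sport) for e in acl]

def svi_filter(inbound: Optional[List[Entry]], outbound: Optional[List[Entry]], p: Packet, vlan_net: str) -> str:
    """Packets sourced in the VLAN are 'in' on the SVI, all others are 'out'; no ACL means permit."""
    acl = inbound if ipaddress.IPv4Address(p.src) in ipaddress.IPv4Network(vlan_net) else outbound
    return "permit" if acl is None else evaluate(acl, p)

# ACL 131 as posted: servers live in VLAN 10, so the well-known port sits in the source position.
ACL_131 = parse_acl("""
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 3389 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 22 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 25 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 80 192.168.20.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 3389 192.168.30.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 22 192.168.30.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 25 192.168.30.0 0.0.0.255
access-list 131 permit tcp 192.168.1.0 0.0.0.255 eq 80 192.168.30.0 0.0.0.255
""")
VLAN10 = "192.168.1.0/24"

def demo() -> dict:
    # Constructed traffic: the socket from the thread plus a requester (10.9.9.9) from an unlisted network.
    client_syn = Packet("tcp", "192.168.20.33", 3023, "192.168.1.100", 80)
    server_reply = Packet("tcp", "192.168.1.100", 80, "192.168.20.33", 3023)
    stranger_syn = Packet("tcp", "10.9.9.9", 40000, "192.168.1.100", 80)
    stranger_reply = Packet("tcp", "192.168.1.100", 80, "10.9.9.9", 40000)
    return {
        "server_reply, 131 in only": svi_filter(ACL_131, None, server_reply, VLAN10),
        "stranger_syn, 131 in only": svi_filter(ACL_131, None, stranger_syn, VLAN10),
        "stranger_reply, 131 in only": svi_filter(ACL_131, None, stranger_reply, VLAN10),
        "client_syn, same 131 in and out": svi_filter(ACL_131, ACL_131, client_syn, VLAN10),
        "client_syn, mirrored 131 out": svi_filter(ACL_131, mirror(ACL_131), client_syn, VLAN10),
        # A subnet mask in the wildcard position ignores the first three octets and needs a last octet of 0.
        "wildcard 0.0.0.255 matches 192.168.20.5": wildcard_match("192.168.20.5", "192.168.20.0", "0.0.0.255"),
        "wildcard 255.255.255.0 matches 192.168.20.5": wildcard_match("192.168.20.5", "192.168.20.0", "255.255.255.0"),
        "wildcard 255.255.255.0 matches 10.1.1.0": wildcard_match("10.1.1.0", "192.168.20.0", "255.255.255.0"),
    }
```

Calling `demo()` returns the verdict for each constructed packet: the server's reply to 192.168.20.33 is permitted by ACL 131 inbound, the request from 10.9.9.9 gets to the server (no outbound ACL) but its reply is denied, the same ACL 131 applied in both directions denies the client's SYN, and only the socket-inverted copy (`mirror`) permits it outbound. The evaluator is stateless on purpose: it has no notion of an existing connection, which is exactly why the two directions have to be written out separately.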
02-27-2009 12:37 PM
What I'm saying is that none of the internal VLANs (192.168.20, 30) should be able to access the secure VLAN (192.168.1.1), given it's a secure VLAN. That secure VLAN should only be able to access specific VLANs, but no internal VLANs should be able to initiate traffic to it. How does that change your answer?