05-09-2014 10:42 AM - edited 03-07-2019 07:24 PM
Can someone double check this ACL I wrote that is supposed to restrict traffic on a Guest VLAN from accessing anything on the internal network besides a few services (HTTP(S), DNS, DHCP).
I applied it directly to the VLAN SVI and it seems to work but I wanted a second opinion.
Thanks!
interface Vlan101
 ip access-group VLAN101-IPv4-In in
 ip access-group VLAN101-IPv4-Out out

ip access-list extended VLAN101-IPv4-In
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq www
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 443
 permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
 permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq bootpc
 deny ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny ip 172.16.101.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
 deny ip 172.16.101.0 0.0.0.255 172.16.100.0 0.0.0.255
 permit ip any any

ip access-list extended VLAN101-IPv4-Out
 permit tcp 172.16.10.0 0.0.0.255 eq domain 172.16.101.0 0.0.0.255
 permit tcp 172.16.10.0 0.0.0.255 eq www 172.16.101.0 0.0.0.255
 permit tcp 172.16.10.0 0.0.0.255 eq 443 172.16.101.0 0.0.0.255
 permit udp 172.16.10.0 0.0.0.255 eq domain 172.16.101.0 0.0.0.255
 permit udp 172.16.10.0 0.0.0.255 eq bootps 172.16.101.0 0.0.0.255
 deny ip 172.16.1.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny ip 172.16.2.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny ip 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny ip 172.16.100.0 0.0.0.255 172.16.101.0 0.0.0.255
 permit ip any any
05-09-2014 11:25 AM
You have not provided information about the topology of the network so we are forced to make assumptions. Assuming that the Guest VLAN is vlan 101 and that the address of its subnet is 172.16.101.0/24 and that the internal network consists only of 172.16.1.0, 172.16.2.0, 172.16.10.0, and 172.16.100.0 then these access lists would be pretty effective in preventing devices on the Guest VLAN from communicating with the internal network other than DNS, HTTP, HTTPS, and DHCP, except that I believe that your logic for DHCP is flawed.
The in ACL will be looking for requests from clients to servers and so the port should be bootps rather than bootpc. And the out ACL will be looking for responses from server to client so you should be checking the destination port rather than the source port as your current ACL does, and the port should be bootpc.
HTH
Rick
05-09-2014 11:31 AM
You are correct on the topology.
Thank you
Is this correct?
ip access-list extended VLAN101-IPv4-In
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq www
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 443
 permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
 permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq bootps
 deny ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny ip 172.16.101.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
 deny ip 172.16.101.0 0.0.0.255 172.16.100.0 0.0.0.255
 permit ip any any

ip access-list extended VLAN101-IPv4-Out
 permit tcp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq domain
 permit tcp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq www
 permit tcp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq 443
 permit udp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq domain
 permit udp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq bootpc
 deny ip 172.16.1.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny ip 172.16.2.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny ip 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny ip 172.16.100.0 0.0.0.255 172.16.101.0 0.0.0.255
 permit ip any any
05-09-2014 11:39 AM
Yes this should be correct.
HTH
Rick
05-09-2014 01:07 PM
That didn't work.
I had to change the OUT acl back to matching the source port:
permit tcp 172.16.10.0 0.0.0.255 eq domain 172.16.101.0 0.0.0.255
I'm still not getting matches on my other permit statements, so I guess I just have to keep messing with it.
05-09-2014 01:33 PM
I should have read your revised ACL more carefully. I checked the change for DHCP but did not notice that you had changed the port checks from checking source ports (as in the original ACL) to checking destination ports for all the protocols. You want to check the destination port for bootpc, but for the other protocols you should be checking the source ports.
HTH
Rick
05-09-2014 02:02 PM
So, my IN ACL is correct, and we are just working on the OUT?
Shouldn't I change the DHCP IN acl too?
Is this correct?
ip access-list extended VLAN101-IPv4-In
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq www
 permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 443
 permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
 permit udp 172.16.101.0 0.0.0.255 eq bootps 172.16.10.0 0.0.0.255
 deny ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny ip 172.16.101.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
 deny ip 172.16.101.0 0.0.0.255 172.16.100.0 0.0.0.255

ip access-list extended VLAN101-IPv4-Out
 permit tcp 172.16.10.0 0.0.0.255 eq domain 172.16.101.0 0.0.0.255
 permit tcp 172.16.10.0 0.0.0.255 eq www 172.16.101.0 0.0.0.255
 permit tcp 172.16.10.0 0.0.0.255 eq 443 172.16.101.0 0.0.0.255
 permit udp 172.16.10.0 0.0.0.255 eq domain 172.16.101.0 0.0.0.255
 permit udp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq bootpc
 deny ip 172.16.1.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny ip 172.16.2.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny ip 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255
 deny ip 172.16.100.0 0.0.0.255 172.16.101.0 0.0.0.255
 permit ip any any
Thank you for helping me.
05-10-2014 03:03 PM
I am afraid this is not correct. Let me try to explain it in this way:
For DNS, WWW, and HTTPS/443 the client chooses some port as the source and the server port is known. So when you write the inbound access list the known port is the destination port. So your "in" ACL should check the destination port for these protocols. And for your "out" ACL these ports would be the source port.
DHCP is a bit different. The client sends requests to destination port bootps and the server sends responses to destination port bootpc. So your "in" ACL needs to check the destination port for bootps and your "out" ACL needs to check the destination port for bootpc.
HTH
Rick
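To illustrate the point Rick makes above, here is an added example (not from the thread or from Cisco) that models Cisco extended-ACL matching in Python and evaluates two constructed "out" ACLs: one that checks the destination port for every protocol, as in the mid-thread revision, and one that checks the source port for DNS but the destination port for DHCP. The server address 172.16.10.5, the guest address 172.16.101.20 and the ephemeral port are assumptions.

```python
import ipaddress
# Constructed example: a minimal model of Cisco IOS extended-ACL matching
# (wildcard masks, first match wins, implicit deny at the end).
WELL_KNOWN = {"domain": 53, "www": 80, "bootps": 67, "bootpc": 68}

def in_range(addr, network, wildcard):
    """Cisco wildcard match: a 1 bit in the wildcard means don't care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def parse_ace(line):
    """Parse '<permit|deny> <proto> <net> <wc> [eq p] <net> <wc> [eq p]'."""
    tok = line.split()
    action, proto, tok = tok[0], tok[1], tok[2:]
    fields = []
    for _ in range(2):  # source block, then destination block
        fields.append((tok[0], tok[1]))
        tok = tok[2:]
        if tok and tok[0] == "eq":  # optional port qualifier on this side
            fields.append(WELL_KNOWN.get(tok[1]) or int(tok[1]))
            tok = tok[2:]
        else:
            fields.append(None)
    return (action, proto, *fields)

def evaluate(acl_text, pkt):
    """Return 'permit' or 'deny' for pkt = (proto, src, sport, dst, dport)."""
    pproto, src, sport, dst, dport = pkt
    for line in acl_text.strip().splitlines():
        action, proto, (sn, sw), sp, (dn, dw), dp = parse_ace(line.strip())
        if (proto in ("ip", pproto) and in_range(src, sn, sw)
                and in_range(dst, dn, dw) and sp in (None, sport) and dp in (None, dport)):
            return action  # first matching ACE wins
    return "deny"  # implicit deny at the end of every Cisco ACL

# "Out" ACL as revised mid-thread: every ACE checks the destination port.
OUT_DST_PORTS = """
permit udp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq domain
permit udp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq bootpc
deny ip 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255
"""
# "Out" ACL per the final advice: source port for DNS, destination port for DHCP.
OUT_FIXED = """
permit udp 172.16.10.0 0.0.0.255 eq domain 172.16.101.0 0.0.0.255
permit udp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq bootpc
deny ip 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255
"""
# Constructed replies from internal server 172.16.10.5 to guest 172.16.101.20.
DNS_REPLY = ("udp", "172.16.10.5", 53, "172.16.101.20", 51234)
DHCP_REPLY = ("udp", "172.16.10.5", 67, "172.16.101.20", 68)
```

Evaluating DNS_REPLY against OUT_DST_PORTS gives "deny" (the reply's destination is the client's ephemeral port, so it falls through to the deny), while OUT_FIXED permits it; both ACLs permit DHCP_REPLY because the server really does send to destination port bootpc.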
05-10-2014 05:40 PM
Ok thanks.
So just change the IN ACL back to checking bootps on the destination and I'm all set.
05-10-2014 06:29 PM
I believe so. Make the change, test, and let us know the results.
HTH
Rick