How to limit traffic to a host with a VACL

pweinhold · ‎08-30-2010

I'd like to limit access to a particular server so that only two specific hosts can access this server. The server is connected via a LAN switch port that is configured as an access port for the Server VLAN. Initially I'd planned to apply an ACL to the LAN port, but ACLs on Layer 2 ports can only be applied to ingress traffic, meaning that I could restrict traffic coming from the server, but not traffic going to the server. So my next option was to put the ACL on the VLAN (VACL). Assuming the server is 10.0.0.1 and the hosts that I want to allow communication with are 10.100.0.1 and 10.100.0.2, I'm thinking my ACL will look like this:

3750_switch#sh ip access-lists
Extended IP access list Test
10 permit ip host 10.100.0.1 host 10.0.0.1
20 permit ip host 10.100.0.2 host 10.0.0.1

But there are many other servers on this VLAN, so how do I apply this ACL to the VLAN without affecting or restricting access to the other servers? An ACL has an implicit deny at the end, so if I apply the ACL as it's configured above, it will allow communications between my server and those two hosts, but every other packet traversing the VLAN will be dropped. On the other hand, if I add "permit ip any an" at the end of the ACL, then any IP traffic will be permitted to access my server.

Any ideas are appreciated. Thanks.

Jon Marshall · ‎08-30-2010

pweinhold wrote:

I'd like to limit access to a particular server so that only two specific hosts can access this server. The server is connected via a LAN switch port that is configured as an access port for the Server VLAN. Initially I'd planned to apply an ACL to the LAN port, but ACLs on Layer 2 ports can only be applied to ingress traffic, meaning that I could restrict traffic coming from the server, but not traffic going to the server. So my next option was to put the ACL on the VLAN (VACL). Assuming the server is 10.0.0.1 and the hosts that I want to allow communication with are 10.100.0.1 and 10.100.0.2, I'm thinking my ACL will look like this:

3750_switch#sh ip access-lists
Extended IP access list Test
10 permit ip host 10.100.0.1 host 10.0.0.1
20 permit ip host 10.100.0.2 host 10.0.0.1

But there are many other servers on this VLAN, so how do I apply this ACL to the VLAN without affecting or restricting access to the other servers? An ACL has an implicit deny at the end, so if I apply the ACL as it's configured above, it will allow communications between my server and those two hosts, but every other packet traversing the VLAN will be dropped. On the other hand, if I add "permit ip any an" at the end of the ACL, then any IP traffic will be permitted to access my server.

Any ideas are appreciated. Thanks.

10 permit ip host 10.100.0.1 host 10.0.0.1

20 permit ip host 10.100.0.2 host 10.0.0.1

30 deny ip any host 10.0.0.1

40 permit ip any 10.0.0.0 0.0.0.255

this acl would be applied outbound on the L3 server vlan interface ie.

int vlan 10 <-- server vlan

ip access-group 101 out

Jon

pweinhold · ‎08-31-2010

Yes, that makes sense...allow the specific hosts to reach the server, then prohibit any other hosts from reaching the server, then allow all other traffic to reach the subnet.

Thanks very much - I'll test it out.

pweinhold · ‎10-15-2010

Sorry for the late reply, but when I checked this, it didn't appear to be blocking anything. When I do a "show ip access-lists Limit_Access", I get something like this:

Extended IP access list Limit_Access

10 permit ip host 10.100.0.1 host 10.0.0.1

20 permit ip host 10.100.0.2 host 10.0.0.1

30 deny ip any host 10.0.0.1

40 permit ip any 10.0.0.0 0.0.0.255 (540349 matches)

So what that tells me is that the only matches this ACL is acting on are on the last line, allowing any host access to the subnet. Anyone have any ideas why this wouldn't be working? See the thread for the history on what I'm trying to do.

Thanks.

Jon Marshall · ‎10-15-2010

Have you applied it outbound on the server vlan 10.0.0.0/24 ?

Have you tried to connect to the 10.0.0.1 server from either one of the hosts allowed or the rest of the 10.100.0.x subnet which should be denied ?

Jon

pweinhold · ‎10-18-2010

Yes, I've applied it outbound on that VLAN. Specificially I applied it to the VLAN interface. The config looks like this:

Interface Vlan 100

description Server VLAN

ip address 10.0.0.10 255.255.255.0

ip access-group Restrict_Acccess out

Thanks.

pweinhold · ‎03-11-2011

In case anyone's interested, I finally found a way to make this work. I had to first create an extended ACL, similar to the one

that was posted earlier in this thread. It basically looked like this:

Extended IP access list Limit_Access

10 permit ip host 10.100.0.1 host 10.0.0.1

20 permit ip host 10.100.0.2 host 10.0.0.1

30 deny ip any host 10.0.0.1

40 permit ip any any

So I first allow access to the server from my specificed hosts, then I deny anyone else access to the server, then I allow any-any access to everyone else.

Then I had to create a VLAN access map that matched on the ACL, then I configured a VLAN filter that referenced the access map, and I applied the filter to my server VLAN. So I guess the switch basically checks this filter against everything entering that VLAN, and it filters traffic according to the access map and the ACL.

I think there are more ways of doing this, but this worked for me. It's definitely more complicated when you're trying to apply an ACL to a VLAN, as opposed to a routed interface. I referenced this document, although I implemented my config somewhat differently:

http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_vlanacls.pdf