cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
717
Views
2
Helpful
3
Replies

Restricted Access to users via ACLs

Sihanu N
Level 1
Level 1

Hi Experts,

We have a network setup mentioned below and currently all users at the Quarters location is able to access the corporate network by giving the gateway as ip address of HSRP Vlan 1. And we are planning to block the unauthorized access by the following method.

1) Creating a named ACL allowing the ip addresses used by the devices in vlan 1 inside the corporate network and users static ip who need to access the corporate network(privileged users)

2) Implementing ACL to interface VLAN 1 as inbound in both core switches

3) Since the implicit deny by the ACL is there the un-authorized  users will automatically blocked

Network Diagram.jpg

My Queries

1) Is the allowed ip ranges are enough to block the un-authorized access without any other issues for the normal traffic flow for the vlan traffic?

2) Is there any issues with the CPU utilization of Core switch, as the ACL lookup is a processor consuming one?

Please post you valuable comments, suggestions and advice regarding blocking plan

Thanks and Regards,

Sihanu N

1 Accepted Solution

Accepted Solutions

Hi,

My suggestions are:

1) Is the allowed ip ranges are enough to block the un-authorized  access without any other issues for the normal traffic flow for the vlan  traffic?

suppose your int vlan 1's ip address configured as 192.168.1.1 255.255.255.0, then

You can config standard ACLs like below:

access-list NUMBER permit 192.168.1.4

access-list NUMBER permit 192.168.1.7

.

.

access-list NUMBER permit 192.168.1.235

list all IP addresses you want to allow access the network in that access-list then apply this access-list to int vlan 1.

Now all other traffic send with source IP addresses that is not in that list will not be able to get to any network except 192.168.1.0/24 (which is vlan 1's network). This means guests could only communicate with Quarters and nothing else, including Internet.

The drawback of this solution is that guests could simply change their ip to any ip in your list then he will bypass your ACL.

2) Is there any issues with the CPU utilization of Core switch, as the ACL lookup is a processor consuming one?

AFAIK, most of current cisco platform perform ACL in ASIC per interface. a ACL applied to vlan will inherent to all physical ports configured with that vlan. so there will not increase CPU utilization.

View solution in original post

3 Replies 3

Reza Sharifi
Hall of Fame
Hall of Fame

Hi,

If I understand your question correctly, you only have one vlan for both the guest house and the users with static IPs.

If you want to block vlan 1 from being accessed by the guest house users, than you can put the guest house users in a different vlan and apply an ACL (outbound) to vlan 1 to block the guest house users.

HTH

Hi Reza,

Thanks for you reply,

The current setup doesnt allow us to split the users into two vlans as the devices at the quarters(including guests) locations are unmanageable. Also the static ips given for the guests and legitimate users cannot be differentiated into two ranges as it is given.(IP addresses are not assigned in a proper order).

1) Please confirm whether the proposed plan by me will work with no issues?

Thanks and Regards,

Sihanu N

Hi,

My suggestions are:

1) Is the allowed ip ranges are enough to block the un-authorized  access without any other issues for the normal traffic flow for the vlan  traffic?

suppose your int vlan 1's ip address configured as 192.168.1.1 255.255.255.0, then

You can config standard ACLs like below:

access-list NUMBER permit 192.168.1.4

access-list NUMBER permit 192.168.1.7

.

.

access-list NUMBER permit 192.168.1.235

list all IP addresses you want to allow access the network in that access-list then apply this access-list to int vlan 1.

Now all other traffic send with source IP addresses that is not in that list will not be able to get to any network except 192.168.1.0/24 (which is vlan 1's network). This means guests could only communicate with Quarters and nothing else, including Internet.

The drawback of this solution is that guests could simply change their ip to any ip in your list then he will bypass your ACL.

2) Is there any issues with the CPU utilization of Core switch, as the ACL lookup is a processor consuming one?

AFAIK, most of current cisco platform perform ACL in ASIC per interface. a ACL applied to vlan will inherent to all physical ports configured with that vlan. so there will not increase CPU utilization.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: