edw
New Member

VLAN ACL's

Hi,

I have an interesting question. I have a Catalyst 6006 with an MSFC card. I run, say, 4 VLANs.

I want to, say, block VLAN 3 from the rest but allow, say, a VLAN 3 machine to access HTTPS and DNS. What is the best and most secure way of doing it? I seem to have to make two groups, in and out, on my router before traffic will flow?

ip access-list standard Events
permit 10.1.3.0 0.0.0.255
deny 10.0.0.0 0.255.255.255
permit any
!
interface vlan 3
ip access-group Events in
ip access-group Events out

Seems an odd way to get an ACL to work? Having to have in and out duplication??

Another one, say, to lock it down better:

! extended, not standard: a standard ACL can only match on source address
ip access-list extended Events-IN
permit udp host 10.1.3.6 gt 1024 any eq domain
permit tcp host 10.1.3.6 any eq 443
deny ip 10.1.3.0 0.0.0.255 any
permit ip any any
!
! return traffic: server port back to the client's ephemeral port
ip access-list extended Events-OUT
permit udp any eq domain host 10.1.3.6 gt 1024
permit tcp any eq 443 host 10.1.3.6
deny ip any 10.1.3.0 0.0.0.255
permit ip any any
!
interface vlan 3
ip access-group Events-IN in
ip access-group Events-OUT out

Why do I have to do it like this? Isn't this pointless?? If I only do Events-IN, no traffic seems to go through?

Am I misunderstanding things ?

Thanks for any help

Ed

16 REPLIES

Re: VLAN ACL's

If you're really only concerned about your acl allowing traffic for https and dns from vlan 3 but nothing else, try:

ip access-list extended VLAN3
permit tcp 10.1.3.0 0.0.0.255 any eq https
permit udp 10.1.3.0 0.0.0.255 any eq domain
deny ip any any

Apply it inbound on VLAN3 only.

int vlan3
ip access-group VLAN3 in

If you're using the outbound acls on your svi, try taking them off if you're using them for this purpose and nothing else.

HTH,

John

HTH, John *** Please rate all useful posts ***
edw
New Member

Re: VLAN ACL's

Hi,

Thanks for the reply. However, when I try to place an incoming data packet, I have to place it in both directions.

How would someone, say, have HTTPS coming from the VLAN and, say, VNC going into the VLAN?

Thanks

Ed

New Member

Re: VLAN ACL's

You can also apply something like this.

ip access-list extended VLAN_3_FILTER
permit tcp any any eq www
permit tcp any eq www any
permit tcp any any eq 53
permit tcp any eq 53 any
!
! sequence 10 forwards what the ACL permits, sequence 20 drops everything else
vlan access-map VLAN_3_MAP 10
match ip address VLAN_3_FILTER
action forward
vlan access-map VLAN_3_MAP 20
action drop
!
vlan filter VLAN_3_MAP vlan-list 3

Of course, you can be more specific with the ACL, but that's just an example.

edw
New Member

Re: VLAN ACL's

Hi,

Does anyone have any pointers on this, as I'm confused?

Thanks

Ed

New Member

Re: VLAN ACL's

exactly as above

permit tcp any any eq www
permit tcp any eq www any
permit tcp any any eq 53
permit tcp any eq 53 any
permit tcp any any eq 5900 (or whatever you use for vnc)

edw
New Member

Re: VLAN ACL's

Hi,

Okay, what I don't understand is that on an ACL on a PIX firewall I only have to make the entry for the traffic going out. I.e. if I was a client on the VLAN, I would only need to have

permit tcp any any eq www

So why do I also have to have the reverse?

permit tcp any eq www any ?? The logic doesn't seem to be there; this is just duplicating workloads?

Thanks

Ed

New Member

Re: VLAN ACL's

You can allow the traffic out of the VLAN; without adding the reverse, the traffic will never get back to the PC and will be dropped by the "action drop" command, as mentioned by John previously:

vlan access-map VLAN_3_MAP 20
action drop

Cheers

Matt

edw
New Member

Re: VLAN ACL's

Hi,

Thanks again for making this clearer.

Okay, so every time I have to add an outgoing connection such as www, I also have to add the reverse of this.

Is this not a security flaw in the design? This would mean that if an internal VLAN PC needs to access the internet (0.0.0.0, any, etc.) I have to add the reverse for it coming in. Which in turn means anyone on another VLAN etc. which has the same privileges, i.e. access to any, could get into the internal web server of that machine??

My problem, in my mind, is that for a system it seems overly complicated, a mass of admin, and prone to user errors and also problems.

Why is it different from a PIX-style ACL? A PIX would automatically open the incoming part for those packets, therefore a PIX is much more secure?

Thanks

Ed

New Member

Re: VLAN ACL's

The PIX uses CBAC to open the port dynamically, I think.

You wouldn't give the VLAN access to the internet; just tweak the access-list to allow certain ports to talk to your proxy server etc., then the reverse to allow the proxy server to talk to the internal IPs.

You are, however, correct:

the command

permit tcp any any eq www

will permit traffic in both directions using port 80.

You need to use it in both directions when you are getting granular with the server addresses you wish to use etc.

I.e.

permit tcp 192.168.0.1 0.0.0.255 any eq www

this will only allow traffic out and will not permit the traffic back in.

Regards

Matt

edw
New Member

Re: VLAN ACL's

Okay, so to clarify, using, say,

permit tcp 192.168.0.1 0.0.0.255 any eq www

www would not work unless I added

permit tcp any eq www 192.168.0.1 0.0.0.255

Thanks

Ed
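
To make the two-directions point concrete, here is a small evaluator, added for this page and not a Cisco tool, that runs the thread's own ACL entries against constructed packets: the outbound entry alone does not match the server's reply, the reverse entry (permit tcp any eq www ...) matches the reply but also any unsolicited packet that happens to use source port 80 (Ed's concern above), and the IOS `established` keyword limits that reverse entry to segments of an already open TCP session. The 203.0.113.10 server address and the packets are constructed samples.

```python
"""Added example, not a Cisco tool: evaluates the extended-ACL entries quoted in this
thread (permit/deny, tcp/udp/ip, any | host A.B.C.D | A.B.C.D wildcard, 'eq' ports,
'established') against constructed packets. First match wins; implicit deny at the end."""
PORT_NAMES = {"www": 80, "https": 443, "domain": 53}
_ip = lambda s: int.from_bytes(bytes(map(int, s.split("."))), "big")  # dotted quad -> int

def _addr(tok, i):  # 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' -> ((net, wild), next index)
    if tok[i] == "any":
        return (None, None), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2
def _port(tok, i):  # optional 'eq <name|number>' -> (port or None, next index)
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i
def parse_ace(line):
    tok = line.split()
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return dict(action=tok[0], proto=tok[1], src=src, sport=sport, dst=dst,
                dport=dport, established="established" in tok[i:])
def _addr_match(spec, ip):
    net, wild = spec  # wildcard mask: set bits are don't-care
    return net is None or (_ip(ip) | _ip(wild)) == (_ip(net) | _ip(wild))
def ace_matches(a, p):  # 'established' = TCP segment with ACK or RST set, i.e. not a new SYN
    return bool(a["proto"] in ("ip", p["proto"])
                and _addr_match(a["src"], p["src"]) and _addr_match(a["dst"], p["dst"])
                and a["sport"] in (None, p["sport"]) and a["dport"] in (None, p["dport"])
                and (not a["established"] or p["flags"] & {"ACK", "RST"}))
def evaluate(acl_text, p):
    for ace in map(parse_ace, acl_text.strip().splitlines()):
        if ace_matches(ace, p):
            return ace["action"]
    return "deny"

def tcp(src, sport, dst, dport, *flags):
    return dict(proto="tcp", src=src, sport=sport, dst=dst, dport=dport, flags=set(flags))

# Constructed traffic: a VLAN 3 PC opening a web connection, the server's reply, and an
# unsolicited connection from outside that happens to use source port 80.
REQUEST = tcp("10.1.3.6", 40000, "203.0.113.10", 80, "SYN")
REPLY = tcp("203.0.113.10", 80, "10.1.3.6", 40000, "SYN", "ACK")
UNSOLICITED = tcp("203.0.113.10", 80, "10.1.3.6", 5900, "SYN")
OUTBOUND_ONLY = "permit tcp 10.1.3.0 0.0.0.255 any eq www"
WITH_REVERSE = OUTBOUND_ONLY + "\npermit tcp any eq www 10.1.3.0 0.0.0.255"
WITH_ESTABLISHED = WITH_REVERSE + " established"  # narrows the reverse entry to replies only
```

With an SVI access-group pair the reverse entry lives in the "out" list; with a VACL, as in the vlan access-map above, both entries sit in the one list since the map sees traffic in both directions.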

New Member

Re: VLAN ACL's

To clear things up a little: the purpose of a VACL is so you can permit or deny traffic INSIDE your VLAN itself (machines in the same layer 2 domain). When you said "deny vlan 3 and permit dns etc..." I took this as something you wanted. If you are just looking for traffic going in and out of VLAN 3, then you can just use "ip access-group OUTSIDE out / INSIDE in" statements on the VLAN 3 SVI. If you are just worried about inbound traffic, then just use an access-group inbound on the VLAN. A Cisco PIX would use zone-based firewall services. It inspects traffic going outbound and permits it back in dynamically. Let me know if this answered your questions. Let me know if I can be of more assistance. Thanks

edw
New Member

Re: VLAN ACL's

Hi,

I really want, for instance, to lock a VLAN down so that the internal PCs in that VLAN can access NTP and DNS, but people on another VLAN, for instance, can access VNC on those PCs (5090 I think, from memory).

Thanks for helping clear my muddled mind (I have read all the Cisco blurb and do use a lot of Cisco, but hey, perhaps I've just read too much ;))

Thanks

Ed

New Member

Re: VLAN ACL's

Oh yeah... of course it is ;-)

Overcomplicated it in my head too.

Though, with the ACLs you will need to explicitly permit both ways if you restrict it fully using source and dest addresses.

Matt

New Member

Re: VLAN ACL's

Well then your best (most secure) way is to use a VACL with VLAN maps and permit traffic both ways, like Matt is saying. If you look at my first post you can see how to do this. Don't worry, reading too much gets the best of all of us :). Never be afraid to ask questions.

edw
New Member

Re: VLAN ACL's

Hi,

Thanks for the reply - have tried this and it works.

I still don't fully understand why Cisco made such an intense command. I mean 98% of traffic is going to need two entries, one one way and the duplicate in reverse the other way. Therefore it would have made sense to, say, add a Return parameter and have the command just add it in as part of the same line??

Thanks


Ed
