10-30-2003 01:49 PM - edited 03-02-2019 11:22 AM
I am trying to write an ACL to protect my network from a test VLAN. When I apply the following ACL, some parts of it are not working; for example, DNS and WWW are being blocked even though they are in the permit list. I am applying the ACL outbound on the test VLAN. The VLANs are on a 3550 which connects to 5500s.
ex.
vlan 3 192.168.20.0/24 (Campus LAN)
vlan 4 192.168.30.0/24 (Test LAN)
ACL test applied outbound on test LAN
ip access-list extended test
permit tcp any host 192.168.20.5 eq 80
permit tcp any host 192.168.20.10 eq 443
permit udp any host 192.168.20.11 eq 1645
permit udp any host 192.168.20.11 eq 1646
permit udp any host 192.168.20.55 eq domain
permit udp any host 192.168.20.55 eq bootpc
permit udp any host 192.168.20.66 eq snmp
deny ip any any
10-31-2003 06:02 PM
Your SNMP rule looks like it should work if a host (or hosts) on the Test VLAN is monitoring host 192.168.20.66 via SNMP. But if it's the other way around -- host 192.168.20.66 is monitoring hosts on the Test VLAN via SNMP -- then what you want is:
permit udp any eq snmp host 192.168.20.66
Because if the hosts on the Test VLAN are receiving queries on the SNMP port, then the return traffic, which will have the SNMP port as a *source* rather than a destination, is what will be processed by the ACL.
I don't understand what issue you're having with VLAN 28 (where are you trying to HTTP from?), but the ACL above will only filter traffic coming from the Test VLAN. But note that, as in the SNMP case above, this traffic can be return traffic; i.e., devices in the Test VLAN responding to traffic coming from other VLANs. So you have to keep this in mind when writing ACLs for inter-VLAN traffic, and may have to look into using either Reflexive ACLs or the IOS Firewall feature to help deal with this.
10-30-2003 06:10 PM
You want to apply that ACL inbound on the VLAN interface, since traffic leaving the Test VLAN goes into the Test VLAN interface and out the Campus VLAN interface.
It can be confusing until you draw a picture. VLAN interfaces are the same as real interfaces in this regard.
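As an added illustration (this is not code from the thread or from Cisco), the script below is a small stateless evaluator for IOS-style extended ACL entries. It models two things the replies above describe: which packets an ACL applied to a VLAN (SVI) interface sees in the "in" versus "out" direction, and why a reply has to be matched on its source port. Addresses and port names are taken from the original post; the request/reply packets are constructed, and the original ACL's SNMP line is written with the `host` keyword that IOS requires.

```python
# Added example, not code from the thread: a tiny stateless IOS-style ACL
# evaluator. Sample packets below are constructed for the demonstration.
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "domain": 53, "snmp": 161, "bootps": 67, "bootpc": 68}


@dataclass
class Packet:
    proto: str   # "udp", "tcp", ...
    src: str
    dst: str
    sport: int
    dport: int


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    try:
        wildcard = int(ipaddress.ip_address(tokens[1]))
    except (IndexError, ValueError):
        # e.g. "permit udp any 192.168.20.66 eq snmp": IOS needs 'host' here as well
        raise ValueError(f"expected wildcard mask after {tokens[0]}") from None
    prefix = 32 - wildcard.bit_length()      # contiguous wildcard masks only
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Optional 'eq PORT' qualifier; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse one entry of the form: ACTION PROTO SRC [eq P] DST [eq P]."""
    action, proto, *rest = line.split()
    src, rest = _parse_addr(rest)
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return action, proto, src, sport, dst, dport


def evaluate(acl_lines, pkt):
    """First matching entry wins; an implicit deny applies at the end, as on IOS."""
    for action, proto, src, sport, dst, dport in map(parse_ace, acl_lines):
        if proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if sport is not None and pkt.sport != sport:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action
    return "deny"


def acl_sees(pkt, vlan_net, direction):
    """'in' on an SVI sees packets entering the switch from that VLAN (source in it);
    'out' sees packets routed toward that VLAN (destination in it)."""
    addr = pkt.src if direction == "in" else pkt.dst
    return ipaddress.ip_address(addr) in ipaddress.ip_network(vlan_net)


def filter_flow(acl_lines, vlan_net, direction, request, reply):
    """Verdict for each leg of a request/reply pair; legs the ACL never sees pass."""
    return tuple(
        evaluate(acl_lines, p) if acl_sees(p, vlan_net, direction) else "not filtered"
        for p in (request, reply)
    )


# The poster's ACL, with 'host' on the SNMP line.
ACL_TEST = [
    "permit tcp any host 192.168.20.5 eq 80",
    "permit tcp any host 192.168.20.10 eq 443",
    "permit udp any host 192.168.20.11 eq 1645",
    "permit udp any host 192.168.20.11 eq 1646",
    "permit udp any host 192.168.20.55 eq domain",
    "permit udp any host 192.168.20.55 eq bootpc",
    "permit udp any host 192.168.20.66 eq snmp",
    "deny ip any any",
]
# Same ACL with the SNMP entry rewritten for replies, as the accepted answer suggests.
ACL_TEST_SNMP_REPLY = ACL_TEST[:6] + ["permit udp any eq snmp host 192.168.20.66"] + ACL_TEST[7:]
TEST_LAN = "192.168.30.0/24"

# Constructed flows. DNS: a Test LAN host queries the campus resolver.
DNS_REQ = Packet("udp", "192.168.30.7", "192.168.20.55", 40001, 53)
DNS_REP = Packet("udp", "192.168.20.55", "192.168.30.7", 53, 40001)
# SNMP: the campus manager 192.168.20.66 polls a Test LAN host.
SNMP_REQ = Packet("udp", "192.168.20.66", "192.168.30.7", 49152, 161)
SNMP_REP = Packet("udp", "192.168.30.7", "192.168.20.66", 161, 49152)


def scenarios():
    """Verdicts (request, reply) that reproduce each symptom reported in the thread."""
    return {
        # Outbound on the Test VLAN: only replies *to* the Test LAN are checked, and none
        # of them is destined for a permitted 192.168.20.x host, so DNS breaks.
        "dns_outbound": filter_flow(ACL_TEST, TEST_LAN, "out", DNS_REQ, DNS_REP),
        # Inbound: the request is checked and permitted; the reply is never filtered.
        "dns_inbound": filter_flow(ACL_TEST, TEST_LAN, "in", DNS_REQ, DNS_REP),
        # Inbound, original SNMP line: the reply carries 161 as *source* port, so it is denied.
        "snmp_inbound_original": filter_flow(ACL_TEST, TEST_LAN, "in", SNMP_REQ, SNMP_REP),
        # Inbound, 'eq snmp' moved to the source side: the reply is permitted.
        "snmp_inbound_fixed": filter_flow(ACL_TEST_SNMP_REPLY, TEST_LAN, "in", SNMP_REQ, SNMP_REP),
    }


if __name__ == "__main__":
    for name, (req, rep) in scenarios().items():
        print(f"{name:22s} request={req:13s} reply={rep}")
```

The evaluator is deliberately stateless, like a plain IOS extended ACL: it has no memory of the outbound request, so the only way to let a reply through is an entry that matches the reply's own header, which is exactly the `permit udp any eq snmp host 192.168.20.66` form. Reflexive ACLs or the IOS Firewall feature mentioned in the accepted answer remove the need for such reply entries by tracking sessions.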
10-31-2003 06:47 AM
Applying the ACL inbound works all except the SNMP. I've tried using permit udp any any eq snmp with the same results?????
Also this seems to be blocking traffic both ways. In other words I can't http to host in vlan28. Will this require ACLs inbound and outbound to work?