ACL and vlans some permit statements not working.....

randyclark
Level 1

I am trying to write an ACL to protect my network from a test VLAN. When I apply the following ACL, some parts of it are not working; for example, DNS and WWW are being blocked even though they are in the permit list. I am applying the ACL outbound on the test VLAN. The VLANs are on a 3550 which connects to 5500s.

Example:

vlan 3 192.168.20.0/24 (Campus LAN)
vlan 4 192.168.30.0/24 (Test LAN)

ACL test applied outbound on test LAN

ip access-list extended test
 permit tcp any host 192.168.20.5 eq 80
 permit tcp any host 192.168.20.10 eq 443
 permit udp any host 192.168.20.11 eq 1645
 permit udp any host 192.168.20.11 eq 1646
 permit udp any host 192.168.20.55 eq domain
 permit udp any host 192.168.20.55 eq bootpc
 permit udp any host 192.168.20.66 eq snmp
 deny ip any any


3 Replies

tbaranski
Level 4

You want to apply that ACL inbound on the VLAN interface, since traffic leaving the Test VLAN goes into the Test VLAN interface and out the Campus VLAN interface.

It can be confusing until you draw a picture. VLAN interfaces are the same as real interfaces in this regard.

randyclark
Level 1

Applying the ACL inbound works for everything except SNMP. I've tried using permit udp any any eq snmp, with the same results.

Also, this seems to be blocking traffic both ways. In other words, I can't HTTP to a host in VLAN 28. Will this require ACLs inbound and outbound to work?

Your SNMP rule looks like it should work if a host (or hosts) on the Test VLAN is monitoring host 192.168.20.66 via SNMP. But if it's the other way around -- host 192.168.20.66 is monitoring hosts on the Test VLAN via SNMP -- then what you want is:

permit udp any eq snmp host 192.168.20.66

Because if the hosts on the Test VLAN are receiving queries on the SNMP port, then the return traffic, which will have the SNMP port as a *source* rather than a destination, is what will be processed by the ACL.

I don't understand what issue you're having with VLAN 28 (where are you trying to HTTP from?), but the ACL above will only filter traffic coming from the Test VLAN. But note that, as in the SNMP case above, this traffic can be return traffic; i.e., devices in the Test VLAN responding to traffic coming from other VLANs. So you have to keep this in mind when writing ACLs for inter-VLAN traffic, and may have to look into using either Reflexive ACLs or the IOS Firewall feature to help deal with this.
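As an added example (this is not code from the thread or from Cisco), the following Python script models the two points made in the replies above: which packets an ACL applied "in" or "out" on the test-VLAN SVI is actually consulted for, as the first reply describes, and why the SNMP reply, which carries port 161 as its source port, matches the accepted answer's ACE but not the original one. The evaluator implements only the ACE syntax used in this thread (any/host addresses with an optional eq port) and the implicit deny; the test-VLAN host 192.168.30.10 and the ephemeral ports are constructed for illustration, and the ACL names and subnets are taken from the original post.

```python
import ipaddress
from collections import namedtuple

# Port keywords used in the thread's ACL; IOS accepts names or numbers.
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68,
              "snmp": 161, "snmptrap": 162}

Packet = namedtuple("Packet", "proto src sport dst dport")
# sport/dport are None when that side of the ACE has no "eq" qualifier.
Ace = namedtuple("Ace", "action proto src sport dst dport")

def parse_ace(line):
    """Parse 'permit|deny proto (any|host A) [eq P] (any|host B) [eq P]'."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    fields = []
    for _ in ("source", "destination"):
        if rest[0] == "any":
            addr, rest = "any", rest[1:]
        elif rest[0] == "host":
            addr, rest = rest[1], rest[2:]
        else:
            raise ValueError(f"unsupported address syntax: {line!r}")
        port = None
        if rest and rest[0] == "eq":
            port = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
            rest = rest[2:]
        fields += [addr, port]
    if rest:
        raise ValueError(f"trailing tokens in: {line!r}")
    return Ace(action, proto, *fields)

def parse_acl(text):
    lines = [ln.strip() for ln in text.strip().splitlines()]
    return [parse_ace(ln) for ln in lines if ln and not ln.startswith("ip access-list")]

def ace_matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto) and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst) and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))

def evaluate(acl, pkt):
    """First matching ACE wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

def svi_filter(acl, direction, vlan_subnet, pkt):
    """'ip access-group <acl> in|out' on the SVI of vlan_subnet: "in" is
    consulted for packets arriving from hosts in the VLAN (source in subnet),
    "out" for packets routed toward the VLAN (destination in subnet).
    Packets the ACL is not consulted for are forwarded unfiltered."""
    net = ipaddress.ip_network(vlan_subnet)
    side = pkt.src if direction == "in" else pkt.dst
    return evaluate(acl, pkt) if ipaddress.ip_address(side) in net else "permit"

ORIGINAL_ACL = """
ip access-list extended test
permit tcp any host 192.168.20.5 eq 80
permit tcp any host 192.168.20.10 eq 443
permit udp any host 192.168.20.11 eq 1645
permit udp any host 192.168.20.11 eq 1646
permit udp any host 192.168.20.55 eq domain
permit udp any host 192.168.20.55 eq bootpc
permit udp any host 192.168.20.66 eq snmp
deny ip any any
"""
SNMP_ACE_ORIG = "permit udp any host 192.168.20.66 eq snmp"
SNMP_ACE_FIXED = "permit udp any eq snmp host 192.168.20.66"  # accepted answer
TEST_VLAN = "192.168.30.0/24"

# Constructed traffic: a test-VLAN host querying the campus DNS server, and
# the campus SNMP manager (192.168.20.66) polling a test-VLAN host.
DNS_QUERY = Packet("udp", "192.168.30.10", 40000, "192.168.20.55", 53)
DNS_REPLY = Packet("udp", "192.168.20.55", 53, "192.168.30.10", 40000)
SNMP_POLL = Packet("udp", "192.168.20.66", 50000, "192.168.30.10", 161)
SNMP_REPLY = Packet("udp", "192.168.30.10", 161, "192.168.20.66", 50000)

def demo():
    acl = parse_acl(ORIGINAL_ACL)
    fixed = parse_acl(ORIGINAL_ACL.replace(SNMP_ACE_ORIG, SNMP_ACE_FIXED))
    return {
        # Outbound on the test VLAN (the poster's first attempt): only the
        # reply is consulted, and no ACE matches a packet *from* .55 port 53.
        "out_dns_query": svi_filter(acl, "out", TEST_VLAN, DNS_QUERY),
        "out_dns_reply": svi_filter(acl, "out", TEST_VLAN, DNS_REPLY),
        # Inbound (first reply): the query is permitted, the reply not seen.
        "in_dns_query": svi_filter(acl, "in", TEST_VLAN, DNS_QUERY),
        "in_dns_reply": svi_filter(acl, "in", TEST_VLAN, DNS_REPLY),
        # Inbound SNMP: the reply has snmp as its *source* port, which only
        # the accepted answer's ACE matches.
        "in_snmp_poll": svi_filter(acl, "in", TEST_VLAN, SNMP_POLL),
        "in_snmp_reply_orig": svi_filter(acl, "in", TEST_VLAN, SNMP_REPLY),
        "in_snmp_reply_fixed": svi_filter(fixed, "in", TEST_VLAN, SNMP_REPLY),
    }
```

Running demo() shows the DNS reply being dropped only when the ACL is outbound, and the SNMP reply being dropped inbound until the source-port form of the ACE is used. Note that the fixed ACE permits any UDP packet sourced from port 161 toward 192.168.20.66, not just genuine responses; that loss of precision is exactly why the accepted answer points to Reflexive ACLs or the IOS Firewall feature for return traffic.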