Cisco Catalyst 4506 - ACL To Deny All IP Traffic Except Http Traffic

Digistras
Level 1

Hi all,

Currently we are using a Cisco Catalyst 4506 with IOS 12.2

(Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-ENTSERVICESK9-M),
Version 12.2(31)SG, RELEASE SOFTWARE (fc2)

and I have this VLAN named VLAN210 with an IP range of 172.18.212.0 to 172.18.212.255. All clients on VLAN210 obtain their IP addresses via DHCP from a remote DHCP server. After clients successfully obtain an IP address, they are only allowed to access the internet, but before that they need to go through a Juniper UAC Host Checker (a local network device) over http, and only after they pass the host checker conditions are they allowed to go to the internet, and ONLY to the internet. They also access the internet through a proxy which is in a remote location.

Now my question is:

1. What should be the correct syntax for the extended IP ACL to allow VLAN210 (172.18.212.0 to 172.18.212.255) traffic ONLY to use the internet (http) and nothing else? Can I deny all other IP traffic to them while allowing only http? As they are external users using their own computers, we don't want them pinging, scanning or sweeping for other IP addresses on the network.

2. I would hope that after applying the above ACL, VLAN210 clients would still be able to obtain the IP Addressing from the remote DHCP server.

As I'm rather new to ACLs, I will appreciate any help given. Thanks.

Cheers!!!

3 Replies

Jon Marshall
Hall of Fame

DHCP can be added to the acl.

More importantly, what exactly is the traffic flow?

You say the hosts need to go to the UAC using http.

Is this on the same subnet?

Whether or not it is on the same subnet, does the UAC forward the http request on to the proxy, or does the UAC simply verify and then allow the client to make its own http request?

Basically your acl would be dependent on which device is sending the http request. So the destination address in your acl would either be -

from the clients to the UAC using http, and then the UAC forwards request to proxy

or

from the clients to the proxy server

your acl would look like -

access-list 101 permit udp any eq bootpc any eq bootps   <-- this is for DHCP (client port 68 to server port 67, which is the direction seen inbound on the client vlan; matching only "eq bootpc" as the destination port would match the server's replies, not the client's requests)

access-list 101 permit tcp 172.18.212.0 0.0.0.255   <-- this is dependent on the question above

access-list 101 deny ip any any   <-- you don't actually need this line because all acls end with an implicit deny all but you may want to see how much traffic is dropped from this subnet

interface Vlan210

ip access-group 101 in

Note -

1) you mention only one 4500. If you have a pair and are using HSRP between them then you need to allow that in your acl as well

2) the UAC/proxy address cannot be referred to by DNS name without allowing DNS through the acl, i.e. my assumption is that the proxy address is sent to the client or configured on the client with an IP and not a DNS name.

Jon

Hi jon.marshall,

Thanks for your reply. I'll explain how the traffic flows:

1. Client boot up workstation

2. After booting up, the client obtains its IP address through DHCP from a remote DHCP server via the VLAN210 gateway (172.18.212.1)

3. An IP address is issued to the client (e.g. 172.18.212.128), and the client opens a web browser (HTTP) using a proxy (proxy.skynet.gov) with a DNS setting of skynet.gov.

4. The next hop is a Juniper Enforcer (a.k.a. firewall) with IP address 172.18.221.234 (Enforcer 1 - Master) and 172.18.221.235 (Enforcer 2 - Backup), which has a policy rule stating that for the client range 172.18.212.0 to 172.18.212.255 wanting to contact the proxy (proxy.skynet.gov), the next hop is the Juniper UAC Host Checker (with IP address 172.18.223.254).

Note: There are 2x physical Juniper Enforcers and only 1x Juniper Host Checker

5. The Juniper UAC Host Checker checks the client workstation to ensure that minimum requirements are met before allowing the client to go to the internet

6. Once clients pass the Juniper UAC Host Checker, traffic to the internet is then allowed.

7. Clients surf the internet.

8. End

To answer your questions:

i. The UAC is not on the same subnet however, all routing is done on the Cisco Catalyst 4506 and the UAC and VLAN are all on the 4506 too.

ii. I'm not sure if the Juniper UAC is the one that makes all HTTP requests for VLAN210 (172.18.212.0 to 172.18.212.255) or if it lets the client make its own HTTP request after it passes the host checker.

iii. Yes. I have 2x Cisco Catalyst 4506 and they are connected to each other through HSRP

iv. The proxy (proxy.skynet.gov) is configured on the clients browser.

Note: This is the DNS name of the proxy server, NOT the IP address of the proxy server.

I hope the above information is sufficient for your reference to provide me with the actual syntax for my requirement. Thanks.

Cheers!!!

ii. I'm not sure if the Juniper UAC is the one that makes all HTTP requests for VLAN210 (172.18.212.0 to 172.18.212.255) or if it lets the client make its own HTTP request after it passes the host checker.

Well, you're going to need to know that to write the acl.

If you are using HSRP you will need to add that as a permit to the acl between the 2 vlan interfaces.

If you are referring to a DNS name you need to know how they resolve that, i.e. if via a DNS server on another subnet you need to allow DNS as well.

Jon
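The following is an added example, not posted by anyone in the thread and not Cisco's or Juniper's own code. It writes out one candidate inbound ACL for Vlan210 that covers everything raised above (DHCP through the relay, HSRP hellos from the peer 4506, DNS to resolve proxy.skynet.gov, HTTP to the host checker at 172.18.223.254 and to the proxy, explicit deny of everything else) and then checks it with a small IOS extended-ACL evaluator against constructed sample flows. Everything the thread does not state is an assumption: the DNS server 172.18.220.53, the proxy at 172.18.230.8 port 8080, HSRP version 1 (224.0.0.2 udp/1985; HSRPv2 uses 224.0.0.102), the ACL name VLAN210-IN, and that the client makes its own HTTP request to the proxy once the host checker passes it (Jon's open question). The evaluator only understands `any`, `host`, wildcard masks and the `eq` port operator, which is all this ACL needs.

```python
import ipaddress

# Candidate config in IOS named-ACL syntax. Assumed (not from the thread): DNS server
# 172.18.220.53, proxy 172.18.230.8:8080, HSRPv1 group address 224.0.0.2 udp/1985.
CONFIG = """
ip access-list extended VLAN210-IN
 remark DHCP: client bootpc(68) -> server bootps(67); covers DISCOVER and unicast RENEW
 permit udp any eq bootpc any eq bootps
 remark HSRP hellos from the peer 4506 arrive inbound on this SVI
 permit udp any host 224.0.0.2 eq 1985
 permit udp 172.18.212.0 0.0.0.255 host 172.18.220.53 eq domain
 permit tcp 172.18.212.0 0.0.0.255 host 172.18.223.254 eq www
 permit tcp 172.18.212.0 0.0.0.255 host 172.18.230.8 eq 8080
 remark explicit deny so 'show access-lists' shows how much is dropped
 deny ip any any
!
interface Vlan210
 ip access-group VLAN210-IN in
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


def _wild_to_net(addr, wild):
    """'addr wildcard' -> network. IOS wildcard bits set to 1 mean 'don't care'."""
    mask = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wild}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _take_addr(tok):
    """Consume one address spec: any | host A | A WILDCARD. Returns (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return _wild_to_net(tok[0], tok[1]), tok[2:]


def _take_port(tok):
    """Consume an optional 'eq PORT' (the only port operator this toy supports)."""
    if tok and tok[0] == "eq":
        return PORT_NAMES.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok


def parse_acl(text):
    """Parse permit/deny entries; remark, interface and other lines are ignored."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, _ = _take_port(rest)
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def evaluate(rules, proto, src, sport, dst, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if ipaddress.ip_address(src) not in rsrc or ipaddress.ip_address(dst) not in rdst:
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action
    return "deny"


# Constructed sample flows (proto, src, sport, dst, dport) as they arrive inbound on Vlan210.
FLOWS = {
    "dhcp_discover":  ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "hsrp_hello":     ("udp", "172.18.212.3", 1985, "224.0.0.2", 1985),
    "dns_lookup":     ("udp", "172.18.212.128", 51234, "172.18.220.53", 53),
    "http_hostcheck": ("tcp", "172.18.212.128", 40000, "172.18.223.254", 80),
    "http_proxy":     ("tcp", "172.18.212.128", 40001, "172.18.230.8", 8080),
    "ping_enforcer":  ("icmp", "172.18.212.128", None, "172.18.221.234", None),
    "ssh_scan":       ("tcp", "172.18.212.128", 40002, "172.18.223.254", 22),
}


def check_flows(config=CONFIG):
    """Verdict ('permit'/'deny') for every sample flow under the given config."""
    rules = parse_acl(config)
    return {name: evaluate(rules, *flow) for name, flow in FLOWS.items()}


def permits_dhcp_discover(entry):
    """Does a single DHCP permit entry actually match the client's DISCOVER?"""
    return evaluate(parse_acl(entry), *FLOWS["dhcp_discover"]) == "permit"


if __name__ == "__main__":
    for name, verdict in check_flows().items():
        print(f"{name:14s} {verdict}")
    # 'eq bootpc' as the destination port matches server replies (68), not the client's request
    print("'permit udp any any eq bootpc' permits DISCOVER:",
          permits_dhcp_discover("permit udp any any eq bootpc"))
```

The two things worth taking from the run are the direction of the DHCP entry (an inbound ACL on the client SVI sees the client's request, source port 68 to destination port 67, so the permit has to name bootps as the destination) and that ping and a port scan against the enforcer and host checker fall through to the final deny, which is the behaviour the original question asked for.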
