Help with a Port ACL to allow only Internet Access

Matthew Martin
Level 5

Hello All,

We've recently had an outside company come in and install their networking gear inside one of our buildings for all the LAN traffic. But we still have our own core switch in place, which their gear terminates to. Their network switches terminate into 4 ports on our 9500.

There are 2 subnets which used to be VLAN interfaces on the 9500; those gateway addresses have since moved over to the 3rd-party gear, so the old VLAN interfaces are shut down. Now all the traffic from their gear flows into our 9500 and then we route it where it needs to go.

So I created an ACL and placed it on the 4 uplink interfaces where their gear connects to ours. There are 2 subnets that we want segregated and allowed Internet access ONLY. Those 2 subnets are 10.5.208.0/24 and 10.5.207.0/24.

!
ip access-list extended BYOD-ACL
 10 deny   ip 10.5.208.0 0.0.0.255  10.0.0.0 0.255.255.255
 20 deny   ip 10.5.208.0 0.0.0.255  192.168.0.0 0.0.255.255
 21 deny   ip 10.5.208.0 0.0.0.255  172.0.0.0 0.255.255.255
 30 deny   ip 10.5.207.0 0.0.0.255  10.0.0.0 0.255.255.255
 40 deny   ip 10.5.207.0 0.0.0.255  192.168.0.0 0.0.255.255
 60 deny   ip 10.5.207.0 0.0.0.255  172.0.0.0 0.255.255.255
 70 permit ip any any
!
!
interface TwentyFiveGigE1/0/11
 description LAN Switching - 10.5.254.1
 no switchport
 ip address 10.5.254.1 255.255.255.252
 ip access-group BYOD-ACL in
!
interface TwentyFiveGigE1/0/12
 description LAN Switching - 10.5.254.9
 no switchport
 ip address 10.5.254.9 255.255.255.252
 ip access-group BYOD-ACL in
!
interface TwentyFiveGigE2/0/11
 description LAN Switching - 10.5.254.5
 no switchport
 ip address 10.5.254.5 255.255.255.252
 ip access-group BYOD-ACL in
 no keepalive
!
interface TwentyFiveGigE2/0/12
 description LAN Switching - 10.5.254.13
 no switchport
 ip address 10.5.254.13 255.255.255.252
 ip access-group BYOD-ACL in
 no keepalive
!

I must be missing something because clients connected to the BYOD Wi-Fi on the 10.5.208.0/24 subnet have no Internet access.

Any help would be greatly appreciated.

-Matt

7 Replies

balaji.bandi
Hall of Fame
BYOD Wi-Fi on the 10.5.208.0/24 subnet have no Internet access.

How does your network diagram look? You only show the configuration of the switch, but do you have an Internet router or firewall taking care of NATing towards the ISP?

Have you added this block?

Do you have routing for that subnet to reach back to the WLC controller for the Wi-Fi?

BB


Matthew Martin
Level 5

Hey BB, thanks for the reply.

So I don't have anything official for the diagram. But, I can try and quickly make something to help visualize it...

The 208 and 207 subnets have always been existing subnets within our network, and we were previously controlling the client access via dACLs pushed out from Cisco ISE. But we no longer have ISE in place, and the company we are using that does the bulk of the LAN switching does not support dACLs.

My first instinct would have been to put the ACL on the VLAN interfaces configured on the 9500 core switch. However, when this company put in their switches, they became the gateway address for the 208 and 207 subnets as well as a few others. So I simply shut down those SVI interfaces. Everything was working fine, except that clients on 208 and 207 can reach internal resources, which we do not want.

We do have an FTD in place in this location, but currently it's only serving as a failover location for our website. So all Internet traffic flows out our SD-WAN provider's router, which also acts as a firewall as far as I know.

Thank you, but I am still looking at how they are connected and arranged - when you mentioned the SVI move?

You said it is all working and you want to move to the Cat 9500, right?

But you mentioned BYOD Wi-Fi - what is that? And you mentioned "when this company put in their switches".

If they are connecting their switch to your Cat 9K switch, are they connected at layer 2 or layer 3?

I do not see any SVI created on the Cat 9K switch. What gateway do they use for these subnets, 10.5.208.0/24 and 10.5.207.0/24?

BB


Matthew Martin
Level 5

As I was submitting my last comment, I think I figured out the problem...

When I was Googling around, I noticed similar BYOD/Guest Internet ACLs including explicit permits for DNS... And what I didn't really realize when I first created the ACLs was that the clients are still using our internal DNS servers.

So I added sequence 1 to the ACL below and they just reported back that Internet is now accessible. Now, I'm assuming that if someone on that network had tried to ping 8.8.8.8, for example, it would have worked. But they wouldn't have been able to resolve google.com in order to actually get there. So their phones and tablets were like, NOPE, no Internet access found.

ip access-list extended BYOD-ACL
 1 permit udp any any eq domain
 10 deny   ip 10.5.208.0 0.0.0.255 10.0.0.0 0.255.255.255
 20 deny   ip 10.5.208.0 0.0.0.255 192.168.0.0 0.0.255.255
 21 deny   ip 10.5.208.0 0.0.0.255 172.0.0.0 0.255.255.255
 30 deny   ip 10.5.207.0 0.0.0.255 10.0.0.0 0.255.255.255
 40 deny   ip 10.5.207.0 0.0.0.255 192.168.0.0 0.0.255.255
 60 deny   ip 10.5.207.0 0.0.0.255 172.0.0.0 0.255.255.255
 70 permit ip any any

Also, do you think the original ACL would have worked if those DHCP pools were configured to use 8.8.8.8 and 8.8.4.4 as DNS servers? Just curious...

-Matt
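To see concretely why the first ACL cut off the clients while the revised one works, here is an added Python example (not code from the thread or from Cisco) that parses the two ACLs exactly as posted above, applies IOS extended-ACL semantics (entries evaluated in sequence order, first match wins, implicit deny at the end, wildcard masks where 1-bits are don't-care), and evaluates a few constructed flows. The internal resolver address 10.5.1.10 and the internal web server 10.5.10.20 are constructed placeholders, not addresses from the thread.

```python
"""Simulate Cisco IOS extended-ACL evaluation against constructed BYOD flows.

Added example, not from the thread or from Cisco. It parses the ACL syntax as
posted above and evaluates flows against the original and revised versions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Original ACL as posted (the RFC 1918 denies, then permit any).
ORIGINAL_ACL = """
ip access-list extended BYOD-ACL
 10 deny   ip 10.5.208.0 0.0.0.255  10.0.0.0 0.255.255.255
 20 deny   ip 10.5.208.0 0.0.0.255  192.168.0.0 0.0.255.255
 21 deny   ip 10.5.208.0 0.0.0.255  172.0.0.0 0.255.255.255
 30 deny   ip 10.5.207.0 0.0.0.255  10.0.0.0 0.255.255.255
 40 deny   ip 10.5.207.0 0.0.0.255  192.168.0.0 0.0.255.255
 60 deny   ip 10.5.207.0 0.0.0.255  172.0.0.0 0.255.255.255
 70 permit ip any any
"""
# Revised ACL: sequence 1 permits DNS before the denies are reached.
REVISED_ACL = " 1 permit udp any any eq domain\n" + ORIGINAL_ACL

# IOS keyword port names used by this parser.
NAMED_PORTS = {"domain": 53, "bootps": 67, "bootpc": 68, "ntp": 123, "www": 80}


@dataclass
class Entry:
    seq: int
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol; otherwise udp/tcp/icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair to a network.

    Wildcard bits set to 1 are don't-care bits; only contiguous low-order
    wildcards (the common case, and all that this thread uses) are supported.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc != (1 << wc.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def _take_addr(tok: List[str], pos: int) -> Tuple[ipaddress.IPv4Network, int]:
    if tok[pos] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), pos + 1
    return wildcard_to_network(tok[pos], tok[pos + 1]), pos + 2


def _take_port(tok: List[str], pos: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' qualifier following an address."""
    if pos < len(tok) and tok[pos] == "eq":
        name = tok[pos + 1]
        return (NAMED_PORTS[name] if name in NAMED_PORTS else int(name)), pos + 2
    return None, pos


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue  # 'ip access-list' header, remark, or blank line
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        src, pos = _take_addr(tok, 3)
        _sport, pos = _take_port(tok, pos)  # source-port qualifier, unused here
        dst, pos = _take_addr(tok, pos)
        dport, pos = _take_port(tok, pos)
        entries.append(Entry(seq, action, proto, src, dst, dport))
    return sorted(entries, key=lambda e: e.seq)  # IOS evaluates in sequence order


def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching entry, or the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.seq
    return "deny", None  # every IOS ACL ends with an implicit deny


# Constructed flows from BYOD clients (placeholder internal addresses).
FLOWS = [
    ("DNS to internal resolver", "udp", "10.5.208.50", "10.5.1.10", 53),
    ("DNS to 8.8.8.8", "udp", "10.5.208.50", "8.8.8.8", 53),
    ("ping 8.8.8.8", "icmp", "10.5.208.50", "8.8.8.8", None),
    ("HTTP to internal server", "tcp", "10.5.207.33", "10.5.10.20", 80),
]

if __name__ == "__main__":
    original, revised = parse_acl(ORIGINAL_ACL), parse_acl(REVISED_ACL)
    for label, proto, src, dst, dport in FLOWS:
        before = evaluate(original, proto, src, dst, dport)
        after = evaluate(revised, proto, src, dst, dport)
        print(f"{label:26} original={before}  revised={after}")
```

Running it shows the failure mode from the post: with the original ACL a DNS query to an internal 10.x resolver hits sequence 10 and is dropped, while a ping to 8.8.8.8 falls through to sequence 70 and is permitted, so hosts with a working IP path still report "no Internet". Two checks worth noting from the simulation: `permit udp any any eq domain` at sequence 1 also permits UDP/53 from the BYOD subnets to every internal host, not just the resolvers, so narrowing the destination to the resolver addresses (and adding TCP/53 if the resolvers need it) tightens the policy; and `172.0.0.0 0.255.255.255` covers all of 172.0.0.0/8, which is wider than the RFC 1918 172.16.0.0/12 block and so denies some public address space as well.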

Because I do not have the whole picture of your network, I go by your information only.

For testing what gateway they are using, remove the ACL (in) and test; that confirms whether you have an ACL issue or some other issue.

I have not seen your DHCP server - what gateway and DNS are they using?

You should also allow the required ports for DHCP, DNS, ICMP, NTP and so on, the default protocols to allow.

Once it is all working you can look at the logs and close what is not required, rather than blocking all.

BB


@Matthew Martin if the DHCP pools were assigning the Google DNS servers, then the traffic would have matched the permit ip any any rule and been allowed. You'd probably need to allow DHCP in your ACL as well.

IMO, I would use Cisco Umbrella or Quad9 DNS resolvers, they will block threats such as malware, phishing, spyware, and botnets etc, this will provide better security than the Google DNS servers.

Matthew Martin
Level 5

Thanks Rob. Got it, thanks for the info.

I think we're going to just continue using our internal DNS servers for now... Was just using Google as an example. But, if we do end up using some non-internal DNS servers, I'll check out that info you supplied. Thanks again!

BB,
Understood on the allowing of the other protocols you mentioned. I think we are ok on the DHCP front, as the company handling the LAN switching is currently their DHCP server, and all of that would happen before it hits any of the ports on our 9500 switch.

Thanks for the help. Very much appreciated!

-Matt
