Solved: Re: IP Access lists on a 3750

clydeds · ‎07-26-2006

I have a stacked 3750 with 3 VLAN's. VLAN1 for management, VLAN 2 for the production network and VLAN 3 for test. I need to restrict HTTP from VLAN 3 to a few hosts in VLAN2. I've attached the configuration I am using. This does not seem to work. Any ideas on what I am doing wrong.

Richard Burts · ‎07-27-2006

Clyde

OK. With this understanding of your requirements I suggest this access list. Assuming that all clients in VLAN 3 (10.1.3.0) need access to a few servers in VLAN 2 and to no other resources in VLAN 2. Assume that the servers are 10.1.2.5, 10.1.2.11, and 10.1.2.33.

ip access-list extended block-www

permit tcp 10.1.3.0 0.0.0.255 host 10.1.2.5 eq www

permit tcp 10.1.3.0 0.0.0.255 host 10.1.2.11 eq www

permit tcp 10.1.3.0 0.0.0.255 host 10.1.2.33 eq www

deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255

interface vlan 3

ip access-group block-www in

This will allow any device in vlan 3 to access the 3 servers in vlan 2 for HTTP and will not allow vlan 3 to access anything else. It is not clear in your requirements whether VLAN 3 should access anything in the management VLAN (VLAN 1) or should be able to access anything outside. If there should be that access then you would need to add some appropriate permit statements at the bottom of the access list.

Also note that this will not allow anything like DNS access from VLAN 3 if the DNS server is in VLAN 2. That was not part of the stated requirement but I wonder if it will be needed.

HTH

Rick

HTH

Rick

View solution in original post

gwhuang5398 · ‎07-26-2006

I think you need to apply the ACL to the ports in vlan 3 instead of interface vlan3. For example:

int fe xx

ip access-group 100 in

On 3750 int vlan is a virtual interface. There's no in/out differentiation on it.

Let me know how it works out for you.

Gary

abhishek_nandavat · ‎07-26-2006

Hi,

Have you configured the ACL on the stack-master switch??? Moreover it would be better to apply the ACL on the Layer 2 interface which is a member of the VLAN, rather than applying an ACL over the layer 3 VLAN interface.

Although the ACL seems fine to me.

Refer the following link, it might be of some help.

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00805023ee.html#wp1098864

Hope this helps.

Regards,

AbhisheK

Please rate all posts!!!

clydeds · ‎07-27-2006

Thanks. The ACL is presently configured on the stack master. Applying the ACL to L2 interfaces may not be possible since all the L2 interfaces that belonmg to the VLAN 3 are on either 3550 or 3524 switches. The 3750 stack is used as a "core" to hook up all the others.

royalblues · ‎07-27-2006

Clyde,

Do u see hitcounts on your access-list when you try to access HTTP

Narayan

attrgautam · ‎07-27-2006

Can you try with VLAN Maps and see if it works

clydeds · ‎07-27-2006

As per your suggestion I tried VLAN maps and it did not work. Then again I am not too familiar with this feature and I may have messed up. Here is the config I tried.

conf t

ip access-list extended 100

permit tcp 10.1.2.0 255.255.255.0 eq www host 10.1.3.3

permit tcp 10.1.2.0 255.255.255.0 eq www host 10.1.3.4

deny tcp 10.1.2.0 255.255.255.0 eq www any

permit tcp any any

exit

ip access-list extended 101

permit ip any any

exit

vlan access-map maphttp 10

match ip address 100

action drop

exit

vlan access-map maphttp 20

match ip address 101

action forward

exit

vlan filter maphttp vlan 2

end

I applied it to both VLAN 3 and VLAN 2

clydeds · ‎07-27-2006

No I don't see any hit counts. It possibly does not work due to the fact that I've applied it to the VLAN instead of to the physical port(as suggested by two other posts)

Richard Burts · ‎07-27-2006

Clyde

There are a couple of things that I would like to clarify about your situation. You mention restricting HTTP from VLAN 3 to a few hosts in VLAN 2. You have not been clear what the IP addressing scheme is. Your access list implies that the specific hosts are in subnet 10.1.3.0. Is that correct? Is VLAN 2 10.1.3.0 and is VLAN 3 10.1.2.0?

I think that there is an issue with the placement of the access list. While you certainly can make it work to put the access list outbound on VLAN 3 I think it would be better if the access list was applied inbound on VLAN 3 or was applied outbound on VLAN 2. Your placement of the access list will forward the traffic from VLAN 3 to the server on VLAN 2 and will filter the response as it is sent back to VLAN 3. That is less efficient than filtering it on the way out of VLAN 3 or filtering it on the way into VLAN 2 (either of these will prevent the packets from getting to the server where your placement will prevent the response from getting to the host).

Given the way that the access list is applied there is also a problem with the identification of the ports. Your access list specifies www as the destination port. But the way that you have applied the access list www should be the source port rather than the destination port.

If you change the access list to be inbound on VLAN 3 it should work. Or if you change the access list so that www is the source port instead of the destination port it should work.

HTH

Rick

HTH

Rick

clydeds · ‎07-27-2006

Rick

VLAN2 is 10.2.2.0 and VLAN3 is 10.1.30

I've tried this access list inbound and outbound on both VLAN 3 and VLAN2 with no success.

As per your suggestion I also tried specifying www as the source port with the same result.

Any other suggestions.

Clyde

royalblues · ‎07-27-2006

Clyde,

Since you are not getting any hitcounts on the access-list, try checking by debugging the traffic.

debug ip packet 100 detail.

ALso let us know the tests carried out.

Narayan

clydeds · ‎07-27-2006

Tried it still nothing. I applied the access -group both inbound and outbound to both VLAN 2 and VLAN 3 and do not see any relevant hits on the access list. The only hits I get are on the permit at the end of the ACL

permit tcp any any log (95 matches)

and these are from a server at some other site on the WAN trying to access some non-existent device.

The tests carried out are browsing to 10.1.3.3, 10.1.3.4 (which should succeed) and 10.1.3.5 and 10.1.3.6 (which should fail).Thanks for your help

Clyde

Richard Burts · ‎07-27-2006

Clyde

I suggest that you try this access list:

ip access-list extended block-www

permit tcp host 10.1.3.3 10.1.2.0 0.0.0.255 eq www

permit tcp host 10.1.3.4 10.1.2.0 0.0.0.255 eq www

deny tcp 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255 eq www

permit ip any any

interface vlan3

ip access-group block-www in

note that this will affect HTTP but not HTTPS

Try this and let us know how it does.

{edit} as I submit this I re-read the original post and I am not sure that I correctly understand your requirements. The original post says that you want to restrict HTTP from VLAN 3 to a few hosts in VLAN 2. Are you saying restrict a few clients in VLAN 3 from accessing servers anywhere in VLAN 2 (which is what the access list does) or are you intending something different - is it all clients in VLAN 3 to a few servers in VLAN 2 or is it clients in VLAN 2 to servers in VLAN 3? If you will clarify the requirements then we can get the right access list.

HTH

Rick

HTH

Rick

clydeds · ‎07-27-2006

Rick

I need to allow all clients in VLAN 3 HTTP access to some servers in VLAN 2 and deny them from accessing all the other servers on VLAN 2.

VLAN 3 is 10.1.3.0 and VLAN 2 is 10.1.2.0

TIA

Clyde

Richard Burts · ‎07-27-2006

Clyde

OK. With this understanding of your requirements I suggest this access list. Assuming that all clients in VLAN 3 (10.1.3.0) need access to a few servers in VLAN 2 and to no other resources in VLAN 2. Assume that the servers are 10.1.2.5, 10.1.2.11, and 10.1.2.33.

ip access-list extended block-www

permit tcp 10.1.3.0 0.0.0.255 host 10.1.2.5 eq www

permit tcp 10.1.3.0 0.0.0.255 host 10.1.2.11 eq www

permit tcp 10.1.3.0 0.0.0.255 host 10.1.2.33 eq www

deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255

interface vlan 3

ip access-group block-www in

This will allow any device in vlan 3 to access the 3 servers in vlan 2 for HTTP and will not allow vlan 3 to access anything else. It is not clear in your requirements whether VLAN 3 should access anything in the management VLAN (VLAN 1) or should be able to access anything outside. If there should be that access then you would need to add some appropriate permit statements at the bottom of the access list.

Also note that this will not allow anything like DNS access from VLAN 3 if the DNS server is in VLAN 2. That was not part of the stated requirement but I wonder if it will be needed.

HTH

Rick

HTH

Rick