07-26-2006 12:39 PM - edited 03-03-2019 04:14 AM
I have a stacked 3750 with 3 VLANs: VLAN 1 for management, VLAN 2 for the production network and VLAN 3 for test. I need to restrict HTTP from VLAN 3 to a few hosts in VLAN 2. I've attached the configuration I am using. This does not seem to work. Any ideas on what I am doing wrong?
07-27-2006 11:23 AM
Clyde
OK. With this understanding of your requirements I suggest this access list. Assuming that all clients in VLAN 3 (10.1.3.0) need access to a few servers in VLAN 2 and to no other resources in VLAN 2. Assume that the servers are 10.1.2.5, 10.1.2.11, and 10.1.2.33.
ip access-list extended block-www
permit tcp 10.1.3.0 0.0.0.255 host 10.1.2.5 eq www
permit tcp 10.1.3.0 0.0.0.255 host 10.1.2.11 eq www
permit tcp 10.1.3.0 0.0.0.255 host 10.1.2.33 eq www
deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
interface vlan 3
ip access-group block-www in
This will allow any device in vlan 3 to access the 3 servers in vlan 2 for HTTP and will not allow vlan 3 to access anything else. It is not clear in your requirements whether VLAN 3 should access anything in the management VLAN (VLAN 1) or should be able to access anything outside. If there should be that access then you would need to add some appropriate permit statements at the bottom of the access list.
Also note that this will not allow anything like DNS access from VLAN 3 if the DNS server is in VLAN 2. That was not part of the stated requirement but I wonder if it will be needed.
HTH
Rick
07-26-2006 12:59 PM
I think you need to apply the ACL to the ports in vlan 3 instead of interface vlan3. For example:
int fe xx
ip access-group 100 in
On 3750 int vlan is a virtual interface. There's no in/out differentiation on it.
Let me know how it works out for you.
Gary
07-26-2006 09:58 PM
Hi,
Have you configured the ACL on the stack-master switch? Moreover, it would be better to apply the ACL on the Layer 2 interface which is a member of the VLAN, rather than applying an ACL on the Layer 3 VLAN interface.
Although the ACL seems fine to me.
Refer to the following link; it might be of some help.
Hope this helps.
Regards,
AbhisheK
Please rate all posts!!!
07-27-2006 01:53 AM
Thanks. The ACL is presently configured on the stack master. Applying the ACL to L2 interfaces may not be possible since all the L2 interfaces that belong to VLAN 3 are on either 3550 or 3524 switches. The 3750 stack is used as a "core" to hook up all the others.
07-27-2006 03:46 AM
Clyde,
Do you see hit counts on your access-list when you try to access HTTP?
Narayan
07-27-2006 03:50 AM
Can you try with VLAN maps and see if it works?
07-27-2006 08:25 AM
As per your suggestion I tried VLAN maps and it did not work. Then again I am not too familiar with this feature and I may have messed up. Here is the config I tried.
conf t
!
! ACL 100 is the classifier for the drop entry of the map. Wildcard masks are
! inverted subnet masks (0.0.0.255 for a /24, not 255.255.255.0). In a VLAN
! access map a permit ACE means "this entry applies to the packet" and a deny
! ACE means "not matched here, try the next sequence", so as written the two
! permit lines select the HTTP replies to 10.1.3.3 and 10.1.3.4 for the drop
! action, the deny line lets HTTP replies to every other host fall through to
! sequence 20 (forward), and the final permit tcp any any drops all other TCP.
!
ip access-list extended 100
 permit tcp 10.1.2.0 0.0.0.255 eq www host 10.1.3.3
 permit tcp 10.1.2.0 0.0.0.255 eq www host 10.1.3.4
 deny tcp 10.1.2.0 0.0.0.255 eq www any
 permit tcp any any
exit
! ACL 101 matches everything else for the forward entry.
ip access-list extended 101
 permit ip any any
exit
vlan access-map maphttp 10
 match ip address 100
 action drop
exit
vlan access-map maphttp 20
 match ip address 101
 action forward
exit
! The keyword is vlan-list; listing both VLANs applies the map to VLAN 2 and VLAN 3.
vlan filter maphttp vlan-list 2,3
end
I applied it to both VLAN 3 and VLAN 2
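Both the router ACL in Rick's accepted answer (the block-www list applied inbound on interface vlan 3) and the VLAN access map in the post above depend on two pieces of IOS semantics that are easy to get backwards: a wildcard mask is an inverted subnet mask, and in a VLAN access map the matched ACL is only a classifier, where a permit ACE selects the packet for the entry's action and a deny ACE (or no match) falls through to the next sequence. The Python model below is an added example, not code from the thread or from Cisco; it re-implements just enough of the evaluation to run both configurations against constructed flows. The client 10.1.3.7, the servers 10.1.2.5 and 10.1.2.9, the DNS and SSH flows, and the "fixed" classifier are assumptions for the example; only tcp/udp/ip, host/any, wildcard masks and `eq <port>` are modelled, and established/return-traffic handling is left out.

```python
# Added example (not from the thread): a model of IOS extended-ACL and
# VLAN-access-map evaluation. Flows and addresses below are constructed.
import ipaddress

PORTS = {"www": 80, "domain": 53}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wc_match(addr, base, wildcard):
    """Cisco wildcard: a 1 bit is 'don't care', a 0 bit must match.
    0.0.0.255 covers a /24; 255.255.255.0 only matches a .0 address."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return _ip(addr) & care == _ip(base) & care

def parse_ace(text):
    """Parse 'permit tcp 10.1.3.0 0.0.0.255 host 10.1.2.5 eq www' and the like."""
    tok, pos = text.split(), 2

    def addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    def port():
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return PORTS.get(tok[pos - 1]) or int(tok[pos - 1])
        return None

    src, sport = addr(), port()
    dst, dport = addr(), port()
    return {"action": tok[0], "proto": tok[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and wc_match(pkt["src"], *ace["src"])
            and wc_match(pkt["dst"], *ace["dst"])
            and ace["sport"] in (None, pkt["sport"])
            and ace["dport"] in (None, pkt["dport"]))

def router_acl(acl, pkt):
    """Router ACL on an SVI: first matching ACE decides, implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

def vlan_map(entries, acls, pkt):
    """VLAN access map: a permit ACE in the matched ACL applies the entry's action;
    a deny ACE or no match falls through to the next sequence; implicit drop."""
    for _seq, name, action in entries:
        for ace in acls[name]:
            if ace_matches(ace, pkt):
                if ace["action"] == "permit":
                    return action
                break
    return "drop"

def flow(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

# Rick's suggested list, applied inbound on interface vlan 3.
BLOCK_WWW = [parse_ace(l) for l in (
    "permit tcp 10.1.3.0 0.0.0.255 host 10.1.2.5 eq www",
    "permit tcp 10.1.3.0 0.0.0.255 host 10.1.2.11 eq www",
    "permit tcp 10.1.3.0 0.0.0.255 host 10.1.2.33 eq www",
    "deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255")]
ANY = [parse_ace("permit ip any any")]
# The posted map's classifier: its permit lines select the allowed replies for drop.
POSTED_ACLS = {"100": [parse_ace(l) for l in (
    "permit tcp 10.1.2.0 0.0.0.255 eq www host 10.1.3.3",
    "permit tcp 10.1.2.0 0.0.0.255 eq www host 10.1.3.4",
    "deny tcp 10.1.2.0 0.0.0.255 eq www any",
    "permit tcp any any")], "101": ANY}
# Assumed fix: deny excludes the allowed hosts, permit selects the rest for drop.
FIXED_ACLS = {"100": [parse_ace(l) for l in (
    "deny tcp 10.1.2.0 0.0.0.255 eq www host 10.1.3.3",
    "deny tcp 10.1.2.0 0.0.0.255 eq www host 10.1.3.4",
    "permit tcp 10.1.2.0 0.0.0.255 eq www any")], "101": ANY}
MAP_HTTP = [(10, "100", "drop"), (20, "101", "forward")]

if __name__ == "__main__":
    for p in (flow("tcp", "10.1.3.7", 40000, "10.1.2.5", 80),
              flow("tcp", "10.1.3.7", 40000, "10.1.2.9", 80),
              flow("udp", "10.1.3.7", 53000, "10.1.2.5", 53)):
        print("router ACL ->", p["dst"], p["dport"], router_acl(BLOCK_WWW, p))
    for p in (flow("tcp", "10.1.2.5", 80, "10.1.3.3", 40000),
              flow("tcp", "10.1.2.5", 80, "10.1.3.9", 40000),
              flow("tcp", "10.1.2.5", 22, "10.1.3.3", 40000)):
        print("posted/fixed map ->", p["sport"], p["dst"],
              vlan_map(MAP_HTTP, POSTED_ACLS, p), vlan_map(MAP_HTTP, FIXED_ACLS, p))
```

Running the script shows the accepted list permitting HTTP only to the three named servers and, as Rick's caveat says, denying DNS to the same server, while the posted map drops the HTTP replies to 10.1.3.3, forwards the replies to hosts that were meant to be blocked, and drops every other TCP flow because of the trailing permit tcp any any. The assumed classifier excludes the allowed hosts with deny ACEs and permits only the remaining HTTP replies, which is what makes the drop entry do what the post intended. The wc_match helper also makes the mask mistake concrete: with 255.255.255.0 as a wildcard, 10.1.2.5 does not match 10.1.2.0 but 192.0.2.0 does.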
07-27-2006 04:54 AM
No, I don't see any hit counts. It possibly does not work due to the fact that I've applied it to the VLAN instead of to the physical port (as suggested by two other posts).
07-27-2006 05:00 AM
Clyde
There are a couple of things that I would like to clarify about your situation. You mention restricting HTTP from VLAN 3 to a few hosts in VLAN 2. You have not been clear about what the IP addressing scheme is. Your access list implies that the specific hosts are in subnet 10.1.3.0. Is that correct? Is VLAN 2 10.1.3.0 and is VLAN 3 10.1.2.0?
I think that there is an issue with the placement of the access list. While you certainly can make it work to put the access list outbound on VLAN 3 I think it would be better if the access list was applied inbound on VLAN 3 or was applied outbound on VLAN 2. Your placement of the access list will forward the traffic from VLAN 3 to the server on VLAN 2 and will filter the response as it is sent back to VLAN 3. That is less efficient than filtering it on the way out of VLAN 3 or filtering it on the way into VLAN 2 (either of these will prevent the packets from getting to the server where your placement will prevent the response from getting to the host).
Given the way that the access list is applied there is also a problem with the identification of the ports. Your access list specifies www as the destination port. But the way that you have applied the access list www should be the source port rather than the destination port.
If you change the access list to be inbound on VLAN 3 it should work. Or if you change the access list so that www is the source port instead of the destination port it should work.
HTH
Rick
07-27-2006 06:17 AM
Rick
VLAN 2 is 10.2.2.0 and VLAN 3 is 10.1.3.0.
I've tried this access list inbound and outbound on both VLAN 3 and VLAN 2 with no success.
As per your suggestion I also tried specifying www as the source port, with the same result.
Any other suggestions?
Clyde
07-27-2006 08:04 AM
Clyde,
Since you are not getting any hit counts on the access-list, try checking by debugging the traffic:
debug ip packet 100 detail
Also let us know the tests carried out.
Narayan
07-27-2006 09:20 AM
Tried it, still nothing. I applied the access-group both inbound and outbound to both VLAN 2 and VLAN 3 and do not see any relevant hits on the access list. The only hits I get are on the permit at the end of the ACL
permit tcp any any log (95 matches)
and these are from a server at some other site on the WAN trying to access some non-existent device.
The tests carried out are browsing to 10.1.3.3, 10.1.3.4 (which should succeed) and 10.1.3.5 and 10.1.3.6 (which should fail). Thanks for your help.
Clyde
07-27-2006 08:56 AM
Clyde
I suggest that you try this access list:
ip access-list extended block-www
permit tcp host 10.1.3.3 10.1.2.0 0.0.0.255 eq www
permit tcp host 10.1.3.4 10.1.2.0 0.0.0.255 eq www
deny tcp 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255 eq www
permit ip any any
interface vlan3
ip access-group block-www in
Note that this will affect HTTP but not HTTPS.
Try this and let us know how it does.
{edit} as I submit this I re-read the original post and I am not sure that I correctly understand your requirements. The original post says that you want to restrict HTTP from VLAN 3 to a few hosts in VLAN 2. Are you saying restrict a few clients in VLAN 3 from accessing servers anywhere in VLAN 2 (which is what the access list does) or are you intending something different - is it all clients in VLAN 3 to a few servers in VLAN 2 or is it clients in VLAN 2 to servers in VLAN 3? If you will clarify the requirements then we can get the right access list.
HTH
Rick
07-27-2006 09:35 AM
Rick
I need to allow all clients in VLAN 3 HTTP access to some servers in VLAN 2 and deny them from accessing all the other servers on VLAN 2.
VLAN 3 is 10.1.3.0 and VLAN 2 is 10.1.2.0
TIA
Clyde