Off the wall- possible ACL question- deny all service

JasonKtylu
Level 1

Ok, this was a first for me, so I am seeking some advice and/or assistance. My boss came to me with an unusual request. I worked for quite some time in networking, but it's been a few years since I had to do anything in a switch, so I have a question for you smart networking folks.

My boss brought me this problem, and I'm struggling on it, or maybe I'm just making it too hard?

Anyways, we have 2 devices on an internal network. Device A is a high-end electrical device used to take images of items on a level like 10000x; anyhow, those images need to come off of there and onto a singular computer (Device B). All done with one managed switch in between the 2 devices. Nothing else connected, no internet, nothing.

Easy right?

1. No other data of any kind is allowed onto device A, which means block all traffic from B to A. No access of any kind.

2. Allow images, likely .img or .jpg (I don't really know yet), to be exported from A to B.

3. Device B will be a part of the existing network, so it needs to be able to do everything else as normal: internet, servers, etc.

4. Boss is ordering the switch this week; I don't have the exact model yet, but it will be managed and nothing too fancy, since it is just going to have those 2 devices connected to it.

5. The PC only has one port, so I'm just wondering: am I going to have to connect the existing network to the switch and run a separate cable from the switch out to device A, device B, and of course the data drop?

So how would I go about this? Or the best way?

My thoughts... 2 ACLs, let's just say 1 and 100:

Switch(config)# access-list 100 deny tcp host 192.168.1.1 any eq www

Switch(config)# access-list 1 permit 192.168.2.1

One gets traffic, one does not. Well, that won't work either; this is going to have to be done for each of the 3 ports, right?

So let's say we have eth0/1, eth0/2, eth0/3.

Port 1, that can be the internet coming into the switch from the network.

Port 2, cable from device B, which needs internet access, and is the host for the images coming off of device B.

Port 3, cable from device B, no inbound traffic of any kind allowed, but able to send out images to device B from A.

Better to do this by MAC? What should the config look like? I'm likely making this harder than it should be, but it really has been quite some time.

5 Replies

Francesco Molino
VIP Alumni
Hi

The layer 3 ACLs need to be applied on your SVIs.

Reading your different scenarios, I believe a private VLAN should help you out in achieving your goals.

However, I'm having a hard time understanding them all.

Your server is A and client B.
Just to summarize:
- B can access A and internet
- A can access only B
Am I right?
Then you talked about specific traffic like images and/or protocols.
Do you want to filter the protocol being used from A to B and also limit the transfer to images only?

Are B and A in the same VLAN? And what about the internet VLAN?
At the end of the post, I maybe misinterpreted it, but you're talking about a switch with 3 ports being used, which led me to the conclusion that you would have all these 3 devices in the same VLAN.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Ok, let me try and clarify this as much as possible.

Three devices,

1. Device A, or microscope

2. Device B, computer

3. Device C, the switch we are ordering

Now, the switch will have to be a managed layer 3, if I am not mistaken. Just because I don't think on the port level I can control the traffic other than the multicast option.

The attached drawing should help with the traffic arrows on what I am trying to get done.

A couple of key things...

1. The microscope needs to be completely isolated from the rest of the network.

2. Hence the reason to put a switch in between it and the computer it will talk to.

3. No traffic is allowed from the computer or the internet to the microscope.

4. The microscope will send images from it to the computer attached via the switch.

5. Remember, I just have to isolate the microscope so nothing can get to it.

6. The microscope needs to be able to send .img or .jpeg files to the computer attached.

7. Since the computer only has one eth port, I am figuring the managed switch is the best solution to isolate the microscope from the internet.

8. I'm open to other suggestions.

9. It's been a very long time; I can get a config into a new switch, I'm just extremely rusty on everything else.

10. This should not be very complicated, right? All I want to do is allow full traffic to one device in a switch, and only outbound from the microscope to the switch and then on to the PC with its image files.

Hopefully my little diagram helps.

P.S. I do not have the switch model; we have not placed an order yet. I am convinced from previous knowledge it needs to be a layer 3 switch, as stated before.

Thanks for the advice here :/

Attachment: Microscope.jpg

A private VLAN could answer your needs. However, with a switch it will be very difficult to allow only image exchange.
If you have an L3 switch, you can place all devices (microscope and PC) in different VLANs and use ACLs with the reflexive feature.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
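One way to implement the two-VLAN plus reflexive-ACL approach from the reply above on a Cisco IOS layer 3 switch, as an added example that is not part of this thread or the poster's config: the VLAN numbers, addresses, port assignments and ACL names are all assumptions, and the microscope is assumed to initiate (push) the file transfer toward the PC, since that is the only direction permitted.

```cisco
! Added example (not from the thread). Addresses, VLAN numbers and port
! assignments are assumptions; the microscope is assumed to INITIATE the
! transfer toward the PC, because only microscope-opened sessions pass.
vlan 10
 name MICROSCOPE
vlan 20
 name PC-AND-LAN
!
interface GigabitEthernet0/3
 description Device A - microscope (alone in VLAN 10, so no L2 neighbours)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 description Device B - PC
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/1
 description Data drop to the existing network
 switchport mode access
 switchport access vlan 20
!
ip routing
!
! Microscope gateway. "in" = packets from the microscope, "out" = packets toward it.
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
 ip access-group SCOPE-OUTBOUND in
 ip access-group SCOPE-INBOUND out
!
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
!
! From the microscope: only sessions to the PC, and each one is recorded
! in the SCOPE-SESSIONS reflexive list for 300 s of idle time.
ip access-list extended SCOPE-OUTBOUND
 permit tcp host 192.168.10.1 host 192.168.20.1 reflect SCOPE-SESSIONS timeout 300
 permit udp host 192.168.10.1 host 192.168.20.1 reflect SCOPE-SESSIONS timeout 300
 deny ip any any log
!
! Toward the microscope: only replies to sessions it opened; anything
! PC-initiated, from the internet or from other LAN hosts is dropped and logged.
ip access-list extended SCOPE-INBOUND
 evaluate SCOPE-SESSIONS
 deny ip any any log
```

The PC (or the existing network's router) needs a route to 192.168.10.0/24 via 192.168.20.254 so its replies reach the microscope, and reflexive ACLs are not supported on every Catalyst platform, so confirm support for the model before ordering it.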

I actually am in the middle of getting a layer 3 for just that reason. I am trying to remember everything else I am going to need in here, though, so while I have the basic outline, the rest of the config for the data port and the two used ports for the devices (computer and microscope), and limiting their traffic to what we want to allow, as you said, with a VLAN most likely.

If you're getting a Cisco Catalyst layer 3 switch, you'll be able to handle any design you choose.
However, limiting traffic to only images won't be possible.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question