Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1537
Views
0
Helpful
2
Replies

3560 ACL issues

stacey.hummer
Level 1
Level 1

‎08-14-2012 07:41 AM - edited ‎02-20-2020 09:42 PM

Good day all,

Hopefully this is the right forum to ask my question?

Here it goes,

I have a 3560 switch attached to a 1941 router. The router does not below to us but is used for another organization to have access to our network. There is a static internal IP address that we have provided to this organization to allow access to our network. Unfortunately we are seeing ip address that are internal to their network coming into our network. I know the first thing would be to talk to the organization and get the to fix this issue, unfortunately they don't see this as an issue. Do to the nature of the connection (must be connected) I cannot just pull the plug. So my next best idea was to put in place a ACL only allow access into our network from the specific ip address we gave them. That way they would be forced to NAT their ip's into our network. The acl I put in place is fairly simple.

access-list 101 permit ip 10.2.0.60 0.0.0.0 any log

The connection to the router is through G0/18, so I place the access-group 101 in on that port. I then have an IDS system that captures all traffic on the network through port spanning. I am still seeing the traffic from their internal network 192.168.4.0/24.

I'm not sure why the ACL isn't preventing other traffic from coming into our network through their router?

Any help would be great.

Thanks

Stacey

Labels:
0 Helpful
2 Replies 2

nkarthikeyan
Level 7
Level 7

‎08-18-2012 06:38 AM

Hi Stacey,

Please have an access-list like the below.

access-list 101 permit ip host 10.2.0.60 any

access-list 101 deny ip any any

!

int gig 0/18

ip access-group 101 in

!

This should work when you have the routed interface. If you have the VLAN's configured for the router connecting interface. Then you may need to have the VLAN ACL to achieve this.

Please do rate if the given information helps.

By

Karthik

0 Helpful

Ramraj Sivagnanam Sivajanam
Level 4
Level 4

‎08-25-2012 03:36 AM

Hi There Stacey

How are you doing today? Before I begin, I'm assuming you've the sdm template routing enabled in your Cisco Catalyst 3560 http://www.booches.nl/2008/06/policy-based-routing-catalyst-3560/

What I would suggest you to do is to configure port based ACL in your Cisco Catalyst 3560. In your interface GigabitEthernet 0/8, you can configure ACLs as shown below;

!

vlan 20

name VLAN0020

!

interface Vlan20

ip address 10.2.0.254 255.255.255.0

!

int GigabitEthernet 0/8

description ### Link to Cisco ISR 1941 Router FE0/1 ###

switchport mode access

switchport access vlan 20

ip access-group 100 in

!

access-list remark ### To allow only 10.2.0.60/32 to access into internal LAN ###

access-list 100 permit ip host 10.2.0.60 any

access-list 100 deny ip any any log

!

Even though my solution works for you, this really isn't good enough based on Cisco SAFE's best practises and guidelines. You'll need to enable other Cisco technologies in your Cisco Catalyst 3560 such as storm-control, QOS (Policing, NOT Shaping and NOT Prioritization) etc. as well. This is to ensure and limit the possibility of DOS/DDOS attack coming from devices that belongs to the "other" organization (NAT-ted as IP 10.2.0.60/32) to your internal servers/resources. After all, I bet you've no clue how secure is their LAN, am I right?

The above-mentioned solution is something that I would like to call merely, a workaround. The "best" solution here is to place a Cisco FW (running in transparent mode) sitting right smack in between both the Cisco ISR 1941 Router and the Cisco Catalyst 3560 Switch. In your Cisco FW, you could then include other service modules e.g. AIP-SSM, CSC-SSM to further protect your LAN from the "other" organization.

Last but not least, you might wanna capture a network performance benchmark between the LAN from the "other" organization to your LAN i.e. 10.2.0.0/24 using tools such a iPerf (Freeware), assuming you don’t have one. This is because, it will come a time, when LAN users from the "other" organization will complain that accessing the network resources situated in your LAN is “slow”. To troubleshoot this isn't gonna be easy as slowness could be due to many reasons e.g. their LAN, the WAN Link, your LAN, the servers itself etc. Get this network performance benchmark done immediately, so that you can rule out your LAN being the culprit should such complains come in, the near future. Mind you, it will come, I know :-)

P/S: If you think this comment is useful, please do rate it nicely :-)     

Warm regards,
Ramraj Sivagnanam Sivajanam
Preview file
29 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents