Hi Rick and George,

In danger of getting very confused here! Ins - Outs - Shake it all about...

Objective:

Vlan1 10.10.1.0 - dhcp - access vlan1, 2 and 3 and internet gateway

Vlan2 10.10.2.0 - dhcp - access vlan2 only

Vlan3 10.10.3.0  - no dhcp - access vlan3 and internet gateway

internet gateway is 10.10.99.3 (vlan 99)

understanding the workings of the ACL:

ACL "in" for Vlan1  refers to hosts on the 10.10.1.0 subnet establishing connection to hosts on other vlans

ACL "out" for Vlan1  refers to other vlans hosts establishing connection to hosts on the 10.10.1.0 subnet

so "in" means INSIDE rules and "out" means OUTSIDE rules (rather than going in and going out)

Correct?

This explains my error and the blocking of traffic! IIRC this is the "opposite" to iptables where there are INPUT and OUTPUT chains...

Anyway it means that my original config needs reversing...

It also sounds like I have not considered internet traffic... I need to add an allow to the internet gateway in vlan1 and 3's in ACLs - correct?

I'll rewrite and post for comments...

(edit - here's the reworked config)

interface Vlan1
ip address 10.10.1.1 255.255.255.0
ip access-group ACLVLAN1IN in
ip access-group ACLVLAN1OUT out
!
interface Vlan2
ip address 10.10.2.1 255.255.255.0
ip access-group ACLVLAN2IN in
ip access-group ACLVLAN2OUT out
!
interface Vlan3
ip address 10.10.3.1 255.255.255.0
ip access-group ACLVLAN3IN in
ip access-group ACLVLAN3OUT out
!
ip default-gateway 10.10.98.3
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.98.3
!
ip access-list extended ACLVLAN1IN
permit tcp any any established
permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
permit ip 10.10.1.0 0.0.0.255 10.10.99.3 0.0.0.0
permit udp any any eq bootpc
permit udp any any eq bootps
ip access-list extended ACLVLAN1OUT
permit tcp any any established
permit udp any any eq bootpc
permit udp any any eq bootps
ip access-list extended ACLVLAN2IN
permit tcp any any established
permit udp any any eq bootpc
permit udp any any eq bootps
ip access-list extended ACLVLAN2OUT
permit tcp any any established
permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
permit udp any any eq bootpc
permit udp any any eq bootps
ip access-list extended ACLVLAN3IN
permit tcp any any established
permit ip 10.10.3.0 0.0.0.255 10.10.99.3 0.0.0.0
ip access-list extended ACLVLAN3OUT
permit tcp any any established
permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255

Thanks,

MPA

Here's the reworked config...

interface Vlan1
ip address 10.10.1.1 255.255.255.0
ip access-group ACLVLAN1IN in
ip access-group ACLVLAN1OUT out
!
interface Vlan2
ip address 10.10.2.1 255.255.255.0
ip access-group ACLVLAN2IN in
ip access-group ACLVLAN2OUT out
!
interface Vlan3
ip address 10.10.3.1 255.255.255.0
ip access-group ACLVLAN3IN in
ip access-group ACLVLAN3OUT out
!
ip default-gateway 10.10.98.3
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.98.3
!
ip access-list extended ACLVLAN1IN
permit tcp any any established
permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
permit ip 10.10.1.0 0.0.0.255 10.10.99.3 0.0.0.0
permit udp any any eq bootpc
permit udp any any eq bootps
ip access-list extended ACLVLAN1OUT
permit tcp any any established
permit udp any any eq bootpc
permit udp any any eq bootps
ip access-list extended ACLVLAN2IN
permit tcp any any established
permit udp any any eq bootpc
permit udp any any eq bootps
ip access-list extended ACLVLAN2OUT
permit tcp any any established
permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
permit udp any any eq bootpc
permit udp any any eq bootps
ip access-list extended ACLVLAN3IN
permit tcp any any established
permit ip 10.10.3.0 0.0.0.255 10.10.99.3 0.0.0.0
ip access-list extended ACLVLAN3OUT
permit tcp any any established
permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255

Thanks

MPA

MPA

It does get a bit complicated. Your revised config still have issues that need to be resolved. First let me identify some specific issues in the reworked ACLs and then I would like to suggest a somewhat different way to approach config of the ACLs.

- the in acl for vlan 1does permit hosts in vlan 1 to go to vlan 2, 3, and 99. But it does not mention any other destinations. Remembering the implied deny ip any any at the end of the acl this means that any traffic to outside will be denied.

- the in acl for vlan 2 does not have a permit to go to either vlan 1, vlan 99, or outside. Remembering the implied deny ip any any means to traffic for those destinations will be denied.

- the out acl for vlan 1 permits tcp established and DHCP but not anything else. So any traffic from vlan 2, vlan 3, vlan 99, or outside will not be permitted.  

Here are a couple of suggestions of different ways to think about using the ACLs.

- do you really need an in and an out on each interface? If you have prevented vlan 2 communicating to vlan 3 with an in ACL for vlan 2 do you really need to have it denied with an out ACL for vlan 3? Is it sufficient to have an in ACL for each vlan?

- if you want to permit some specific inter vlan traffic, and want to deny other specific  inter vlan traffic, and then want to permit traffic to outside could you achieve this by beginning your ACL with a deny for the specific inter vlan traffic that you do not want to occur and then have a permit ip any any?

HTH

Rick

Hi Rick,

So you're stating that I've done ACL-overkill and should select either the in or out to secure and that I may have got the rule wrong for "internet traffic"

However "the out acl for vlan 1 permits tcp established and DHCP but not anything else. So any traffic from vlan 2, vlan 3, vlan 99, or outside will not be permitted. " - I think that you have described the desired effect - no vlan can establish comms with vlan1 but vlan1 can establish comms with the others.

In order to secure the internet gateway - ie permit & deny vlans internat access - have I to secure the gateway IP or the destination address - I have added Vlan98 - the vlan on which the gateway host resides - have I got the ACLs right now?

Here's the (re)reworked config...

interface Vlan1
ip address 10.10.1.1 255.255.255.0
ip access-group ACLGENERICDHCPIN in
ip access-group ACLVLAN1OUT out
!
interface Vlan2
ip address 10.10.2.1 255.255.255.0
ip access-group ACLGENERICDHCPIN in
ip access-group ACLVLAN2OUT out
!
interface Vlan3
ip address 10.10.3.1 255.255.255.0
ip access-group ACLGENERICIN in
ip access-group ACLVLAN3OUT out

!

interface Vlan98
ip address 10.10.98.1 255.255.255.0
ip access-group ACLGENERICIN in
ip access-group ACLVLAN98OUT out
!

!
ip default-gateway 10.10.98.3
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.98.3
!
ip access-list extended ACLVLAN1OUT
permit tcp any any established
permit udp any any eq bootpc
permit udp any any eq bootps
ip access-list extended ACLVLAN2OUT
permit tcp any any established
permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
permit udp any any eq bootpc
permit udp any any eq bootps
ip access-list extended ACLVLAN3OUT
permit tcp any any established
permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255

ip access-list extended ACLGENERICIN
permit ip any any

ip access-list extended ACLGENERICDHCPIN
permit ip any any

permit udp any any eq bootpc
permit udp any any eq bootps

! - INTERNET GATEWAY VLAN

ip access-list extended ACLVLAN98OUT
permit tcp any any established
permit ip 10.10.1.0 0.0.0.255 10.10.99.0 0.0.0.255

permit ip 10.10.3.0 0.0.0.255 10.10.99.0 0.0.0.255

!-- AND or OR

permit ip 10.10.1.0 0.0.0.255 any

permit ip 10.10.3.0 0.0.0.255 any

Thanks yet again

MPA

MPA

Your statement "I think that you have described the desired effect - no vlan can establish comms with vlan1 but vlan1 can establish comms with the others." reflects a common misunderstanding about how ACL works. This describes devices that do stateful inspection like an ASA does. When we permit something to initiate a connection we automatically allow responses to come back. But IOS routers do not perform stateful inspection. If the out ACL does not have permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255 Then any packet with source address 10.10.2.x will be denied - does not matter whether it is an attempt to open a connection or an attempt to respond to a connection opened from vlan 1.

For the ACL on the gateway interface you definitely do not want

permit ip 10.10.1.0 0.0.0.255 10.10.99.0 0.0.0.255

permit ip 10.10.3.0 0.0.0.255 10.10.99.0 0.0.0.255

and do want

permit ip 10.10.1.0 0.0.0.255 any

permit ip 10.10.3.0 0.0.0.255 any

I would also comment about having ACL that has only permit ip any any like this one

ip access-list extended ACLGENERICIN
permit ip any any

You would achieve the same result (and have lower processing overhead) if you remove the access-group from the interface.

HTH

Rick

Hi Rick

Right it feels like we're nearly there! :-)

Drop the permit any ACL as no ACL is permit any any... errr anyway.

I understand that you have to have a specific rule for each outside interface - but I'm a little confused...

Does the "tcp any any established" not function in the way I'm intending or as the docs set my expectation? As the Vlan1 out has this "established" rule in place and the vlan2 permits traffic from vlan1 - does this not mean that vlan1 can send packets to vlan2 and vlan2 can only send packets "from an established connection" back to vlan1?

I might be laboring a point here but I am genuinely confused.

Thanks again,

MPA

MPA

you are correct about using permit tcp any any established. It does permit response to something initiated from that subnet. The important thing to understand that it works only for tcp. Other IP protocols, such as UDP or ICMP do not work.

At the risk of adding significant complexity to the effort I will mention that you might look at using reflexive access lists. That is about as close to stateful inspection as an IOS router or switch can get.

HTH

Rick

Hi Rick,

Sorry for the tardy reply...

OK I'l review Reflexive Access Lists as per your suggestion - thanks.

So where we are now... in addition to the "ip permit" rules which enable traffic to be accepted from other vlans, and the "tcp established" rule which enables established tcp to pass into a vlan - I need to add rules for any UDP traffic...

I have made a list of rules for the outside vlan interface (in addition to the DHCP rules already present) for the following services: ICMP, DNS and TFTP

These services are provided by host 10.10.98.5 in vlan 98.

therefore all vlan outsides (excepr vlan 98) should have the following added:

!IMAP

permit icmp any any echo-reply

!DNS

permit udp any any eq domain

permit udp any eq domain any

permit tcp any any eq domain

permit tcp any eq domain any

!TFTP

permit udp any eq 69 any

The vlan 98 has the following additions:

!IMAP

permit icmp any any echo-reply

!DNS

permit udp any 10.10.98.5 0.0.0.255 eq domain

permit udp  10.10.98.5 0.0.0.255 eq domain any

permit tcp any 10.10.98.5 0.0.0.255 eq domain

permit tcp  10.10.98.5 0.0.0.255 eq domain any

!TFTP

permit udp any 10.10.98.5 0.0.0.255 eq 69

Correct?

Thanks again,

MPA

MPA

So far looks good.

HTH

Rick