access query

suthomas1
Level 6

My setup is as shown:

various vlans  --- Switch 4500 --- Firewall ---- internet

The VLANs that exist are users, print, wifi, general and services. The services VLAN has the domain server for DNS and Active Directory.

The requirements for this are:

a. The general VLAN should not be able to access the internet or the users VLAN.

b. Only the wifi, users and services VLANs should be able to access the internet.

    (The services VLAN has the DNS server.)

The IP scheme is:

users vlan - 10.10.1.0 /24

print - 10.10.2.0/24

wifi - 10.10.3.0/24

general - 10.10.4.0/24

services - 10.10.5.0/24

How should ACLs be used to fulfill the requirements? To control internet access, would it be enough to use the following ACL on, e.g., the users VLAN:

ip access-list ext users
 remark /24 networks take a 0.0.0.255 wildcard (0 = must match, 1 = don't care)
 permit ip 10.10.1.0 0.0.0.255 10.10.4.0 0.0.0.255
 deny ip any any

c. In the above ACL for users, if this is applied to the user interface and a user tries to ping his own gateway 10.10.1.1, will it succeed, and how about the user's access within his own VLAN?

Also, is it best to permit the required part and deny all else, or vice versa?

Thanks in advance.


Latchum Naidu
VIP Alumni

Hi,

Your approach to achieve what you want looks fine, more or less.
And I take it you need the general VLAN to not access the internet but to access all the others, is that right?

ip access-list ext general
 remark first-match ACL: permit the needed destination networks, then deny everything else
 permit ip any 10.10.4.0 0.0.0.255
 permit ip any 10.10.3.0 0.0.0.255
 permit ip any 10.10.2.0 0.0.0.255
 permit ip any 10.10.5.0 0.0.0.255
 deny ip any any

ip access-list ext users
 permit ip 10.10.1.0 0.0.0.255 10.10.4.0 0.0.0.255
 deny ip any any


c. In the above ACL for users, if this is applied to the user interface and a user tries to ping his own gateway 10.10.1.1, will it succeed, and how about the user's access within his own VLAN?
Yes, users in VLAN 10.10.1.0 will be able to access everything in this network, the default gateway included of course.

Also, is it best to permit the required part and deny all else, or vice versa?
That is what I gave in my example for the general VLAN; best practice is to permit the required networks and deny everything else (deny any any).

That's it, you will be fine.

Please rate the helpful posts.
Regards,
Naidu.

Thanks Naidu.

In the below ACL, I wanted users to access the internet only and deny everything else. The reason I put 10.10.4.x was that this segment belongs to services, which has the DNS servers. Would the below one-line ACL be enough for users 10.10.1.x to access the internet using only the DNS servers?

ip access-list ext users
 remark /24 networks take a 0.0.0.255 wildcard (0 = must match, 1 = don't care)
 permit ip 10.10.1.0 0.0.0.255 10.10.4.0 0.0.0.255
 deny ip any any

Thanks

Hi,

Would the below one-line ACL be enough for users 10.10.1.x to access the internet using only the DNS servers?
The ACL as defined is to access 10.10.1.x to 10.10.4.x only.
And it is not possible to access the internet via the DNS server.
It is only there to translate the name to an IP, that's it.

When you want access to the internet from a specific VLAN there must be a default route, which is "permit any any".

Please rate the helpful posts.
Regards,
Naidu.

Thanks again. Yes, the default route points to the firewall.

So to access the internet, is it necessary to have a broad permit any any, or can it be made more specific given that we only have a default route out?

Hi,

Yes, usually it will be like "permit any any" when you need internet access for any specific VLAN.
Because we don't know what all that unknown traffic (internet) is.

Please rate the helpful posts.
Regards,
Naidu.

Hi,

And you may need to block some sites, say Facebook or YouTube, which may cause more bandwidth usage.

In that case you may need to do it like below...

ip access-list ext users
 remark ACL is first-match: the specific denies must come before the permit any any
 deny ip any facebook-ip/network
 deny ip any youtube-ip/network
 permit ip any any

Hope you got your answer.
I would request you to rate all the helpful posts so that it will encourage others throughout the community. THANKS

Please rate the helpful posts.
Regards,
Naidu.
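The two ACL points raised in this thread, the wildcard mask and the first-match order, can be checked offline. This is an added example written for this page, not code from the thread or from Cisco: a small evaluator of IOS-style extended ACEs with Cisco wildcard semantics and the implicit trailing deny. The ACL texts are constructed for the demonstration; 198.51.100.0/24 (TEST-NET-2) and 203.0.113.7 (TEST-NET-3) stand in for the "site to block" placeholder and for an internet host.

```python
import ipaddress

# Constructed ACL texts for the demonstration (not copied from a real device).
# The first is the users ACL as it appeared earlier in the thread (/24 written
# with a 0.255.255.255 wildcard), the second the same ACL with a /24 wildcard.
USERS_ACL_AS_POSTED = """permit ip 10.10.1.0 0.255.255.255 10.10.4.0 0.255.255.255
deny ip any any"""
USERS_ACL_FIXED = """permit ip 10.10.1.0 0.0.0.255 10.10.4.0 0.0.0.255
deny ip any any"""
# 198.51.100.0/24 (TEST-NET-2) stands in for the "site to block" placeholder.
PERMIT_FIRST = """permit ip any any
deny ip any 198.51.100.0 0.0.0.255"""
DENY_FIRST = """deny ip any 198.51.100.0 0.0.0.255
permit ip any any"""


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _operand(tokens):
    # 'any' is shorthand for 0.0.0.0 255.255.255.255
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]


def evaluate(acl_text, src, dst):
    """Return the action of the first ACE matching src/dst, else the implicit deny."""
    for line in acl_text.strip().splitlines():
        tokens = line.split()
        action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol ('ip')
        (sb, sw), rest = _operand(rest)
        (db, dw), _ = _operand(rest)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"  # every IOS ACL ends with an implicit deny


if __name__ == "__main__":
    print(evaluate(USERS_ACL_AS_POSTED, "10.10.1.5", "10.10.2.9"))  # permit (mask too loose)
    print(evaluate(USERS_ACL_FIXED, "10.10.1.5", "10.10.2.9"))      # deny
    print(evaluate(USERS_ACL_FIXED, "10.10.1.5", "10.10.4.20"))     # permit
    print(evaluate(USERS_ACL_FIXED, "10.10.1.5", "203.0.113.7"))    # deny: no path to the internet
    print(evaluate(PERMIT_FIRST, "10.10.1.5", "198.51.100.20"))     # permit: the deny is never reached
    print(evaluate(DENY_FIRST, "10.10.1.5", "198.51.100.20"))       # deny
```

The loose 0.255.255.255 wildcard compares only the first octet, so the "users to services" line actually permits any 10.x.x.x host to reach any other 10.x.x.x host; and once a permit any any is hit, later denies are dead entries.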

Thanks. To understand internet access better: if a user tries to access a website over the internet, how does the DNS resolution travel to and from this particular user IP? Is it done directly between the user and the site, or is the request handed over to the local DNS server (in this scenario, the user PC has the local DNS IPs entered) and then taken by the DNS server to the internet and returned back to the user?

Hi,

If the PCs are Windows, then first the content of the hosts file is merged with the cached DNS replies, and the PC first looks into this cache (seen with ipconfig /displaydns). If there is no entry for the FQDN it is searching the IP for, it will ask its first configured DNS server. The local DNS server, if it is a caching server, will look into its cache, and if it finds no entry it will first send a query to one of the root servers. When it receives which DNS server to contact for the TLD, it will send the request to this server, which will reply with another server responsible for the zone the domain is in, and so forth until it gets the reply to the host's original request. It then caches it and sends the reply to the host, which also caches it.

Regards.

Alain

Don't forget to rate helpful posts.