Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1934
Views
40
Helpful
11
Replies

ACL not working as intended

Go to solution
Mark Alexander
Level 1
Level 1

‎10-16-2020 10:20 AM

I created a new network within our organization that has an entire new /8 and is linked between a routing protocol adjacency between this new network and the backbone area. This new /8 called for a wireless guest network that would only need access to the firewall(internet) along with being able to pull an IP from our DHCP server and DNS services. The new network in this case is 10.20.0.0 /16 and the specific network for the guest Wi-Fi is 10.20.20.0 /24 on VLAN 20. The following is the ACL configured for this case. This ACL is intended to only reach the internet and deny all traffic within our LAN. However I am still able to ping networked devices despite inputting a deny all ICMP traffic. Along with that this VLAN still has access to said network devices. Any thoughts and suggestions?

 

permit ip 10.20.20.0 0.0.0.255 host 192.168.0.4                     (Firewall)
permit ip 10.20.20.0 0.0.0.255 host 192.168.250.18               (DNS)
permit ip 10.20.20.0 0.0.0.255 host 128.1.99.1                       (DHCP)
deny ip 10.20.20.0 0.0.0.255 10.0.0.0 0.255.255.255             (LAN)
deny ip 10.20.20.0 0.0.0.255 192.0.0.0 0.255.255.255           (LAN)
deny ip 10.20.20.0 0.0.0.255 172.0.0.0 0.255.255.255           (LAN)
deny ip 10.20.20.0 0.0.0.255 128.0.0.0 0.255.255.255           (LAN)
deny icmp any any
permit ip any any

1 Accepted Solution

Accepted Solutions

Go to solution
Aref Alsouqi
VIP
VIP

‎10-16-2020 11:52 AM

Where did you apply that ACL? on the switch or on the WLC for that WLAN?, if on the switch, in which direction?

Also, some notes here:

- You don't need to allow the guest traffic destined to the firewall itself.

- The DNS rules should be locked down to port 53/udp.

- The DHCP rule you configured would not work for DHCP DORA, you should remove that and replace it with permit udp any eq bootpc any eq bootps, or more specific permit udp host 0.0.0.0 eq boopc host 255.255.255.255 eq bootps. For the DHCP IP renewal, you can configure permit udp 10.20.20.0 0.0.0.255 eq bootpc host 128.1.99.1 eq bootps. Reason why the one you configured would not work for DHCP DORA is because when the client first time tries to get an IP, it sources with 0.0.0.0, and the DHCP request will be broadcasted to the IP 255.255.255.255. However, when the client tries to renew its IP address, it would source from its IP address which will be within the subnet 10.20.20.0/24, and will send the renewal request to the DHCP server IP as unicast.

- You should deny the traffic to all RFC1918 range, in addition to any custom subnet/range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

Another thing I would recommend is to connect a dedicated interface of the firewall to the switch, and place it within the guest VLAN20, and remove the VLAN20 SVI, so no routing will happen at the switches level between VLAN20 and the other VLANs. The security policies in this case should be shifted to the firewall. If there are no enough interfaces on the firewall to dedicate one, you can create a subinterface.

View solution in original post

11 Replies 11

Go to solution
MHM Cisco World
VIP
VIP

‎10-16-2020 10:44 AM

There is any WLC ? 

Go to solution
Mark Alexander
Level 1
Level 1
In response to MHM Cisco World

‎10-16-2020 11:31 AM

Yes we do have a controller for our wireless network. 

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP

‎10-16-2020 11:52 AM

Where did you apply that ACL? on the switch or on the WLC for that WLAN?, if on the switch, in which direction?

Also, some notes here:

- You don't need to allow the guest traffic destined to the firewall itself.

- The DNS rules should be locked down to port 53/udp.

- The DHCP rule you configured would not work for DHCP DORA, you should remove that and replace it with permit udp any eq bootpc any eq bootps, or more specific permit udp host 0.0.0.0 eq boopc host 255.255.255.255 eq bootps. For the DHCP IP renewal, you can configure permit udp 10.20.20.0 0.0.0.255 eq bootpc host 128.1.99.1 eq bootps. Reason why the one you configured would not work for DHCP DORA is because when the client first time tries to get an IP, it sources with 0.0.0.0, and the DHCP request will be broadcasted to the IP 255.255.255.255. However, when the client tries to renew its IP address, it would source from its IP address which will be within the subnet 10.20.20.0/24, and will send the renewal request to the DHCP server IP as unicast.

- You should deny the traffic to all RFC1918 range, in addition to any custom subnet/range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

Another thing I would recommend is to connect a dedicated interface of the firewall to the switch, and place it within the guest VLAN20, and remove the VLAN20 SVI, so no routing will happen at the switches level between VLAN20 and the other VLANs. The security policies in this case should be shifted to the firewall. If there are no enough interfaces on the firewall to dedicate one, you can create a subinterface.

Go to solution
Mark Alexander
Level 1
Level 1
In response to Aref Alsouqi

‎10-16-2020 12:58 PM - edited ‎10-16-2020 12:58 PM

This ACL is applied on the switch, VLAN 20 interface going IN. I did not think about those concepts with a DHCP get request, so thank you for showing me that. I will have that edited as well. 

Go to solution
Aref Alsouqi
VIP
VIP
In response to Aref Alsouqi

‎10-18-2020 09:04 AM

You welcome. If the wireless traffic is routed locally without hitting the switch, then the ACL should be applied to the WLC to that specific WLAN. I think you would also need to apply it to the Flexconnect policy in use.

Go to solution
Mark Alexander
Level 1
Level 1
In response to Aref Alsouqi

‎10-19-2020 06:30 AM

In this case the AP's are directly connected to the 9000 series switch which is acting as the multilayer switch for that specific network. However it is managed by the wireless controller on the backbone side of our network. Would I still need to apply this ACL to WLC? 

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to Mark Alexander

‎10-19-2020 06:44 AM

Almost always you would have the APs connected to a switch, not directly to the WLC. Yes, you would still need to apply the ACL to the WLC.

Go to solution
Mark Alexander
Level 1
Level 1
In response to Aref Alsouqi

‎10-19-2020 10:34 AM

These two APs in this case are using FlexConnect so would I need to apply this ACL to the VLAN interface or the physical interface?

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to Mark Alexander

‎10-19-2020 03:57 PM

To the WLAN and to the Flexconnect policy.

Go to solution
MHM Cisco World
VIP
VIP

‎10-16-2020 01:35 PM

The AP to WLC use CAPWAP tunnel with ip address of the AP and destination IP address of WLC.
this tunnel is pass through the SW so even if there is ACL it don't detect the traffic inside the tunnel.
NOW from WLC to SW....
here we will config the ACL i.e. the port connect the WLC to SW with IN direction,
here the traffic after pass WLC the WLC will remove the tunnel head and re-forward it SW with traffic without the tunnel head and ACL can work here to permit or deny the traffic to other subnet and to internet.  

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP

‎10-19-2020 04:02 PM

Let me know if you want me to send a couple of screenshots where it should be applied, I can do that tomorrow.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card