ACL not working as intended

Mark Alexander (Beginner)

I created a new network within our organization that has an entire new /8 and is linked by a routing protocol adjacency between this new network and the backbone area. This new /8 called for a wireless guest network that would only need access to the firewall (internet), along with being able to pull an IP from our DHCP server and DNS services. The new network in this case is 10.20.0.0/16, and the specific network for the guest Wi-Fi is 10.20.20.0/24 on VLAN 20. The following is the ACL configured for this case. This ACL is intended to only reach the internet and deny all traffic within our LAN. However, I am still able to ping networked devices despite inputting a deny for all ICMP traffic. Along with that, this VLAN still has access to said network devices. Any thoughts and suggestions?

permit ip 10.20.20.0 0.0.0.255 host 192.168.0.4            (Firewall)
permit ip 10.20.20.0 0.0.0.255 host 192.168.250.18         (DNS)
permit ip 10.20.20.0 0.0.0.255 host 128.1.99.1             (DHCP)
deny ip 10.20.20.0 0.0.0.255 10.0.0.0 0.255.255.255        (LAN)
deny ip 10.20.20.0 0.0.0.255 192.0.0.0 0.255.255.255       (LAN)
deny ip 10.20.20.0 0.0.0.255 172.0.0.0 0.255.255.255       (LAN)
deny ip 10.20.20.0 0.0.0.255 128.0.0.0 0.255.255.255       (LAN)
deny icmp any any
permit ip any any

Accepted Solution

Aref Alsouqi (Collaborator)

Where did you apply that ACL, on the switch or on the WLC for that WLAN? If on the switch, in which direction?

Also, some notes here:

- You don't need to allow the guest traffic destined to the firewall itself.

- The DNS rules should be locked down to port 53/udp.

- The DHCP rule you configured would not work for DHCP DORA; you should remove that and replace it with permit udp any eq bootpc any eq bootps, or, more specifically, permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps. For the DHCP IP renewal, you can configure permit udp 10.20.20.0 0.0.0.255 eq bootpc host 128.1.99.1 eq bootps. The reason the one you configured would not work for DHCP DORA is that when the client tries to get an IP for the first time, it sources from 0.0.0.0, and the DHCP request is broadcast to the IP 255.255.255.255. However, when the client tries to renew its IP address, it sources from its own IP address, which will be within the subnet 10.20.20.0/24, and sends the renewal request to the DHCP server IP as unicast.

- You should deny the traffic to all RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), in addition to any custom subnet/range.

Another thing I would recommend is to connect a dedicated interface of the firewall to the switch, place it within the guest VLAN 20, and remove the VLAN 20 SVI, so no routing will happen at the switch level between VLAN 20 and the other VLANs. The security policies in this case should be shifted to the firewall. If there are not enough interfaces on the firewall to dedicate one, you can create a subinterface.


11 Replies

MHM Cisco World (Advisor)

Is there any WLC?

Yes, we do have a controller for our wireless network.

This ACL is applied on the switch, on the VLAN 20 interface, going IN. I did not think about those concepts with a DHCP get request, so thank you for showing me that. I will have that edited as well.

You're welcome. If the wireless traffic is routed locally without hitting the switch, then the ACL should be applied on the WLC to that specific WLAN. I think you would also need to apply it to the FlexConnect policy in use.

In this case the APs are directly connected to the 9000 series switch, which is acting as the multilayer switch for that specific network. However, it is managed by the wireless controller on the backbone side of our network. Would I still need to apply this ACL to the WLC?

Almost always you would have the APs connected to a switch, not directly to the WLC. Yes, you would still need to apply the ACL to the WLC.

These two APs in this case are using FlexConnect, so would I need to apply this ACL to the VLAN interface or the physical interface?

To the WLAN and to the FlexConnect policy.

MHM Cisco World (Advisor)

The AP-to-WLC traffic uses a CAPWAP tunnel with the source IP address of the AP and the destination IP address of the WLC.
This tunnel passes through the switch, so even if there is an ACL, it does not see the traffic inside the tunnel.
Now, from the WLC to the switch:
here is where we configure the ACL, i.e. on the port connecting the WLC to the switch, in the IN direction.
After the traffic passes the WLC, the WLC removes the tunnel header and forwards it to the switch without the tunnel header, so the ACL can work here to permit or deny the traffic to other subnets and to the internet.
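The following is an added example, not code from this thread or from Cisco: a small Python model of IOS first-match ACL evaluation (wildcard masks, host/any, eq port qualifiers, implicit deny at the end of the list). It runs the list from the original post and a list written from the accepted answer's notes over a few constructed sample flows, and then illustrates the CAPWAP point above by wrapping a guest ping in a CAPWAP-style outer header and evaluating the outer and inner packets separately. The client, AP and WLC addresses, the sample flows, and the ordering and final entry of the revised list are assumptions of the example; the model ignores established, log, object groups and other IOS ACL features.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}
CAPWAP_DATA_PORT = 5247  # CAPWAP data channel; control uses 5246

@dataclass
class Packet:
    proto: str                        # "icmp", "udp" or "tcp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    inner: Optional["Packet"] = None  # encapsulated packet when this is a tunnel header

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def _addr(tokens, i):
    """Consume 'any', 'host X' or 'X WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def _port(tokens, i):
    """Consume an optional 'eq PORT' qualifier (number or a name from PORT_NAMES)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i

def parse_ace(line):
    """Parse one entry of the form ACTION PROTO SRC [eq P] DST [eq P]."""
    tokens = line.split()
    src, i = _addr(tokens, 2)
    sport, i = _port(tokens, i)
    dst, i = _addr(tokens, i)
    dport, i = _port(tokens, i)
    return {"action": tokens[0], "proto": tokens[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}

def evaluate(acl, pkt):
    """Top-down, first match wins; returns (action, matching entry). Implicit deny at the end."""
    for ace in map(parse_ace, acl):
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])):
            continue
        if ace["sport"] is not None and ace["sport"] != pkt.sport:
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "(implicit deny)"

def capwap_encapsulate(inner, ap_ip, wlc_ip):
    """What a switch between AP and WLC sees: an outer UDP flow from the AP to the WLC."""
    return Packet("udp", ap_ip, wlc_ip, CAPWAP_DATA_PORT, CAPWAP_DATA_PORT, inner=inner)

# The list from the original post, annotations removed.
ORIGINAL_ACL = [
    "permit ip 10.20.20.0 0.0.0.255 host 192.168.0.4",
    "permit ip 10.20.20.0 0.0.0.255 host 192.168.250.18",
    "permit ip 10.20.20.0 0.0.0.255 host 128.1.99.1",
    "deny ip 10.20.20.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "deny ip 10.20.20.0 0.0.0.255 192.0.0.0 0.255.255.255",
    "deny ip 10.20.20.0 0.0.0.255 172.0.0.0 0.255.255.255",
    "deny ip 10.20.20.0 0.0.0.255 128.0.0.0 0.255.255.255",
    "deny icmp any any",
    "permit ip any any",
]
# A list built from the accepted answer's notes; ordering and the last entry are this example's choices.
REVISED_ACL = [
    "permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps",
    "permit udp 10.20.20.0 0.0.0.255 eq bootpc host 128.1.99.1 eq bootps",
    "permit udp 10.20.20.0 0.0.0.255 host 192.168.250.18 eq 53",
    "deny ip 10.20.20.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "deny ip 10.20.20.0 0.0.0.255 172.16.0.0 0.15.255.255",
    "deny ip 10.20.20.0 0.0.0.255 192.168.0.0 0.0.255.255",
    "deny ip 10.20.20.0 0.0.0.255 128.0.0.0 0.255.255.255",  # the poster's custom 128/8 range
    "permit ip 10.20.20.0 0.0.0.255 any",
]
# Constructed sample flows from a guest client at 10.20.20.50 (all addresses are made up).
SAMPLES = {
    "ping LAN host": Packet("icmp", "10.20.20.50", "10.1.1.10"),
    "ping internet": Packet("icmp", "10.20.20.50", "8.8.8.8"),
    "dhcp discover": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "dhcp renew": Packet("udp", "10.20.20.50", "128.1.99.1", 68, 67),
    "smb to dns server": Packet("tcp", "10.20.20.50", "192.168.250.18", 51001, 445),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} original={evaluate(ORIGINAL_ACL, pkt)[0]:6} revised={evaluate(REVISED_ACL, pkt)[0]}")
    tunnel = capwap_encapsulate(SAMPLES["ping LAN host"], "10.20.1.5", "10.0.0.20")
    print("CAPWAP outer header:", evaluate(ORIGINAL_ACL, tunnel))
    print("inner after the WLC:", evaluate(ORIGINAL_ACL, tunnel.inner))
```

Run as a script to print a per-flow comparison. Three things the output makes visible: the original list already denies the ping to a LAN host on its fourth entry, so a ping that still succeeds suggests the traffic is not being evaluated by this list where it is applied, which is the direction the replies above take; a DHCP discover sourced from 0.0.0.0 gets through the original list only via the trailing permit ip any any, whereas the revised list admits it explicitly with the bootpc/bootps entry and, because the DNS entry is restricted to udp/53, denies a TCP connection to the DNS server that the original permit ip entry lets through; and the same guest ping is permitted as outer AP-to-WLC UDP but denied once decapsulated, which is why an ACL on the AP-facing path cannot filter the wireless client traffic.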

Aref Alsouqi (Collaborator)

Let me know if you want me to send a couple of screenshots where it should be applied, I can do that tomorrow.
