ACL secure over VLAN

Hi,

I am wondering how to secure, with an ACL, access to a special VLAN in my network that is only for VOIP telephony.

My company has a VTP domain set on the router, and the VLANs are also configured on the router over subinterfaces.

So the point is to have devices in that special VLAN communicate only within that VLAN, and only two IP addresses can access that VLAN.

So I am a little worried because the telephone company can access our VOIP PBX, and I wouldn't like them to access our network over the VOIP PBX.

Actually their VOIP PBX has a separate link to the internet, and the VOIP PBX is connected to our network with a switch port assigned to that specific VLAN.

What I have done:

conf t

ip access-list extended 120

permit ip 172.30.169.0 0.0.0.127 host 172.30.160.100

permit ip 172.30.169.0 0.0.0.127 host 172.30.160.55

exit

int fasteth 0/0.20

ip access-group 120 out

end

The problem is it doesn't work like it should - machines have different results.

Like one machine doesn't have access at all to the 172.30.169.0/25 network, and other machines don't have access only to some machines from the 172.30.169.0/25 network.

I have set a similar ACL on our other site (it doesn't have subinterfaces) and it works just as I would like it to work - only two machines have access to that VLAN, and that VLAN has access only to its own VLAN.

It's configured like this:

conf t

ip access-list standard 20

permit 172.30.160.100 0.0.0.0

permit 172.30.160.55 0.0.0.0

exit

int vlan 20

ip access-group 20 out

end

What would be the best practice to secure our network? Is the ACL OK for this? And how should the ACL look to make it work 100%?


10 Replies

Jon Marshall
Hall of Fame

Dusan

With this acl -

ip access-list extended 120

permit ip 172.30.169.0 0.0.0.127 host 172.30.160.100

permit ip 172.30.169.0 0.0.0.127 host 172.30.160.55

only hosts 172.30.160.100 and 172.30.160.55 will be able to talk to the 172.30.169.0/25 network. If another host in the 172.30.160.x network tries to talk to a device in the 172.30.169.0/25 network the return traffic will be blocked because at the end of each acl there is an explicit deny and you have only allowed traffic to .100 and .55.

Your other acl works because you have used a standard acl rather than an extended acl.

If you could specify exactly what access you need both ways then we could help more.

Jon

Hi Jon,

I have also tried firstly with standard ACL and result was exactly the same.

I have also tried to make ACL on the fast ethernet 0/0 but result was no traffic was blocked at all.

I can do some screen shots to make you believe me that ACL doesn't work on all machines like it should.

As I have said I need two things:

1) No access from VLAN 20 to any network

2) Access to VLAN 20 allowed to only two IP addresses

simple as that

Okay, what IP address is assigned to fa0/0.20?

When you say some machines work and some don't, can you be more specific?

Also when you say no access from vlan 20 to any network presumably you do want to allow vlan 20 to access those 2 hosts i.e. 100 & 55.

If you don't but only want to allow access from those hosts and not to those hosts you need to use reflexive acls.

Jon

Here is the information for fa0/0.20:

interface FastEthernet0/0.20

description MA-IPtel-Vlan20

encapsulation dot1Q 20

ip address 172.30.169.125 255.255.255.128

ip access-group 120 out

ip helper-address 192.168.85.3

no snmp trap link-status

standby 20 ip 172.30.169.126

standby 20 timers 1 5

standby 20 priority 130

standby 20 preempt

standby 20 authentication 86254

Here are the print screens from 3 machines in the network:

http://imageshack.us/g/43/machine3.png/

And for the two clients, it's not necessary now to make the VLAN 20 not access those IP addresses.

I would fix it later, now I would just need to make it work like it does on the other site.

Thanks a lot for support

Dusan

Your acl is the wrong way round -

ip access-list extended 120

permit ip 172.30.169.0 0.0.0.127 host 172.30.160.100

permit ip 172.30.169.0 0.0.0.127 host 172.30.160.55

change it to -

ip access-list extended 120

permit ip host 172.30.160.100 172.30.169.0 0.0.0.127

permit ip host 172.30.160.55 172.30.169.0 0.0.0.127

Jon

Hi Jon,

I have tried both ways even before I made this post.

But I also did it once again, just as you have written - but result is same like I have presented on those screenshots.

I don't understand why it works like this?

Dusan

Are 172.30.169.3 and .5 devices within vlan 20?

Jon

Yes they are.

I figured out something.

ACL I have placed is on site #2.

Any client from any VLAN in site #2 can't access VLAN 20. I am not on site #2 but I suppose if I place laptop in VLAN 20 I couldn't access anything out from VLAN20.

Machines from site #1 have different results when they communicate with VLAN 20 from site #2.

Is this thing common?

Strangest thing of all is no user from any VLAN from site#2 can communicate with site #1 VLAN 20

I am totally confused

I was just about to write about this. You are running HSRP on that interface. Have you applied the acl to the other interface on the other L3 device that connects to vlan 20? I suspect this is the problem, i.e. some devices are being filtered because they go via the interface you have applied the acl to, and some that are going via the other interface are not being filtered.

Can you apply the same acl to the other interface for vlan 20?

Jon
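The two points settled in this thread (source and destination order in an outbound ACL, and the ACL being needed on both HSRP peers), worked through as an added example that is not part of any poster's message. It models only first-match evaluation with wildcard masks and the implicit deny; the router names R1/R2 and the host 172.30.160.77 are constructed for illustration.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.ip_address(text))

def parse_ace(line):
    """Parse 'permit|deny ip SRC DST'; each side is 'host A' or 'A WILDCARD'."""
    action, _proto, *rest = line.split()
    sides = []
    while rest:
        # 'host A' is shorthand for A with wildcard 0.0.0.0 (every bit must match)
        base, wild = (rest[1], "0.0.0.0") if rest[0] == "host" else rest[:2]
        sides.append((_ip(base), _ip(wild)))
        rest = rest[2:]
    return action, sides[0], sides[1]

def side_matches(addr, side):
    base, wildcard = side
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
    return (_ip(addr) & care) == (base & care)

def acl_permits(acl, src, dst):
    """First matching entry wins; no match means the implicit deny applies."""
    for action, s, d in acl:
        if side_matches(src, s) and side_matches(dst, d):
            return action == "permit"
    return False

def build(*lines):
    return [parse_ace(line) for line in lines]

# ACL 120 as first posted: the VLAN 20 subnet sits in the source position
ORIGINAL = build("permit ip 172.30.169.0 0.0.0.127 host 172.30.160.100",
                 "permit ip 172.30.169.0 0.0.0.127 host 172.30.160.55")
# ACL 120 as corrected in the thread: the two permitted hosts are the source
CORRECTED = build("permit ip host 172.30.160.100 172.30.169.0 0.0.0.127",
                  "permit ip host 172.30.160.55 172.30.169.0 0.0.0.127")

def delivered(src, dst, routers, via):
    """Packet leaves toward VLAN 20 through router `via`; None = no outbound ACL."""
    acl = routers[via]
    return acl is None or acl_permits(acl, src, dst)

# R1/R2 are hypothetical names for the two HSRP peers serving VLAN 20
ONE_SIDED = {"R1": CORRECTED, "R2": None}
BOTH = {"R1": CORRECTED, "R2": CORRECTED}

if __name__ == "__main__":
    vlan20_host, other = "172.30.169.3", "172.30.160.77"  # .77 is constructed
    print("original :", acl_permits(ORIGINAL, "172.30.160.100", vlan20_host))
    print("corrected:", acl_permits(CORRECTED, "172.30.160.100", vlan20_host))
    for name, routers in (("one-sided", ONE_SIDED), ("both", BOTH)):
        print(name, {r: delivered(other, vlan20_host, routers, r) for r in routers})
```

With the ACL on one peer only, the same unauthorised source is blocked through R1 and delivered through R2, which matches the inconsistent per-machine results described above.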

Yes it's working now

I forgot to mention that I am running HSRP.

I never doubted it is a problem with not placing the ACL on both routers - because from site #2 I couldn't make communication to VLAN 20 in site #1 and with just placing the ACL on the primary router in HSRP.

Many, many thanks Jon for your support!

But I have one more question.

Is the ACL only thing you would implement to secure network from telephone operator?

What would be the best thing to do - so I can say I am now sure telephone company can't access my network?
