cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1196
Views
35
Helpful
10
Replies

acl

dlee_gmail
Level 1
Level 1

hi! i've some questions on applying acl.

scenario:

vlan 10 (Office network) 192.168.10.x

vlan 20 (Internet transition netowrk) 192.168.20.x

vlan 30 (Manufacuting network) 192.168.30.x

vlan 40 (Server network) 192.168.40.x

vlan50 (WAN Network) 192.168.50.x

I've 5 vlans in my network. My objectives are to:

Vlan30

-----------

-No internet Access

-Only citrix svr and dns access through WAN VLan and Svr Vlan

-Deny all other traffic

What's the simpliest way to achive my objective? Is there a way for me to apply the acl only in vlan30? or must i apply the acl in all other vlans through inbound acl just to achive my objective eg. access-list 100 deny 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255, access-list 100 permit any any in vlan20 just to block internet traffic from going into vlan30. I'm trying to minimize the impact of acl in other vlan. We do not have restriction in other vlan except for vlan30.

Pls advise. Thks.

10 Replies 10

Nagaraja Thanthry
Cisco Employee
Cisco Employee

Hello,

You just need to apply the ACL on VLAN 30.

access-list 101 permit udp any any eq 53

access-list 101 permit tcp any any eq 53

access-list 101 permit ip any host

access-list 101 deny ip any any

interface vlan 30

ip access-group 101 in

exit

You can also use VLAN access-map if you want to block the traffic at VLAN level.

Hope this helps.

Regards,

NT

hi! Thks for the reply. So far my concept of ACL (In an SVI setup) is to apply only inbound acl in the vlan interfaces with the src as network of the vlan  interface itself.

As mentioned, i only want to restrict access to the manufacturing vlan, if possible i do not want to apply any acl in other interfaces. If i'm not wrong, the sample acl you provided is only controlling the traffic from the manufacturing vlan(30) to dest (other vlans). What if there's a need to allow or deny only certain traffic from other vlan into vlan30?

pls advise. thx.

In addition to that, my svi running on a 4506 sw is running hsrp with ospf? what port shd i be included in the acl in this case? thx

dlee_gmail wrote:

hi! Thks for the reply. So far my concept of ACL (In an SVI setup) is to apply only inbound acl in the vlan interfaces with the src as network of the vlan  interface itself.

As mentioned, i only want to restrict access to the manufacturing vlan, if possible i do not want to apply any acl in other interfaces. If i'm not wrong, the sample acl you provided is only controlling the traffic from the manufacturing vlan(30) to dest (other vlans). What if there's a need to allow or deny only certain traffic from other vlan into vlan30?

pls advise. thx.

In addition to that, my svi running on a 4506 sw is running hsrp with ospf? what port shd i be included in the acl in this case? thx

The "deny ip any any" at the end of the acl would stop return traffic so if a client in another vlan sends traffic to a client in vlan 30 the traffic would reach the client in vlan 30 but the return traffic would be blocked.

If this is not good enough ie. you must stop the traffic actually reaching the client in vlan 30 then you either need to -

1) use acls inbound on the other vlan interfaces. Make sure there is a "permit ip any any" at the end of those acls though otherwise you have cut them off from other, non vlan 30 destinations.

2) use an outbound acl on the vlan 30 interface to stop traffic entering into the vlan but then that could block return traffic to vlan 30 so you need to be very precise in what you allow in and out eg.

access-list 102 permit udp any eq 53 any

access-list 102 permit tcp any eq 53 any

access-list 102 permit host any

access-list 102 deny ip any any

OSPF does not use a port it is IP protocol 89 eg.

access-list   permit ospf any any

Jon

hi! I'm don't quite understand about what do you mean by return traffic. Is that mean when i try to ping any host in the vlan30, the packet will reach the host in there but not able to reply back? Does that mean it basically restrict access from other vlan into vlan30? or this will only work for traffic that do not need a return traffic back to the requester?

The outgoing acl you mentioned in item2, does that mean i can use it to allow eg. TCP port 123 from vlan 20 to vlan30 + block all other traffic from going into vlan30, by using the command below:

access-list 103 permit tcp 192.168.20.0 0.0.0.0.255 eq 123 any

access-list 103 deny any any

interface vlan 30
ip access-group 103 out
exit

Thx

Hi Dave,

Look at the first port on your question from NT...

He has given you the actual access-list needed.  (Though I would suggest  you apply it in the out direction)

10 access-list 101 permit udp any any eq 53

20 access-list 101 permit tcp any any eq 53

30 access-list 101 permit ip any host

40 access-list 101 deny ip any any

Let me break this down for you.

DNS uses both TCP and UDP port 53

Line 10 and 20 say we will allow 'any' device from vlan 30 to access 'any device' on TCP and UDP port 53 (this is allowing the DNS)

Line 30 says that we will allow 'any' device from vlan 30 to access the ip address of the Citrix server that you would specify as shown by NT

You can leave out line 40 as it doesn't really serve any purpose because ACLs have an inherent property of 'implicit deny'.

Now go ahead and apply this acl on interface vlan 30 as

ip access-group 101 out

Please let me know if this helps clarify the situation or if I have misunderstood the issue.

hi! I'm don't quite understand about what do you mean by return traffic. Is that mean when i try to ping any host in the vlan30, the packet will reach the host in there but not able to reply back? Does that mean it basically restrict access from other vlan into vlan30? or this will only work for traffic that do not need a return traffic back to the requester?

You have an acl applied inbound on vlan 30. That acl will be applied to -

1) connections that comes from the clients in vlan 30 to any devices outside vlan 30 ie. the connections are initiated from a client in vlan 30

and

2) traffic coming from clients in vlan 30 in response to a connection initiated by a device outside vlan 30 ie. this is return traffic. The connection was not started by a client in vlan 30 rather the connection was started by a device outside vlan 30 to a client in vlan 30 but the client in vlan 30 still needs to send the response back and an inbound acl will apply to this traffic as well.

Where it would not stop traffic is if a connection is sent into vlan 30 that needed no response and this can happen with UDP traffic for example. If you want to stop all traffic going into vlan 30 then you need to see my previous post.

Jon

hi! What's the different between specifying the port number 53 in the src and dest? Is that a rule to say that for inbound acl the port number shd be specify in the dest part of the acl and for outbound acl, the port number must be in the src of the acl? Don't quite understand about this part. Can elaborate on this part? thx.

access-list 101 permit udp any any eq 53

access-list 101 permit tcp any any eq 53

access-list 101 permit ip any host

access-list 101 deny ip any any

interface vlan 30

ip access-group 101 in

exit

--------------------------------------------------------------------

access-list 102 permit udp any eq 53 any

access-list 102 permit tcp any eq 53 any

access-list 102 permit host any

access-list 102 deny ip any any

interface vlan 30

ip access-group 102 out

exit

access-list 101 permit tcp any any eq 80

access-list 102 permit tcp any eq 80 any

vlan = vlan 30

If you applied these acls inbound on the vlan interface then -

1) acl 101 would allow clients in vlan to connect to any server with a destination port of port 80 ie. a web server.

2) acl 102 would allow any web servers on vlan 30 to send traffic out of vlan 30 to any remote device

so in effect with acl 101 the web server is remote ie. not in vlan 30 whereas with acl 102 the web server is in vlan 30

if you applied these acls outbound on the vlan 30 interface 

1) acl 101 would allow any remote clients to connect to a web server on vlan 30

2) acl 102 would allow any remote webserver to send traffic to clients on vlan 30

Jon

Just to add on to what Jon has said....

Let us say that you have a webserver W on the inside.

W-------Router----(internet)

When anybody in the internet is connecting to the webserver W, they would need to use a destination port of 80(http) or 443(https).

But it is also important for you to understand that when the web server it communicating out into the internet it would have a random source port number and not necessarily 80.

This is because the source port number for traffic initiated by a web server does not need to be 80 and could be any value.

We want to generally focus on the destination port number when traffic is trying to reach a specific server.

hi! with acl applied, is there any port or protocol required to be opened for static or default route? thx

Review Cisco Networking for a $25 gift card