10-02-2021 04:31 PM
I have set up ACLs to deny most traffic between VLANs on a 3750x switch (which is also acting as the inter-vlan router), however it does not seem to work at all. More specifically, I have the Servers VLAN 10 and Clients VLAN 15.
Despite the below configuration, Clients in VLAN 15 have full access to both servers in VLAN 10 (i.e. I can access the Web GUI on Server1 - 10.1.10.10 and can RDP into Server 2 - 10.1.10.11, while the ACLs do not allow that). Additionally, they can also access the Web GUI of the internet router that is on 10.1.20.1, while I believe the ACL below should not allow that.
Ideally I would only want the Clients to have access to:
a) DNS Server running on internet router (10.1.20.1)
b) Access to DHCP server running on internet router (10.1.20.1) so as to receive addresses
c) The TCP 10050 & 10051 ports on Server 10.1.10.12
And then no further access to the internal network, while being allowed to access the internet.
The configuration is as follows:
VLAN 10 (Servers): 10.1.15.0/24
VLAN 15 (Clients): 10.1.15.0/24
VLAN 20 (Internet Gateway): 10.1.20.0/24
interface Vlan10
ip address 10.1.10.1 255.255.255.0
ip access-group 110 in
ip helper-address 10.1.20.1
!
interface Vlan15
ip address 10.1.15.1 255.255.255.0
ip access-group 115 in
ip helper-address 10.1.20.1
!
interface Vlan20
ip address 10.1.20.2 255.255.255.0
!
access-list 110 permit udp 10.1.10.0 0.0.0.255 host 10.1.20.1 eq domain
access-list 110 permit udp any eq bootpc any eq bootps
access-list 110 permit udp host 10.1.10.11 host 10.1.20.1 eq 2056
access-list 110 permit udp host 10.1.10.11 host 10.1.10.1 eq 1645
access-list 110 permit udp host 10.1.10.11 host 10.1.10.1 eq 1646
access-list 110 permit udp host 10.1.10.12 host 10.1.10.1 eq snmp
access-list 110 permit udp host 10.1.10.12 host 10.1.20.1 eq snmp
access-list 110 permit tcp host 10.1.10.12 host 10.1.15.20 eq 10050
access-list 110 permit tcp host 10.1.10.12 host 10.1.15.20 eq 10051
access-list 110 permit ip 10.1.10.0 0.0.0.255 host 10.1.11.10
access-list 110 permit ip 10.1.10.0 0.0.0.255 host 10.1.11.20
access-list 110 deny ip 10.1.10.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.1.10.0 0.0.0.255 any
access-list 110 deny ip any any
!
access-list 115 permit udp 10.1.15.0 0.0.0.255 host 10.1.20.1 eq domain
access-list 115 permit udp any eq bootpc any eq bootps
access-list 115 permit tcp host 10.1.15.20 host 10.1.10.12 eq 10050
access-list 115 permit tcp host 10.1.15.20 host 10.1.10.12 eq 10051
access-list 115 deny ip 10.1.15.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 115 permit ip 10.1.15.0 0.0.0.255 any
access-list 115 deny ip any any
Is my configuration wrong? Is the latest IOS version for this switch buggy? I could post the entire configuration of the switch if need be, since this is a lab environment.
Thanks
10-02-2021 07:49 PM
VLAN 10 (Server)
subnet 10.1.10.0
the direction for ACL is IN
so the ACL must filter any packet destined to the Server subnet, BUT I see you configured the ACL to deny the source of Server !!!
That is wrong.
10-03-2021 03:24 PM - edited 10-03-2021 04:09 PM
Hello
Your ACL is applied in the correct direction, but your ACL's ACEs don't seem correct; try the following:
access-list 110 permit tcp host 10.1.10.12 any range 10050 10051
access-list 110 deny ip any 10.1.15.0 0.0.0.255
access-list 110 permit ip any any
interface Vlan10
ip address 10.1.10.1 255.255.255.0
ip access-group 110 in
access-list 115 permit tcp any host 10.1.10.12 range 10050 10051
access-list 115 deny ip any 10.1.10.0 0.0.0.255
access-list 115 permit ip any any
interface Vlan15
ip address 10.1.15.1 255.255.255.0
ip access-group 115 in
ip inspect name internet inspect tcp
ip inspect name internet inspect udp
ip inspect name internet inspect icmp
access-list 120 permit udp any any eq bootpc
access-list 120 deny ip any any
access-list 121 permit ip any any
interface Vlan20
ip address 10.1.20.2 255.255.255.0
ip inspect internet out
ip access-group 120 in
ip access-group 121 out
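As an added example that is not part of any reply in this thread: a small Python evaluator for Cisco IOS numbered extended ACL lines, applied to the original poster's ACL 115 and to the shorter ACL 115 suggested just above. It models the semantics both ACLs rely on (top-down first match, wildcard masks where set bits are "don't care", and the implicit deny at the end) and runs a few constructed client flows through each, so the intended policy can be compared with what each ACL actually states. The sample flows, port numbers and the 203.0.113.10 internet address are constructed for the example; the ACL lines are quoted from the thread.

```python
# Added example, not from the thread: a minimal evaluator for Cisco IOS
# numbered extended ACL lines. Semantics modelled: ordered first match,
# wildcard masks (set bits = don't care), implicit "deny ip any any" at the end.
import ipaddress

# Subset of the well-known port names IOS accepts in ACL syntax.
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "snmp": 161, "www": 80}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i] -> ((net, wild), next_i)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def _ports(tokens, i):
    """Parse optional 'eq P' | 'range LO HI' -> ((lo, hi) or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = _port(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return None, i


def parse_acl(text):
    """'access-list N permit|deny PROTO SRC [ports] DST [ports]' -> {N: [rules]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue  # skip anything that is not an ACE
        num, action, proto = int(t[1]), t[2], t[3]
        src, i = _addr(t, 4)
        sports, i = _ports(t, i)
        dst, i = _addr(t, i)
        dports, i = _ports(t, i)
        acls.setdefault(num, []).append({"action": action, "proto": proto,
                                         "src": src, "sports": sports,
                                         "dst": dst, "dports": dports,
                                         "text": line.strip()})
    return acls


def _addr_match(spec, addr):
    net, wild = spec  # OR-ing the wildcard masks out the don't-care bits
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)


def _port_match(spec, port):
    return spec is None or spec[0] <= port <= spec[1]


def evaluate(rules, proto, src, dst, sport=0, dport=0):
    """Return (verdict, matching ACE text); no match hits the implicit deny."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if (_addr_match(r["src"], src) and _addr_match(r["dst"], dst)
                and _port_match(r["sports"], sport)
                and _port_match(r["dports"], dport)):
            return r["action"], r["text"]
    return "deny", "(implicit deny ip any any)"


# ACL 115 as posted by the original poster (inbound on interface Vlan15).
OP_ACL_115 = """
access-list 115 permit udp 10.1.15.0 0.0.0.255 host 10.1.20.1 eq domain
access-list 115 permit udp any eq bootpc any eq bootps
access-list 115 permit tcp host 10.1.15.20 host 10.1.10.12 eq 10050
access-list 115 permit tcp host 10.1.15.20 host 10.1.10.12 eq 10051
access-list 115 deny ip 10.1.15.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 115 permit ip 10.1.15.0 0.0.0.255 any
access-list 115 deny ip any any
"""

# ACL 115 as suggested in the reply above.
SUGGESTED_ACL_115 = """
access-list 115 permit tcp any host 10.1.10.12 range 10050 10051
access-list 115 deny ip any 10.1.10.0 0.0.0.255
access-list 115 permit ip any any
"""

# Constructed client flows as they would enter Vlan15: (label, proto, src, dst, sport, dport).
SAMPLE_FLOWS = [
    ("TCP 10050 to 10.1.10.12",    "tcp", "10.1.15.20", "10.1.10.12", 51000, 10050),
    ("web GUI on Server1",         "tcp", "10.1.15.21", "10.1.10.10", 51001, 80),
    ("RDP to Server2",             "tcp", "10.1.15.21", "10.1.10.11", 51002, 3389),
    ("DNS to internet router",     "udp", "10.1.15.21", "10.1.20.1", 51003, 53),
    ("web GUI on internet router", "tcp", "10.1.15.21", "10.1.20.1", 51004, 443),
    ("DHCP discover",              "udp", "0.0.0.0", "255.255.255.255", 68, 67),
    ("internet HTTPS",             "tcp", "10.1.15.21", "203.0.113.10", 51005, 443),
]


def verdicts(acl_text, number=115):
    """Map each sample flow label to the verdict of the given ACL number."""
    rules = parse_acl(acl_text)[number]
    return {label: evaluate(rules, proto, s, d, sp, dp)[0]
            for label, proto, s, d, sp, dp in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, text in (("OP ACL 115", OP_ACL_115), ("suggested ACL 115", SUGGESTED_ACL_115)):
        print(name)
        for label, verdict in verdicts(text).items():
            print(f"  {verdict:6} {label}")
```

Run stand-alone, the evaluator shows that the original ACL 115 already expresses the stated intent (DNS, DHCP and the two TCP ports permitted, the server and router web GUIs denied, internet permitted), while the suggested three-line ACL 115 permits the client's HTTPS flow to 10.1.20.1 because its only deny covers 10.1.10.0/24. Neither result explains the behaviour reported in the thread: if the deny counter in `show ip access-list 115` never increments, the packets are not being evaluated against the ACL at all, which is what the later posts attribute to the interaction with IP Source Guard on the client port.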
10-03-2021 03:35 PM - edited 10-03-2021 03:45 PM
Hi Paul,
Thanks for your post. I tried replacing ACLs 110 & 115 with simple ones that only include a single entry: "deny ip any any".
Unfortunately, even with this configuration the client in VLAN 15 had full access to everything (including the Servers VLAN & the Internet).
However, I managed to find the solution: Removing "ip verify source" from the Client's physical gigabit interface on the switch. When I did that, the ACLs worked as expected and I couldn't access the Servers VLAN. As soon as I turn IP Source Guard on, I'm facing the same issue. Note that the Server's physical interface didn't have IP Source Guard enabled.
It looks like IP Source Guard is buggy in the latest release and causes the switch to completely ignore the VLAN interface routing ACLs, hence ignoring all "deny" rules.
I tried to contact TAC for this issue (even sharing my full config), but since I don't have a service contract they couldn't help me and asked me to post my issue here. I am able to share a very simple full switch configuration that replicates this issue (which I believe could be a bug) if need be.
Thanks
10-03-2021 03:46 PM
Hello
You don't mention anything about IPSG or uRPF in your OP, which it seems you have running. This would have a bearing on whether your access-list works correctly.
Please elaborate on exactly what you want to accomplish, and also post the running configuration of the L3 switch/router servicing your VLANs.
10-03-2021 06:01 PM - edited 10-03-2021 06:07 PM
I've built a simpler configuration/scenario that still replicates my issue (attaching it to this post):
Assume what I'm trying to accomplish with the attached config is to prevent VLAN 15 from forwarding traffic to or accepting traffic from any other VLAN or the internet, except for DHCP traffic (essentially I want the clients in VLAN 15 to receive addresses from the DHCP server and then only talk to each other inside the VLAN).
In the attached configuration, this does not work. The client in VLAN 15 can ping the Server in VLAN 10, access its Web GUI, etc.
When I remove "ip verify source" from the G1/0/12 interface config, the client works as expected (i.e. is no longer able to contact anything outside its VLAN, and the counter for the "deny ip any any" in "show ip access-list 115" starts showing that packets are being dropped).
Thanks
Disclaimer for mods (since I was asked not to include IPs etc. in public posts): The attached config & IP addresses are not used in my production environment.
10-04-2021 03:45 AM
Hi friend
Hmm, so there are two filters. Can you do
access-group mode merge and see the result? Maybe this is the solution for your case.