Catalyst 6500 VLAN ACLs

jmprats
Level 4

Hi, what ACLs do you use for filtering traffic between VLANs in a Windows domain?

I mean, between the Servers VLAN and the Users VLAN?

Between IT_department_VLAN and Users_VLAN?

Do you permit any and deny the most dangerous ones (Terminal Server, 135, ...)?

Or do you deny any and permit what you need?

Obviously the second option is more secure, but it can be very problematic because of the large number of ports involved.

Thanks


7 Replies

Latchum Naidu
VIP Alumni

Hi,

You can easily restrict access between VLANs with ACLs.
For your requirement, say you have Vlan10-Servers, Vlan20-Users and Vlan30-IT dept.
Now we need to achieve the access restrictions between the VLANs as per requirement.


interface Vlan10
description Servers
ip address 192.168.10.1 255.255.255.0
ip access-group 110 in
ip helper-address 1.11.1.145

interface Vlan20
description Users
ip address 192.168.20.1 255.255.255.0
ip access-group 120 in
ip helper-address 1.11.1.145

interface Vlan30
description IT-dept
ip address 192.168.30.1 255.255.255.0
ip access-group 130 in
ip helper-address 1.11.1.145

access-list 110 remark Servers VLAN inbound. Interface ACLs are stateless: permit TCP replies to sessions opened from the other VLANs (UDP replies need explicit entries)
access-list 110 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 established
access-list 110 permit tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 established
access-list 110 permit tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq www
access-list 110 permit ip 192.168.10.0 0.0.0.255 1.11.0.0 0.0.255.255
access-list 110 deny   ip any any

access-list 120 remark Users VLAN inbound. Replies to sessions opened by the IT host, then what users may open
access-list 120 permit tcp 192.168.20.0 0.0.0.255 host 192.168.30.100 established
access-list 120 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 120 permit tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq www
access-list 120 permit ip 192.168.20.0 0.0.0.255 1.11.0.0 0.0.255.255
access-list 120 deny   ip any any

access-list 130 remark IT VLAN inbound. Replies to the web sessions opened by servers and users; only host 192.168.30.100 may open sessions to the other VLANs
access-list 130 permit tcp 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 established
access-list 130 permit tcp 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255 established
access-list 130 permit ip host 192.168.30.100 192.168.10.0 0.0.0.255
access-list 130 permit ip host 192.168.30.100 192.168.20.0 0.0.0.255
access-list 130 permit ip 192.168.30.0 0.0.0.255 1.11.0.0 0.0.255.255
access-list 130 deny   ip any any


Please rate the helpful posts.
Regards,
Nadiu.

But in this configuration you are not securing the servers VLAN from the users VLAN...

Hi,

You can modify the access list as per your requirement.
Say you need to restrict access from the user VLAN to the server VLAN; access-list 120, which is applied under the servers VLAN, would be

access-list 120 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 120 deny   ip any any

access-list 130 permit tcp 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 130 permit tcp 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 130 deny   ip any any


Please rate all the helpful posts.
Regards,
Nadiu.

Hi,

It seems your question is answered, hence I would request you to click on the correct answer, as people will get encouraged.

The given compensation is somewhat of a let down.

Regards,
Nadiu.

Yes, I know that.

I'm asking about how people are filtering their internal VLANs in a Windows domain.

Are people allowing all ports between servers and users?

Are they denying all and allowing some ports, or do they only deny management ports like 3389 (Terminal Server) or 135, etc.?

As I said, it depends on your own and your organization's requirements.
Some people will give some servers on port 80, and for some critical servers deny RDP (3389) access, and many others.

As I said, it all depends on your own requirements, and you can fine-tune the ACL restrictions depending on requirements.

As per the above, say your organization decided to restrict RDP access and only allow HTTP access. So like below you can modify your ACLs.

Example: 192.168.30.30 is permitted to users on port 80, for 192.168.30.40 RDP access is restricted, and 192.168.30.50 is given RDP access.


access-list 120 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 120 permit tcp 192.168.20.0 0.0.0.255 host 192.168.30.30 eq 80
access-list 120 permit tcp 192.168.20.0 0.0.0.255 host 192.168.30.50 eq 3389
access-list 120 deny   ip any any


Regards,
Nadiu.
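Two pitfalls in the ACLs of this thread, checked in code. This is an added example, not code from the thread or from Cisco: a small Python model of how an IOS extended ACL is evaluated (first match wins, implicit deny at the end, wildcard masks where a 1 bit means "don't care", `eq`, `established`). It runs constructed flows through the thread's ACL 120 and through a version of ACL 110 with and without a `permit tcp ... established` entry. First: ACL 120 on Vlan20 permits a user's SMB request to a server, but an interface ACL is stateless, so the server's reply arrives inbound on Vlan10 and, without a return-traffic entry, hits `deny ip any any`. Second: `192.168.30.30 0.0.0.255` in the accepted answer is a wildcard mask that matches all of 192.168.30.0/24, not a single host; `host 192.168.30.30` is the intended form. The flow addresses and ports are constructed for the example, and only the IOS port keywords the thread uses are modelled.

```python
"""Model of Cisco IOS extended ACL evaluation: first match wins, implicit deny,
wildcard masks (1 bits are don't-care), `eq <port|name>`, `established`.
Added example for this thread; not the thread's or Cisco's code."""
import ipaddress
from dataclasses import dataclass

# IOS port keywords used by the ACLs in the thread (a subset of what IOS accepts)
PORT_NAMES = {"www": 80}


@dataclass(frozen=True)
class Flow:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    established: bool = False   # TCP segment with ACK or RST set (not the first SYN)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: compare only the bits that are 0 in the wildcard."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def _parse_addr(tokens, i):
    """Parse one address spec: any | host A | A WILDCARD. Returns (base, wildcard, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acl(text: str):
    """Parse numbered extended ACL lines into entries, skipping remarks and blank lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, swc, i = _parse_addr(t, 4)
        dst, dwc, i = _parse_addr(t, i)
        dport, est = None, False
        while i < len(t):
            if t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
                i += 2
            elif t[i] == "established":
                est = True
                i += 1
            else:
                i += 1              # log etc.: not modelled
        entries.append((action, proto, src, swc, dst, dwc, dport, est))
    return entries


def evaluate(entries, flow: Flow) -> str:
    """Return "permit" or "deny" for the flow; the first matching entry decides."""
    for action, proto, src, swc, dst, dwc, dport, est in entries:
        if proto not in ("ip", flow.proto):
            continue
        if not (wildcard_match(flow.src, src, swc) and wildcard_match(flow.dst, dst, dwc)):
            continue
        if dport is not None and flow.dport != dport:
            continue
        if est and not flow.established:
            continue
        return action
    return "deny"                   # implicit deny at the end of every IOS ACL


# ACL 120 as posted in the thread (inbound on Vlan20, the users VLAN)
ACL_120_USERS_IN = """
access-list 120 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 120 permit tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq www
access-list 120 permit ip 192.168.20.0 0.0.0.255 1.11.0.0 0.0.255.255
access-list 120 deny   ip any any
"""

# ACL 110 (inbound on Vlan10, the servers VLAN) with no entry for replies to users
ACL_110_NO_RETURN = """
access-list 110 permit tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq www
access-list 110 permit ip 192.168.10.0 0.0.0.255 1.11.0.0 0.0.255.255
access-list 110 deny   ip any any
"""

# Same ACL with a return-traffic entry: TCP segments with ACK/RST set towards the users VLAN
ACL_110_WITH_RETURN = """
access-list 110 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 established
""" + ACL_110_NO_RETURN

# The accepted answer's line as written, and the intended single-host form
ACL_IT_WEB_WILDCARD = "access-list 120 permit tcp 192.168.20.0 0.0.0.255 192.168.30.30 0.0.0.255 eq 80"
ACL_IT_WEB_HOST = "access-list 120 permit tcp 192.168.20.0 0.0.0.255 host 192.168.30.30 eq 80"

# Constructed endpoints: a user opening SMB (445) to a server
USER, SERVER = "192.168.20.15", "192.168.10.5"


def user_request_to_server() -> str:
    return evaluate(parse_acl(ACL_120_USERS_IN), Flow("tcp", USER, SERVER, 445))


def server_reply_to_user(acl_text: str) -> str:
    # The server's SYN/ACK goes back to the client's ephemeral port with the ACK bit set
    return evaluate(parse_acl(acl_text), Flow("tcp", SERVER, USER, 51022, established=True))


def user_to_it_web(acl_text: str, dst: str) -> str:
    return evaluate(parse_acl(acl_text), Flow("tcp", USER, dst, 80))


if __name__ == "__main__":
    print("user -> server:445, ACL 120 in on Vlan20       :", user_request_to_server())
    print("server reply, ACL 110 without established      :", server_reply_to_user(ACL_110_NO_RETURN))
    print("server reply, ACL 110 with established         :", server_reply_to_user(ACL_110_WITH_RETURN))
    print("user -> 192.168.30.99:80, '192.168.30.30 0.0.0.255':", user_to_it_web(ACL_IT_WEB_WILDCARD, "192.168.30.99"))
    print("user -> 192.168.30.99:80, 'host 192.168.30.30'      :", user_to_it_web(ACL_IT_WEB_HOST, "192.168.30.99"))
```

`established` only helps for TCP: it matches any segment with ACK or RST set, so it lets replies through but also anything an attacker sends with the ACK bit set. UDP services that a Windows domain relies on (DNS, Kerberos and LDAP over UDP) need explicit entries in both directions, or a stateful filter (reflexive ACLs or a firewall) instead of plain interface ACLs.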

I would say deny some and permit any, depending on what needs to be denied and what services are running on the box. Denying everything and permitting only some is typically done for the internal segment on a firewall, but since servers [most of them] come under the DMZ segment, explicitly deny only a few.

Thanks.
