03-17-2011 01:14 AM - edited 03-06-2019 04:07 PM
Hi, what ACLs do you use for filtering traffic between VLANs in a windows domain?
I mean, between Servers VLAN and Users VLAN?
between IT_department_VLAN and Users_VLAN?
Do you permit any and deny the most dangerous ones (Terminal server, 135, ...)?
Or do you deny any and permit what you need?
Obviously the second option is more secure, but it can be very problematic because of the large number of ports involved.
Thanks
03-17-2011 04:03 AM
As I said, it depends on your own and your organization's requirements.
Some people will give access to some servers on port 80, deny RDP (3389) access to some critical servers, and many others.
As I said, it all depends on your own requirements, and you can fine-tune the ACL restrictions depending on those requirements.
As per above, say your organization decided to restrict RDP access and only allow HTTP access. So you can modify your ACLs like below.
Example: 192.168.30.30 is permitted to users on port 80, for 192.168.30.40 RDP access is restricted, and 192.168.30.50 is given RDP access.
! Users (Vlan20) to the servers VLAN: all TCP
access-list 120 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
! Users to the single host 192.168.30.30: HTTP only ("host" matches one address; a 0.0.0.255 wildcard would match the whole /24)
access-list 120 permit tcp 192.168.20.0 0.0.0.255 host 192.168.30.30 eq 80
! Users to the single host 192.168.30.50: RDP allowed; 192.168.30.40 has no entry, so its RDP is denied below
access-list 120 permit tcp 192.168.20.0 0.0.0.255 host 192.168.30.50 eq 3389
access-list 120 deny ip any any
Regards,
Nadiu.
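As an added check that is not part of the thread, the small Python evaluator below (an assumed helper, not an IOS tool) parses access-list lines in the form used above and evaluates sample flows first-match with the implicit deny, so the intent of an ACL can be verified before it is applied to a VLAN interface. The sample ACL is constructed from the accepted answer's intent using the "host" keyword; the evaluator also shows why a host entry written with a 0.0.0.255 wildcard matches the whole /24 instead of one address.

```python
import ipaddress

# Constructed sample ACL carrying the accepted answer's intent: all TCP from users
# to the server VLAN, HTTP only to 192.168.30.30, RDP only to 192.168.30.50.
ACL_120 = """
access-list 120 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 120 permit tcp 192.168.20.0 0.0.0.255 host 192.168.30.30 eq 80
access-list 120 permit tcp 192.168.20.0 0.0.0.255 host 192.168.30.50 eq 3389
access-list 120 deny ip any any
"""
PORT_NAMES = {"www": 80}  # IOS port keywords that may appear after "eq"

def _parse_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host" or tokens[1] == "0.0.0.0":  # both mean one host
        host = tokens[1] if tokens[0] == "host" else tokens[0]
        return ipaddress.ip_network(host + "/32"), tokens[2:]
    # A wildcard mask is an inverted netmask (a hostmask); strict=False mirrors
    # IOS, so "192.168.30.30 0.0.0.255" quietly becomes all of 192.168.30.0/24.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Return a list of (action, proto, src_net, dst_net, dst_port or None)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue  # blank line or not an access-list entry
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        port = None
        if len(rest) >= 2 and rest[0] == "eq":
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append((t[2], t[3], src, dst, port))
    return rules

def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rport in acl:
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dst_port:
            continue
        return action
    return "deny"
```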
03-17-2011 02:15 AM
Hi,
You can easily restrict access between VLANs with ACLs.
For your requirement, say you have Vlan10-Servers, Vlan20-Users and Vlan30-IT dept.
Now we need to achieve access restriction between VLANs as per the requirement.
interface Vlan10
description Servers
ip address 192.168.10.1 255.255.255.0
ip access-group 110 in
ip helper-address 1.11.1.145
!
interface Vlan20
description Users
ip address 192.168.20.1 255.255.255.0
ip access-group 120 in
ip helper-address 1.11.1.145
!
interface Vlan30
description IT-dept
ip address 192.168.30.1 255.255.255.0
ip access-group 130 in
ip helper-address 1.11.1.145
!
! Servers (Vlan10): HTTP to the IT dept VLAN, anything to 1.11.0.0/16, everything else denied
! ("eq www" needs a TCP entry; "permit ip ... eq www" is not valid syntax)
access-list 110 permit tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq www
access-list 110 permit ip 192.168.10.0 0.0.0.255 1.11.0.0 0.0.255.255
access-list 110 deny ip any any
! Users (Vlan20): all IP to the servers VLAN, HTTP to the IT dept VLAN, anything to 1.11.0.0/16
access-list 120 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 120 permit tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq www
access-list 120 permit ip 192.168.20.0 0.0.0.255 1.11.0.0 0.0.255.255
access-list 120 deny ip any any
! IT dept (Vlan30): only host 192.168.30.100 reaches the servers and users VLANs; the whole VLAN reaches 1.11.0.0/16
access-list 130 permit ip host 192.168.30.100 192.168.10.0 0.0.0.255
access-list 130 permit ip host 192.168.30.100 192.168.20.0 0.0.0.255
access-list 130 permit ip 192.168.30.0 0.0.0.255 1.11.0.0 0.0.255.255
access-list 130 deny ip any any
Please rate the helpful posts.
Regards,
Nadiu.
03-17-2011 02:23 AM
But in this configuration you are not securing the servers VLAN from the users VLAN...
03-17-2011 02:32 AM
Hi,
You can modify the access list as per your requirement.
Say you need to restrict access from the user VLAN to the server VLAN, which is access list 120 applied under the servers VLAN; it would be:
! Users (Vlan20) to the servers VLAN: TCP only, all ports; other IP protocols denied
access-list 120 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 120 deny ip any any
! IT dept (Vlan30) to the users and servers VLANs: TCP only, all ports
access-list 130 permit tcp 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 130 permit tcp 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 130 deny ip any any
Please rate all the helpful posts.
Regards,
Nadiu.
03-17-2011 03:49 AM
Hi,
It seems your question is answered, hence I would request you to click on the correct answer, as people will get encouraged.
The given compensation is somewhat of a let down.
Regards,
Nadiu.
03-17-2011 03:50 AM
Yes, I know that.
I'm asking about how people are filtering their internal VLANs in a Windows domain.
Are people allowing all ports between servers and users?
Are they denying all and allowing some ports, or do they only deny management ports like 3389 (terminal server) or 135, etc.?
03-17-2011 09:59 AM
I would say deny some and permit any, depending on what needs to be denied and what services are running on the box. Denying everything and permitting only some is typically done for the internal segment on a firewall, but since servers [most of them are] come under the DMZ segment, explicitly deny only a few.
Thanks.