Filtering incoming packets

ElQueue
Level 1

Due to limitations in hardware and possibly experience, I'm running into a wall trying to block traffic coming into my network. I'm trying to create an ACL to apply to an interface on my Catalyst 3750-24PS switch, but I don't know how to make it work as I can't add an ACL to the physical interface.

 

The topology is as follows:

 

Comcast Cable Router -> GigabitEthernet1/0/1 on the 3750, which then does interVLAN routing to all my devices.

 

In order to implement VLANs that worked with my Comcast router, I had to split up my network as follows:

 

10.0.0.0/28 - Comcast router and all the other network management interfaces

10.0.0.16/28 - Servers

10.0.0.32/28 - Hosts

10.0.0.48/28 - IP Phones

10.0.0.64/28 - Reserved

10.0.0.128/25 - WAP hosts

 

I tried putting all the VLANs on another subnet than the Comcast router, but none of my hosts could get out to the Internet so I had to complicate things like this; the Comcast router sees the network as 10.0.0.0/24 and the Catalyst switch routes it internally without interference.

 

Other than putting another device between the switch and Comcast router to filter, what are my options here?


Jon Marshall
Hall of Fame

 

Do you have a L3 vlan interface for the 10.0.0.0/28 subnet, i.e. on your 3750 do you have:

 

int vlan x 
ip address 10.0.0.x 255.255.255.240

 

If so, you apply your ACL to that interface inbound.

 

Jon

 

 

I do, as all the network devices have an IP in that subnet. Are you saying that if a packet comes in through GigabitEthernet1/0/1 it's instantly processed as VlanX (the Vlan that port is assigned)?

Hello,

 

I assume that since you do the inter-Vlan routing on the switch, port GigabitEthernet1/0/1 is configured as an access port in the 10.0.0.0/28 subnet/Vlan?

If that is the case, applying the ACL to the Vlan interface will work as indicated by Jon. If you are not sure about what you are doing, post the full config of the switch, including the actual access list.

I wanted to block out most of the outside traffic coming into the network, which would cripple my internal network since incoming would include traffic technically going out (as it would come IN the Vlan from another Vlan), as well as possibly blocking some internal traffic as well.

Jon and Georg are correct that if you want to filter traffic coming from the ISP, you would apply an access list inbound on the vlan interface for the vlan where the ISP is connected.

 

We do not know what else is connected in the vlan that connects the ISP. If we knew more about your environment and about your topology we might be able to give better advice. But it seems to me, based on what we know so far, that you have 2 options that could solve your requirements:

1) move the devices that are currently connected in the vlan that connects the ISP to some other vlan so that the vlan connects only the ISP. Then you can apply an access list that impacts only the ISP traffic.

2) I am assuming that your devices inside all have addresses in 10.0.0.x and that the traffic that you want to control is not in 10.0.0.x. So configure an access list that begins by permitting all traffic with source address in 10.0.0.x and then configure additional statements to filter the outside traffic that you want to control.

 

HTH

 

Rick


All the devices on the Vlan for 10.0.0.1-15 are routers and switches, i.e. the Comcast router (1), 3 Cisco switches (3-5), and 1 Cisco router (2). I want the traffic on the whole 10.0.X.X network to be unfiltered (or at least not filtered by this ACL) while traffic coming from the Internet is filtered. I also have a cellular modem for failover attached to the Cisco router via serial that will need an identical ACL set up, but I assume that will be MUCH easier since the traffic is directly attached to the router.

Thank you for the clarification that 

I want the traffic on the whole 10.0.X.X network to be unfiltered (or at least not filtered by this ACL) while traffic coming from the Internet is filtered

 

To accomplish this I will repeat my previous suggestion

configure an access list that begins by permitting all traffic with source address in 10.0.0.x and then configure additional statements to filter the outside traffic that you want to control.

 

HTH

 

Rick


Awesome, now that you simplified it like that I don't know why I was trying to make it so hard... story of my life.

I am glad that my suggestion is helpful. We all have had the experience of trying to find a solution that turns out to be more complex than it really needs to be. Letting the traffic for 10.0.0.0 go through without restriction is the easy part. You will probably encounter a bit more complexity as you come up with access list statements to restrict traffic from outside and permit only the outside traffic that you really want.

 

HTH

 

Rick

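A worked version of Rick's suggestion, added here as an example and not posted in the thread. It assumes the Comcast router sits in VLAN 10 with the 3750's SVI at 10.0.0.3/28, one server at 10.0.0.17 that publishes HTTPS, and inside hosts that resolve DNS against outside servers; the VLAN number, those addresses and the ACL name are placeholders. The first entry exempts every 10.0.0.x source, including the other switches and the router that share the uplink VLAN, so only packets the Comcast router forwards in from the Internet reach the remaining lines:

```cisco
! Added example, not from the original thread. VLAN id, SVI address,
! server address and ACL name are placeholders for this topology.
!
ip access-list extended FROM-ISP
 remark --- Step 1 (Rick): anything sourced inside 10.0.0.0/24 is left alone
 permit ip 10.0.0.0 0.0.0.255 any
 remark --- Step 2: return traffic for TCP sessions that inside hosts opened
 permit tcp any 10.0.0.0 0.0.0.255 established
 remark --- DNS answers to inside resolvers (UDP has no established flag,
 remark --- so only allow replies from port 53 to ephemeral client ports)
 permit udp any eq 53 10.0.0.0 0.0.0.255 gt 1023
 remark --- ICMP needed for ping replies and path MTU / traceroute errors
 permit icmp any 10.0.0.0 0.0.0.255 echo-reply
 permit icmp any 10.0.0.0 0.0.0.255 unreachable
 permit icmp any 10.0.0.0 0.0.0.255 time-exceeded
 remark --- the only inbound service that is deliberately published
 permit tcp any host 10.0.0.17 eq 443
 remark --- everything else from the outside is dropped and logged
 deny ip any any log
!
interface Vlan10
 description Uplink VLAN towards the Comcast router
 ip address 10.0.0.3 255.255.255.240
 ip access-group FROM-ISP in
```

The `log` keyword on the final deny sends matching packets to the switch CPU, so keep it on that one entry only and remove it once you have confirmed nothing legitimate is being dropped.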

I just realized that this solution isn't good enough. This port isn't the only one on this Vlan. And since I want to lock down ports, this would kill my network.

Hello
Possibly apply a reflexive ACL on the 3750 SVIs to let established traffic flow back into your network.

Example:
ip access-list extended Egress
 ! outbound flows are recorded in the temporary ACL named "Comcast"
 permit tcp any any reflect Comcast
 permit udp any any reflect Comcast
 permit icmp any any reflect Comcast

ip access-list extended Ingress
 ! only return traffic matching a recorded flow is allowed; everything else hits the implicit deny
 evaluate Comcast

! directions below are for an inside (host) SVI: host traffic enters it, replies leave it
interface Vlan x
 ip access-group Egress in
 ip access-group Ingress out



Kind Regards
Paul