Restrict Access for single node/interface

adam.dillon1
Level 1

I'm looking to gain some insight on how to resolve a problem I have. Summed up, my network looks like this:

 

We have two sides to the company, one side we will call office, and the other operations. On the Office side we use Vlan 10. We connect the office side to a router, and on the other side is the operations using vlan 1. Currently anything on vlan 10 can reach vlan 1 and vice versa. 

 

I have a device, we'll call it Node, that is currently on Vlan 10, that needs to communicate to some devices on Vlan 10 and also some on Vlan 1. However, given the current setup it can access everything on vlan 10 and vlan 1. I would like to restrict this Node to only the IPs that it needs access to. 


I can move this Node to another Vlan, if that makes it easier. I just don't know where to begin with restricting its access.

 

Thank you so much for your time.


11 Replies

Jon Marshall
Hall of Fame

 

It would probably be easier if you moved it to its own vlan, then on the L3 interface for that vlan you could apply an acl inbound on the interface with the logic - 

 

allow node to specific IPs (in vlan 1 and vlan 10)
deny node to vlan 1 subnet
deny node to vlan 10 subnet
permit ip node to any (if node needs internet - you may or may not need this last line)

 

Alternatively you could use a vlan acl (vacl) to restrict traffic within vlan 10 and an acl applied to the vlan 10 interface to restrict traffic between the node and vlan 1, but then you would need a "permit ip any any" at the end of the acl for the non-node traffic. 

 

Jon

Thank you!

I'm going to give this a shot on a test system in about an hour!

So I've created vlan 16 as my new vlan for this single node. I gave the vlan interface an ip address of 192.168.16.1, set the Node, my test machine in this case, to 192.168.16.5 and configured its interface to switchport access vlan 16. 

 

I'll need my node to have internet access, and it'll need to reach 192.168.209.24 and 192.168.210.1 on VLAN 10 and 10.10.1.12 on Vlan 1.

 

I'm looking at creating extended access list as such:

access-list 100 permit ip host 192.168.16.5 0.0.0.0 192.168.209.24
access-list 100 permit ip host 192.168.16.5 0.0.0.0 192.168.210.1
access-list 100 permit ip host 192.168.16.5 0.0.0.0 10.10.1.12
access-list 100 deny ip 192.168.16.0 0.0.0.255 192.168.208.0 0.0.0.3                   (192.168.208.0-192.168.211.255)
access-list 100 deny ip 192.168.16.0 0.0.0.255 10.0.0.0 0.255.255.255                 (10.0.0.0-10.255.255.255) 
access-list 100 permit ip 192.168.16.5 0.0.0.0 any

 

Then I need to configure the interface vlan 16

 

interface Vlan16
description Restrict Access
ip address 192.168.16.1 255.255.255.0
ip access-group 100 out

 

Does that look right? Do I need an interface IP on the vlan 16?

 

Thank you!

 

Edit: tested, I can ping the 192.168.16.1 (cisco switch) and 192.168.210.1 (cisco switch) but nothing else.

Your acl should look like - 

 

access-list 100 permit ip host 192.168.16.5 host 192.168.209.24
access-list 100 permit ip host 192.168.16.5 host 192.168.210.1
access-list 100 permit ip host 192.168.16.5 host 10.10.1.12
access-list 100 deny ip 192.168.16.0 0.0.0.255 192.168.208.0 0.0.0.3
access-list 100 deny ip 192.168.16.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip host 192.168.16.5 any

 

and then you need to apply it inbound to the vlan interface - 

 

interface Vlan16
description Restrict Access
ip address 192.168.16.1 255.255.255.0
ip access-group 100 in

 

Jon

That's very close to what I was doing. I was able to get the access to my specified IPs 192.168.209.24, 210.1, and 10.10.1.12 to work. I had the access-group 100 set to out at first; after I changed it, that took care of the deny. 

 

The issue I am having is reaching the internet. 

 

I've removed the deny statements, and tried permit ip any any at the end just to see if I could ping 8.8.8.8, and it fails. I tried to also add permit ip host 192.168.16.5 any, and it also fails to ping 8.8.8.8.

 

 

Here is my current configuration:

interface Vlan16
description OSPI Restrict Access
ip address 192.168.16.1 255.255.255.0
ip access-group 100 in

 

Extended IP access list 100
20 permit ip host 192.168.16.5 0.0.0.0 192.168.209.24
30 permit ip host 192.168.16.5 0.0.0.0 192.168.210.1 (13 matches)
40 permit ip host 192.168.16.5 0.0.0.0 10.10.1.12
80 permit ip host 192.168.16.5 0.0.0.0 192.168.208.5 (2 matches)     (this is just another server I needed access to.)
90 permit ip any any (43 matches)

 

interface GigabitEthernet7/0/15 (this is where my test system is sitting.)
switchport access vlan 16
switchport mode access

I removed the Deny statements just for testing. When they are added, I'm having success with all of my rules except the internet. I'll also note that if I remove the access-group from the vlan16 interface, internet works just fine as well.

 

Edit: or at least it was before I started messing with these access lists. I noticed now that the network adapter on the test computer is showing a gateway of 0.0.0.0 and 192.168.16.1. I'm thinking this is a problem. I'll try to resolve.

 

I was going to suggest it might be a NAT issue as you are using a new subnet but you say internet works fine without the acl. 

 

The acl looks good to me, let me know how you get on once you have sorted out the adapter. 

 

Jon

I could have sworn the internet worked before I did any of the ACL stuff, but I must be mistaken. I had to set up the route on my sonicwall for the vlan 16 to hit my core switch. I got that working.

 

So internet is working, and all of my permits are working, but it appears I hit a new snag! 

 

After adding the permit ip host 192.168.16.5 any, it looks like I'm not able to ping anything on my deny spaces as well. I cleaned up my access a little, and this is what it is now.

 

Extended IP access list 100
10 permit ip host 192.168.16.5 0.0.0.0 192.168.209.24
20 permit ip host 192.168.16.5 0.0.0.0 192.168.210.1 (1 match)
30 permit ip host 192.168.16.5 0.0.0.0 10.10.1.12
40 permit ip host 192.168.16.5 0.0.0.0 192.168.208.5
50 deny ip 192.168.16.0 0.0.0.255 192.168.208.0 0.0.0.3
60 deny ip 192.168.16.0 0.0.0.255 10.0.0.0 0.255.255.255
70 permit ip host 192.168.16.5 any (5 matches)

 

I'm able to ping other devices on the 192.168.208.0 network now. Does entry 70 supersede entries 50 and 60?

Edit: I dropped the permit any, and that fixed it. So that tells me either the deny entries are incorrect, or the permit any supersedes? Or something else altogether.. AWW ha 

I think the wildcard mask is wrong in line 50 ie. it should be 0.0.3.255 not 0.0.0.3. 

 

Jon
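The first-match question above (does entry 70 supersede 50 and 60?) and the wildcard fix can be checked offline. This is an added example, not code from the thread or from Cisco: a small Python evaluator of the thread's ACL, run against the node 192.168.16.5 and a constructed address 192.168.208.7 on the VLAN 10 range.

```python
import ipaddress
# Added example, not code from the thread: evaluates Cisco IOS extended ACL
# entries "permit|deny ip <src> <dst>" (address = any | host A.B.C.D |
# A.B.C.D <wildcard>) top to bottom; first match wins, no match = implicit deny.

def _parse_addr(t, i):
    """Parse one address spec at t[i]; return (address, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1])), i + 2

def parse_ace(line):
    """Return (action, src, src_wc, dst, dst_wc) for one ACE in IOS syntax."""
    t = line.split()
    if t[0] == "access-list":   # config form: "access-list 100 permit ..."
        t = t[2:]
    elif t[0].isdigit():        # show form: "10 permit ..."
        t = t[1:]
    if t[0] not in ("permit", "deny") or t[1] != "ip":
        raise ValueError("unsupported entry: " + line)
    src, src_wc, i = _parse_addr(t, 2)
    dst, dst_wc, _ = _parse_addr(t, i)
    return t[0], src, src_wc, dst, dst_wc

def _matches(addr, net, wc):
    care = ~wc & 0xFFFFFFFF      # wildcard bit 1 = don't care; compare the 0 bits
    return addr & care == net & care

def evaluate(acl, src_ip, dst_ip):
    """Return (action, 1-based entry number) of the first match, or ('deny', None)."""
    src, dst = (int(ipaddress.IPv4Address(a)) for a in (src_ip, dst_ip))
    for n, line in enumerate(acl, 1):
        action, s, swc, d, dwc = parse_ace(line)
        if _matches(src, s, swc) and _matches(dst, d, dwc):
            return action, n
    return "deny", None
# Thread ACL with the VLAN 10 deny typo (0.0.0.3 covers only 192.168.208.0-.3)
# and with Jon's correction (0.0.3.255 covers 192.168.208.0-192.168.211.255).
ACL_TYPO = [
    "access-list 100 permit ip host 192.168.16.5 host 192.168.209.24",
    "access-list 100 permit ip host 192.168.16.5 host 192.168.210.1",
    "access-list 100 permit ip host 192.168.16.5 host 10.10.1.12",
    "access-list 100 deny ip 192.168.16.0 0.0.0.255 192.168.208.0 0.0.0.3",
    "access-list 100 deny ip 192.168.16.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "access-list 100 permit ip host 192.168.16.5 any",
]
ACL_FIXED = ACL_TYPO[:3] + [ACL_TYPO[3].replace("0.0.0.3", "0.0.3.255")] + ACL_TYPO[4:]
```

With the typo, a ping to 192.168.208.7 falls past the deny and hits the final permit (entry 6); with 0.0.3.255 it is denied at entry 4, so the final permit never "supersedes" an earlier deny, it only catches what the denies did not cover.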

Doh, I didn't see this message. 

 

I noticed my vlan 1 was working correctly just the vlan 10 wasn't. I've never worked with ACLs or these wildcards before. 

I got it!! I had the wrong inverse subnet for my 192.168.208.0 network.

 

Should have been

 

deny ip 192.168.16.0 0.0.0.255 192.168.208.0 0.0.3.255 instead of 0.0.0.3.

Thanks SOO much Jon, couldn't even have begun this without you!

 

No problem, glad you got it working. 

 

Jon
