03-30-2012 03:03 PM - edited 03-07-2019 05:53 AM
Hi Experts,
We have the network setup mentioned below, and currently all users at the Quarters location are able to access the corporate network by giving the gateway as the IP address of HSRP VLAN 1. We are planning to block the unauthorized access by the following method.
1) Creating a named ACL allowing the IP addresses used by the devices in VLAN 1 inside the corporate network and the static IPs of users who need to access the corporate network (privileged users)
2) Applying the ACL to interface VLAN 1 inbound on both core switches
3) Since the ACL has an implicit deny, the unauthorized users will automatically be blocked
My Queries
1) Are the allowed IP ranges enough to block the unauthorized access without any other issues for the normal traffic flow of the VLAN traffic?
2) Are there any issues with the CPU utilization of the core switch, as the ACL lookup is processor-consuming?
Please post your valuable comments, suggestions and advice regarding the blocking plan.
Thanks and Regards,
Sihanu N
03-30-2012 05:41 PM
Hi,
My suggestions are:
1) Are the allowed IP ranges enough to block the unauthorized access without any other issues for the normal traffic flow of the VLAN traffic?
Suppose your int vlan 1 IP address is configured as 192.168.1.1 255.255.255.0. Then
you can configure standard ACLs like below:
access-list NUMBER permit 192.168.1.4
access-list NUMBER permit 192.168.1.7
.
.
access-list NUMBER permit 192.168.1.235
List all IP addresses you want to allow to access the network in that access-list, then apply this access-list to int vlan 1.
Now all other traffic sent with source IP addresses that are not in that list will not be able to get to any network except 192.168.1.0/24 (which is vlan 1's network). This means guests could only communicate with Quarters and nothing else, including the Internet.
The drawback of this solution is that guests could simply change their IP to any IP in your list, and then they will bypass your ACL.
2) Is there any issues with the CPU utilization of Core switch, as the ACL lookup is a processor consuming one?
AFAIK, most current Cisco platforms perform ACL lookups in ASIC per interface. An ACL applied to a VLAN will be inherited by all physical ports configured with that VLAN, so it will not increase CPU utilization.
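The behaviour described in this answer, as an added simulation that is not part of the thread and not Cisco code: a small parser for standard-ACL lines in the form shown above, first-match evaluation with the implicit deny, and a model of what an inbound router ACL on int vlan 1 actually sees. The ACL number 10, the second ACL number 20 and every host address other than the 192.168.1.0/24 subnet from the answer are constructed.

```python
"""Simulate a Cisco IOS standard ACL applied inbound on an SVI (int vlan 1).

Added example, not from the thread. ACL numbers and host addresses are
constructed; only the 192.168.1.0/24 subnet comes from the accepted answer.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed allow-list in the style of the answer (ACL number 10 is arbitrary).
SAMPLE_ACL = """\
access-list 10 permit 192.168.1.4
access-list 10 permit 192.168.1.7
access-list 10 permit 192.168.1.235
"""

VLAN1_NET = ipaddress.IPv4Network("192.168.1.0/24")  # int vlan 1 subnet from the answer


@dataclass
class StandardAce:
    action: str      # "permit" or "deny"
    address: int     # base address as a 32-bit integer
    wildcard: int    # Cisco wildcard mask: 1 bits are "don't care"

    def matches(self, src: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(src)) & care) == (self.address & care)


def parse_standard_acl(text: str) -> List[StandardAce]:
    """Parse 'access-list N permit|deny <addr> [wildcard]', '... host <addr>' or '... any'."""
    aces: List[StandardAce] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # skip blank lines, comments and anything that is not an ACE
        action, target = parts[2], parts[3:]
        if target[0] == "any":
            addr, wc = 0, 0xFFFFFFFF
        elif target[0] == "host":
            addr, wc = int(ipaddress.IPv4Address(target[1])), 0
        else:
            addr = int(ipaddress.IPv4Address(target[0]))
            # A bare address with no wildcard means 0.0.0.0, i.e. an exact host match,
            # which is why the answer's lines need no mask.
            wc = int(ipaddress.IPv4Address(target[1])) if len(target) > 1 else 0
        aces.append(StandardAce(action, addr, wc))
    return aces


def evaluate(aces: List[StandardAce], src: str) -> str:
    """First-match evaluation on the source address only; the unwritten last entry is deny."""
    for ace in aces:
        if ace.matches(src):
            return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL


def svi_inbound_verdict(aces: List[StandardAce], src: str, dst: str) -> str:
    """A router ACL on int vlan 1 only sees traffic that is routed off the VLAN.

    Frames to another host inside 192.168.1.0/24 are bridged at layer 2 and never
    reach the SVI, so they are 'switched' whatever the ACL says. This is why the
    answer notes guests can still talk to Quarters but to nothing else.
    """
    if ipaddress.IPv4Address(dst) in VLAN1_NET:
        return "switched"
    return evaluate(aces, src)


if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL)
    # Constructed sample flows: (source, destination)
    flows = [
        ("192.168.1.4", "10.10.0.20"),     # allowed host to the corporate network
        ("192.168.1.50", "10.10.0.20"),    # unlisted guest to the corporate network
        ("192.168.1.50", "192.168.1.7"),   # unlisted guest to a neighbour in vlan 1
        ("192.168.1.50", "8.8.8.8"),       # unlisted guest to the Internet
    ]
    for src, dst in flows:
        print(f"{src:>14} -> {dst:<14} {svi_inbound_verdict(acl, src, dst)}")
```

The ACL keys only on the source address field, so `evaluate` returns the same verdict for 192.168.1.4 no matter which device placed that address in the packet; that is exactly the drawback the answer states, and the simulation makes it visible rather than hiding it. The parser also accepts `host` and `any` entries and wildcard masks (for example `access-list 20 permit 192.168.1.0 0.0.0.255`), which goes slightly beyond the host-only lines shown above.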
03-30-2012 03:33 PM
Hi,
If I understand your question correctly, you only have one vlan for both the guest house and the users with static IPs.
If you want to block vlan 1 from being accessed by the guest house users, then you can put the guest house users in a different VLAN and apply an ACL (outbound) to vlan 1 to block the guest house users.
HTH
03-30-2012 04:28 PM
Hi Reza,
Thanks for your reply,
The current setup doesn't allow us to split the users into two VLANs, as the devices at the quarters (including guests') locations are unmanageable. Also, the static IPs given to the guests and legitimate users cannot be differentiated into two ranges as they are given (IP addresses are not assigned in a proper order).
1) Please confirm whether the plan proposed by me will work with no issues?
Thanks and Regards,
Sihanu N