10-20-2011 08:12 AM - edited 03-07-2019 02:56 AM
Hi Expert,
Below is the configuration of the Catalyst 4506 core switch. The mail server is connected directly to a GE port with an IP address; the server farm is another zone, for the web servers. Two ACLs will be deployed to protect the critical server. Is it correct to configure the direction of the ACLs to be "in"?
! 4506
!
hostname hkcoresw01
!
interface GigabitEthernet3/1
description connected to Primary Exchange Mail Server, 192.168.200.8/27
no switchport
ip address 192.168.200.1 255.255.255.224
ip access-group MailIn in
load-interval 30
no cdp enable
no ip redirects
no ip proxy-arp
!
interface GigabitEthernet2/2
description connected to server farm
switchport access vlan 50
switchport mode access
!
interface Vlan50
description server farm on 8/F
ip address 192.168.50.1 255.255.255.0
ip access-group ServerFarmIn in
no ip redirects
no ip proxy-arp
standby 50 ip 192.168.50.10
standby 50 priority 150
standby 50 preempt delay reload 60
!
ip access-list extended ServerFarmIn
permit tcp 192.168.50.64 0.0.0.3 any eq 80
permit tcp 192.168.50.64 0.0.0.3 eq 80 any
permit tcp 192.168.50.64 0.0.0.3 any eq 443
permit tcp 192.168.50.64 0.0.0.3 eq 443 any
permit tcp host 192.168.50.30 eq ssh host 192.168.1.66
permit tcp host 192.168.50.30 eq 3389 host 192.168.1.66
!
ip access-list extended MailIn
permit tcp 192.168.0.0 0.0.255.255 192.168.200.8 0.0.0.7 eq pop3
permit tcp host 172.16.1.1 192.168.200.8 0.0.0.7 eq smtp
permit tcp any eq smtp 192.168.200.8 0.0.0.7 established
!
rdgs
Anita
10-20-2011 08:33 AM
Anita
The ServerFarmIn acl doesn't even mention the mail server, so how is it related to the 192.168.200.1 server?
The MailIn acl looks to be applied incorrectly. Not sure, again, what it is that you are trying to achieve.
Can you explain exactly what you want to do and then we can go from there.
For your info -
an acl applied inbound means traffic coming from that vlan. So with your Mailin acl the acl is applied to traffic received FROM the mailserver so you can see that your acl probably isn't correct.
Jon
10-21-2011 05:59 AM
Dear Jon,
GE 3/1 is configured as a routed port (not an SVI setting) for the mail server (Exchange server). Do I treat it the same as a router's interface? If so, I apply the ACL to the routed port of the 4506 in the same manner as on a router. Please correct me if I'm wrong.
rdgs
Anita
10-21-2011 06:15 AM
Anita
It's the same principle for an L3 routed port as for an L3 SVI, i.e. from your config -
L3 vlan 50 interface - subnet 192.168.50.0/24
L3 routed interface - subnet 192.168.200.0/27
an acl applied inbound will filter traffic coming from clients in that subnet so -
vlan 50 acl applied inbound will filter traffic from 192.168.50.x clients.
vlan 50 acl applied outbound will filter traffic going to 192.168.50.x clients
L3 routed interface acl applied inbound will filter traffic from 192.168.200.x clients
L3 routed interface acl applied outbound will filter traffic to 192.168.200.x clients
So looking at one line from your Mailin acl -
permit tcp host 172.16.1.1 192.168.200.8 0.0.0.7 eq smtp
you can see from the descriptions above that this line will never be used. An acl applied inbound expects to see the source IPs from the subnet it is applied to, but the source IP in that acl line is 172.16.1.1. So that suggests it should be applied outbound, not inbound.
Also the destination makes no sense either. If the only device on the link is the mail server then simply use its host address, which I'm guessing is 192.168.200.8.
The whole config is very confused. Why are you using a /27 for the mail server subnet, i.e.
192.168.200.0 255.255.255.224 = 192.168.200.1 -> 30 (broadcast 31). So you have 30 usable IPs but you only have 2 devices on that subnet if the mail server is directly connected to the gig port on the switch.
So it's difficult to give any advice without knowing exactly what you are trying to do.
Jon
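To make Jon's direction rule concrete, here is an added example (not code from the thread or from Cisco) that evaluates the thread's two MailIn lines the way a routed port on 192.168.200.0/27 would meet the traffic; the evaluator itself, its port-name table and the packet values are constructed assumptions.

```python
import ipaddress
# Added example (not code from the thread): evaluates Cisco-style extended ACL
# entries ("permit|deny tcp <src> [eq P] <dst> [eq P]") under Jon's direction
# rule: an ACL applied "in" to a routed port sees only packets FROM hosts on
# that port's subnet, "out" sees only packets TO them.
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "ssh": 22}

def _wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "don't care" for that bit
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _take_addr(tokens):
    # consume "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" -> (base, wildcard)
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    return (tokens.pop(0), "0.0.0.0") if t == "host" else (t, tokens.pop(0))

def _take_port(tokens):
    # consume an optional "eq <name|number>"; None means any port
    if not tokens or tokens[0] != "eq":
        return None
    _, v = tokens.pop(0), tokens.pop(0)
    return PORT_NAMES[v] if v in PORT_NAMES else int(v)

def parse_ace(line):
    tokens = line.split()
    action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol (tcp)
    src, sport = _take_addr(rest), _take_port(rest)
    dst, dport = _take_addr(rest), _take_port(rest)
    return {"action": action, "src": src, "sport": sport, "dst": dst, "dport": dport}

def ace_matches(ace, src, dst, sport, dport):
    return (_wildcard_match(src, *ace["src"]) and _wildcard_match(dst, *ace["dst"])
            and ace["sport"] in (None, sport) and ace["dport"] in (None, dport))

def acl_verdict(acl_lines, direction, iface_net, src, dst, sport, dport):
    # Jon's rule: does this ACL see the packet at all? Then first-match with the
    # implicit deny at the end. None = the packet never meets this ACL.
    edge = ipaddress.IPv4Address(src if direction == "in" else dst)
    if edge not in ipaddress.ip_network(iface_net):
        return None
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, src, dst, sport, dport):
            return ace["action"]
    return "deny"

MAIL_IN = ["permit tcp 192.168.0.0 0.0.255.255 192.168.200.8 0.0.0.7 eq pop3",  # thread's MailIn
           "permit tcp host 172.16.1.1 192.168.200.8 0.0.0.7 eq smtp"]
```

Applied "in", the SMTP line is never consulted for traffic from 172.16.1.1, and the mail server's own replies fall through to the implicit deny; applied "out", the same line permits the SMTP session.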
10-21-2011 08:08 AM
Hi Jon,
Some information had to be masked and amended, so the configuration may not be accurate or clear. Thank you for the elaboration; it conveys the main idea and concept of ACL deployment on an L3 routed interface.
rdgs
Anita