2246 Views, 15 Helpful, 22 Replies

Setting an ACL on an L3 switch

Roza12
Level 1

I have guest VLAN 50, 192.168.50.0/24.

The servers are in subnet 172.20.1.0/24.

 

I want to allow the guest VLAN to access only the following from the server range (172.20.1.0/24):

1- DHCP servers (172.20.1.100, 172.20.1.101)

2- DNS (172.20.1.115, 172.20.1.116)

3- 4 other servers using ports 443/80

 

then deny access to the rest of the servers in the range 172.20.1.0/24.

 

The rest should just be open, so the ASA would be able to control access to the DMZ, etc.:

then permit access to the internet, or permit any any.

 

So please help: how should I do that without making any errors?

22 Replies

Seb Rupik
VIP Alumni

Hi there,

Try the following:

 

!
ip access-list ext ACL_001
  permit udp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq 67
  permit udp 192.168.50.0 0.0.0.255 host 172.20.1.101 eq 67
  permit udp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq 53
  permit udp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq 53
  permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq 53
  permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq 53
  permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.xxx eq 80
  permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.xxx eq 443
  deny ip 192.168.50.0 0.0.0.255 172.20.1.0 0.0.0.255
  permit ip any any
!

 

Repeat the following lines, adjusting the xxx's:

  permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.xxx eq 80
  permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.xxx eq 443

...for each of the 4 server IPs you did not specify.

 

Apply this ACL INBOUND on your directly connected interface.

 

cheers,

Seb.

Hi

 

Do you mean on the interface, or apply it on VLAN 50?

Apply it to the SVI, so you have:

 

!
int vlan 50
  ip access-group ACL_001 in
!

 

cheers,

Seb.

Ok thanks

 

Last question: why did you permit UDP and then TCP? Why do we need to permit both for each server?

DNS can use TCP/53 and UDP/53, so I included both in the ACL. If you know that your server is configured to accept connections via one protocol only, edit the ACL as required.

 

cheers,

Seb.

Hi again

 

I have applied the ACL as you mentioned, but I have accessed from other servers that we denied, and I can still ping to the guest subnet.

 

It should be only from DHCP, DNS, ...

The ACL in its current configuration will work in the direction from the guest subnet to the four servers that you specified.

 

I am a little confused from your last statement. Are you saying you can access other servers in the server VLAN from the guest subnet?

As for the ping to guest subnet statement, where are you pinging from?

 

Cheers,

Seb.

Sorry, yes, you are right.

 

I've checked with

sh ip access-list

and I found a number of hits beside the deny access-list entry,

and I think it means it's working right now.

I have tried from the DHCP and DNS servers

and from other servers that we denied,

 

and I can ping; that was what I meant in the previous post.

OK, you are saying that, for example, from your DHCP server you can ping a host in the guest VLAN:

172.20.1.100 -> 192.168.50.1 OK

 

...but you cannot ping successfully in the reverse direction?

 

192.168.50.1 -> 172.20.1.100 NOT OK

 

cheers,

Seb.

 

I didn't try from guest, only from servers that we allowed and denied 

Hello,

 

what do you mean with:

 

--> 3- other 4 servers using ports 443/80

 

Either way, try the below access list:

 

ip access-list extended SERVERS_RESTRICT
 remark guest clients talk to the DHCP server's bootps (67) port
 permit udp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq bootps
 permit udp 192.168.50.0 0.0.0.255 host 172.20.1.101 eq bootps
 permit udp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq domain
 permit udp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq domain
 remark HTTP and HTTPS are TCP
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq www
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.101 eq www
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq www
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq www
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq 443
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.101 eq 443
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq 443
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq 443
 deny ip 192.168.50.0 0.0.0.255 172.20.1.0 0.0.0.255
 permit ip any any

hi

I mean I want to allow the other 4 servers too and deny the rest.

 

Then how do I apply this extended ACL on VLAN 50 (in or out)?

Please correct me if I'm wrong:

 

Extended IP access list Guest-Allowed
10 permit tcp any host 172.20.1.140 eq www
20 permit tcp any host 172.20.1.140 eq 443
30 permit tcp any host 172.20.1.125 eq www
40 permit tcp any host 172.20.1.125 eq 443
50 permit tcp any host 172.20.1.118 eq www
60 permit tcp any host 172.20.1.118 eq 443
70 permit tcp any host 172.20.1.180 eq 443
80 permit tcp any host 172.20.1.181 eq 443
90 permit udp any host 172.20.1.46 eq domain
100 permit udp any host 172.20.1.47 eq domain
110 permit udp any host 172.20.1.109 eq bootpc
120 permit udp any host 172.20.1.109 eq bootps
130 permit udp any host 172.20.1.110 eq bootpc
140 permit udp any host 172.20.1.110 eq bootps
150 permit icmp any any echo
160 permit icmp any any echo-reply
170 permit icmp any any port-unreachable
180 deny ip any 172.20.1.0 0.0.0.255
190 permit ip any any

 

interface vlan 50
 description WirelessGuest
 ip address 172.29.64.1 255.255.255.0
 ip helper-address 172.20.1.120
 ip helper-address 172.20.1.121
 ip access-group Guest-Allowed in
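Before putting an ACL like ACL_001 or Guest-Allowed on the switch, it helps to run the intended flows through a model of IOS first-match evaluation. The Python below is an added example written for this page, not code from the thread or from any Cisco tool. It parses the extended-ACL syntax used above (wildcard masks, host/any, eq with numeric or keyword ports, ICMP type keywords, optional sequence numbers), evaluates sample packets with first-match semantics and the implicit deny, models why an ACL applied in on the VLAN 50 SVI never sees server-to-guest traffic (the ping observation earlier in the thread), and flags entries shadowed by an earlier broader entry. The guest host 192.168.50.23, the unlisted server 172.20.1.200, the internet host 203.0.113.10, and the use of 172.20.1.140 as one of the four web servers in ACL_001 are constructed assumptions; the ACL texts are subsets of the ones posted above.

```python
"""Toy evaluator for Cisco-style extended ACLs (added example; not a Cisco tool,
not code from this thread).  All sample hosts are constructed."""
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

NAMED_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}   # keywords used in the thread
# proto "tcp"/"udp"/"icmp"; dport = tcp/udp destination port; icmp = type keyword such as "echo"
Packet = namedtuple("Packet", "proto src dst dport icmp", defaults=(None, None))
Entry = namedtuple("Entry", "seq action proto src dst dport icmp")   # proto "ip" matches any protocol


def _addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Decode 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2   # ipaddress accepts a wildcard mask


def parse_acl(text: str) -> List[Entry]:
    """Parse an 'ip access-list extended' body or 'show ip access-lists' output;
    unnumbered entries get 10, 20, ... as IOS assigns them."""
    entries, next_seq = [], 10
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(("!", "ip access-list", "Extended IP", "remark")):
            continue
        tok = line.split()
        seq = int(tok.pop(0)) if tok[0].isdigit() else next_seq
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        dport = icmp = None
        if i < len(tok) and tok[1] == "icmp":
            icmp = tok[i]
        elif i < len(tok) and tok[i] == "eq":
            dport = int(tok[i + 1]) if tok[i + 1].isdigit() else NAMED_PORTS[tok[i + 1]]
        entries.append(Entry(seq, tok[0], tok[1], src, dst, dport, icmp))
        next_seq = seq + 10
    return entries


def _matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in e.src and ipaddress.ip_address(p.dst) in e.dst
            and e.dport in (None, p.dport) and e.icmp in (None, p.icmp))


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; no match falls through to IOS's implicit deny."""
    for e in acl:
        if _matches(e, p):
            return e.action, e.seq
    return "deny", None


def evaluate_in_on_guest_svi(acl: List[Entry], p: Packet, guest: str = "192.168.50.0/24"):
    """An ACL applied 'in' on the guest SVI only sees packets arriving from the guest
    VLAN; server-to-guest traffic leaves that SVI outbound and is never evaluated."""
    if ipaddress.ip_address(p.src) not in ipaddress.ip_network(guest):
        return "not-evaluated", None
    return evaluate(acl, p)


def shadowed(acl: List[Entry]) -> List[int]:
    """Sequence numbers of entries an earlier, broader entry already covers
    (e.g. 'permit ip any any' placed above the deny), so they can never match."""
    return [e.seq for n, e in enumerate(acl)
            if any(prev.proto in ("ip", e.proto) and e.src.subnet_of(prev.src)
                   and e.dst.subnet_of(prev.dst) and prev.dport in (None, e.dport)
                   and prev.icmp in (None, e.icmp) for prev in acl[:n])]


# Subset of ACL_001 from the thread; 172.20.1.140 stands in for one of the "xxx" web servers.
ACL_001 = """
ip access-list extended ACL_001
  permit udp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq 67
  permit udp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq 53
  permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq 53
  permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.140 eq 80
  permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.140 eq 443
  deny ip 192.168.50.0 0.0.0.255 172.20.1.0 0.0.0.255
  permit ip any any
"""
# Subset of the Guest-Allowed list, as 'show ip access-lists' prints it.
GUEST_ALLOWED = """
Extended IP access list Guest-Allowed
90 permit udp any host 172.20.1.46 eq domain
110 permit udp any host 172.20.1.109 eq bootpc
120 permit udp any host 172.20.1.109 eq bootps
150 permit icmp any any echo
180 deny ip any 172.20.1.0 0.0.0.255
190 permit ip any any
"""


def run_checks() -> dict:
    acl1, acl2 = parse_acl(ACL_001), parse_acl(GUEST_ALLOWED)
    g, other = "192.168.50.23", "172.20.1.200"   # constructed guest host / unlisted server
    return {
        "dhcp": evaluate(acl1, Packet("udp", g, "172.20.1.100", dport=67)),
        "dns_tcp": evaluate(acl1, Packet("tcp", g, "172.20.1.115", dport=53)),
        "ssh_other": evaluate(acl1, Packet("tcp", g, other, dport=22)),
        "internet": evaluate(acl1, Packet("tcp", g, "203.0.113.10", dport=443)),
        "server_pings_guest": evaluate_in_on_guest_svi(acl1, Packet("icmp", "172.20.1.100", g, icmp="echo")),
        "guest_pings_other": evaluate(acl2, Packet("icmp", g, other, icmp="echo")),   # seq 150 wins over 180
        "dhcp_renew": evaluate(acl2, Packet("udp", g, "172.20.1.109", dport=67)),     # bootps, not bootpc
        "shadowed_if_reordered": shadowed(parse_acl(ACL_001.replace("  deny ip", "  permit ip any any\n  deny ip"))),
    }
```

Calling run_checks() returns the verdict and matching sequence number for each sample flow. Two results are worth noting against the thread: a ping from a DHCP server toward the guest VLAN comes back as not-evaluated, because an inbound ACL on the VLAN 50 SVI only inspects traffic arriving from the guest side (control the reverse direction on the server-side interface or with an outbound ACL); and with Guest-Allowed, a guest ping to any server in 172.20.1.0/24 is permitted by sequence 150 before the deny at 180 is ever reached.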

Hello
Just to confirm: you would like any host from the guest VLAN to access the 4 servers below on those specific ports, and then deny all other access to these servers from the guest VLAN.

 

172.20.1.100 - 172.20.1.101  allow port access for dhcp, http, https

172.20.1.115 - 172.20.1.116 allow port access for dns, http, https

 

Do you wish for the servers to be able to initiate any connection towards the guest vlan?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul