
setting ACL in switch l3

Roza12
Level 1

i have guest vlan 50 192.168.50.0/24

servers in subnet 172.20.1.0/24

and i want to allow the guest vlan to access only the following from this range of servers (172.20.1.0/24):

1- dhcp servers (172.20.1.100, 172.20.1.101)

2- dns (172.20.1.115, 172.20.1.116)

3- other 4 servers using ports 443/80

then deny access to the rest of the servers in range 172.20.1.0/24

The rest should just be open, so the ASA would be able to control access to DMZ, etc.:

then permit access to internet or permit any any

so please help, how should i do that without making any errors?

22 Replies

For DHCP and DNS I only allowed bootpc and domain

My goal is to prevent any Guest IP from accessing all servers except 4 servers

If I want to deny access from the servers to the guest I should do

deny ip 172.20.1.0 0.0.0.255 192.168.50.0 0.0.0.255

 

Yes, adding that deny statement after your specific permit statements (for DHCP, DNS, etc) will give you that result.

 

Cheers,

Seb.

Last question

Regarding DHCP:

What's the difference between the commands below, and which one would be better to use?

permit udp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq bootpc
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.101 eq bootpc

And

permit udp any any eq bootps

Hello


@Roza12 wrote:

For DHCP and DNS I only allowed bootpc and domain

 

My goal is to prevent any Guest IP from accessing all servers except 4 servers


Then you should filter the access from the server vlan NOT the guest vlan


example:
ip access-list extended guestvlan_access
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.100 range www 443
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq domain
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.100 eq bootps
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.101 range www 443
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.101 eq domain
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.101 eq bootps
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.115 range www 443
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq domain
permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.116 range www 443
permit udp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq domain
deny ip 192.168.50.0 0.0.0.255 any
permit ip any any

int vlan xx
description Server vlan
ip access-group guestvlan_access out


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Why out???

From the guest going to the server, so it should be in, am I right???

Hello


@Roza12 wrote:

Why out ???


SVI ACL logic

IN = originating from within the vlan going out

OUT = originating from outside the vlan coming in



Kind Regards
Paul

Nicely summarized. Thanks for this.

Paul, with all respect it is best practice to filter traffic as close to the source as possible, hence suggesting an inbound ACL on the guest_vlan SVI.

 

Cheers,

Seb.
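Putting the thread's policy together as one inbound ACL on the guest SVI (Seb's "filter as close to the source as possible", using Paul's in/out logic), as an added example that is not from any poster in this thread. The SVI name and address, the ip helper-address setup and the four web-server addresses 172.20.1.10-13 are assumptions, since the thread never gives them.

```cisco
! Added example, not from any poster in this thread. Assumed: the guest SVI is
! interface Vlan50 at 192.168.50.1 with ip helper-address to the DHCP servers;
! the four web servers are placeholders 172.20.1.10-13 (the thread never names
! them). Inbound on the guest SVI means "from guests"; return traffic from the
! servers arrives on the server VLAN and is not evaluated by this list.
ip access-list extended GUEST_VLAN_IN
 remark -- DHCP: the client sends from UDP 68 (bootpc) to UDP 67 (bootps).
 remark -- Discover/Request are broadcast (source 0.0.0.0 or the lease) before
 remark -- the SVI relays them, so a line matching only "host 172.20.1.100"
 remark -- never sees them; renewals are unicast to the server on port 67.
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 permit udp 192.168.50.0 0.0.0.255 eq bootpc host 255.255.255.255 eq bootps
 permit udp 192.168.50.0 0.0.0.255 eq bootpc host 172.20.1.100 eq bootps
 permit udp 192.168.50.0 0.0.0.255 eq bootpc host 172.20.1.101 eq bootps
 remark -- DNS to the two resolvers only (UDP and TCP 53)
 permit udp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq domain
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.115 eq domain
 permit udp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq domain
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.116 eq domain
 remark -- web on the four permitted servers: "eq www" and "eq 443" rather than
 remark -- "range www 443", which would also open TCP 81-442
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.10 eq www
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.10 eq 443
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.11 eq www
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.11 eq 443
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.12 eq www
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.12 eq 443
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.13 eq www
 permit tcp 192.168.50.0 0.0.0.255 host 172.20.1.13 eq 443
 remark -- everything else in the server subnet is blocked; "log" makes the
 remark -- hit counters and syslog show which guests tried the other servers
 deny   ip 192.168.50.0 0.0.0.255 172.20.1.0 0.0.0.255 log
 remark -- guests reach the internet; the ASA controls DMZ access downstream
 permit ip 192.168.50.0 0.0.0.255 any
!
interface Vlan50
 description Guest vlan
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 172.20.1.100
 ip helper-address 172.20.1.101
 ip access-group GUEST_VLAN_IN in
!
! Verify after a guest leases an address and browses: each permit line should
! show matches and the deny line should only count unexpected attempts.
! show ip access-lists GUEST_VLAN_IN
```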
