stack WS-C3850-12XS-E (ACL Question)

Roza12
Level 1

Hi

I want to create a named ACL to prevent the guest network (in the HQ office) from accessing the servers in the data centers; only the DHCP, DNS and Exchange servers should be allowed.

 

1- Guest network configured as VLAN 50 ---- IP address: 192.168.50.0/23

2- DHCP servers --- IP addresses: 172.16.10.109 and 172.16.10.110

3- DNS servers ---- IP addresses: 172.16.10.46 and 172.16.10.47

4- Exchange servers --- IP addresses: 172.16.10.180, 172.16.10.181 and 172.16.10.182

---------------------------------------------------------------------------------

Topology

 

HQ office (stack WS-C3850) --connects to 2 switches--->

1- DC1: WS-C3650 stack (some of the servers are located here) ------> ASA (ACTIVE) in DC1 ----> ISP

2- DC2: WS-C3650 stack (the other servers are located here) -------> ASA (STANDBY) in DC2 ----> ISP

* The same ISP is connected to DC1 and DC2

* The HQ stack switch is connected to the DC switches using port channels

 

So what I tried to do is:

ip access-list extended vlan50_in
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.180
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.181
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.182
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.46
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.47
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.109
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.110
deny ip any any


ip access-list extended vlan50_out
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.180
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.181
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.182
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.46
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.47
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.109
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.110
deny ip any any

 

interface Vlan50
 ip access-group vlan50_in in
 ip access-group vlan50_out out

 -----------------------------------------------------------------

So is it configured the right way to prevent guests from accessing the servers?

Should the access-group be applied on VLAN 50, on the physical interfaces, or on the port channels?

And if I apply it, can the guest network still access the internet? If yes, what should be done to prevent that?

 

Thanks in advance


Seb Rupik
VIP Alumni

Hi there,

!
interface Vlan50
 ip access-group vlan50_in in
!

 

...is all you need to prevent your guest subnet from reaching anything (including the internet) except for the desired subset of servers.

You only need the ACL in the OUTBOUND direction if you want to prevent some device outside of the guest subnet from reaching your guest devices, but it would not be able to create a bi-directional stream anyway because you have the INBOUND ACL in place.

 

You may want to tighten the ACL and be quite specific about which ports the guest subnet can contact on the servers. Currently your ACL permits access to the entire port range on those servers.

 

cheers,

Seb.

Hi

Thanks for your reply

The guest subnet is configured as VLAN 50, and what I want is to prevent this subnet from accessing the servers in the data center except DHCP, DNS and Exchange,

but I need this guest subnet to have access to the internet.

So please can you explain more? I didn't get you.

Ah I misunderstood, I thought you wanted to block internet access too! In which case try the following ACL in the inbound direction. 

 

!
ip access-list extended vlan50_in
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.180
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.181
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.182
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.46
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.47
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.109
permit ip 192.168.50.0 0.0.1.255 host 172.16.10.110
deny ip 192.168.50.0 0.0.1.255 10.0.0.0 0.255.255.255
deny ip 192.168.50.0 0.0.1.255 172.16.0.0 0.15.255.255
deny ip 192.168.50.0 0.0.1.255 192.168.0.0 0.0.255.255
permit ip any any
!

 

Since I don't know what your internal address space looks like, I have opted to block the entire RFC1918 address blocks, so any traffic destined to the internet (public IPs) will be permitted.

 

cheers,

Seb.

Hi

 

1-
deny ip 192.168.50.0 0.0.1.255 10.0.0.0 0.255.255.255 //// which subnet do you mean? Is it for the core switch?
And is this configuration standard, because the 2 networks are not specific?

2-
deny ip 192.168.50.0 0.0.1.255 172.16.0.0 0.15.255.255 /// this subnet is for the servers; will it deny everything except what we permitted first?
3-
deny ip 192.168.50.0 0.0.1.255 192.168.0.0 0.0.255.255 // why did you deny the same subnet as the guest?

 

What about the VLAN outside? Do we need to configure it?

And where will we apply the access-list?

1) As I don't know what your address space looks like, I blocked traffic to 10.0.0.0/8. If that subnet does not feature in your network then it is safe to remove.

2) Yes, the permit statements will be hit long before you reach this ACE. This ACE is a catch-all.

3) Ah, good catch. You do want to be able to access the gateway for the subnet. Intra-subnet traffic between guest devices will not go via the SVI so will not hit this ACE.

 

We now have the following:

 

!
ip access-list extended vlan50_in
 permit ip 192.168.50.0 0.0.1.255 host <vlan50_svi_ip>
 permit ip 192.168.50.0 0.0.1.255 host 172.16.10.180
 permit ip 192.168.50.0 0.0.1.255 host 172.16.10.181
 permit ip 192.168.50.0 0.0.1.255 host 172.16.10.182
 permit ip 192.168.50.0 0.0.1.255 host 172.16.10.46
 permit ip 192.168.50.0 0.0.1.255 host 172.16.10.47
 permit ip 192.168.50.0 0.0.1.255 host 172.16.10.109
 permit ip 192.168.50.0 0.0.1.255 host 172.16.10.110
 deny ip 192.168.50.0 0.0.1.255 10.0.0.0 0.255.255.255
 deny ip 192.168.50.0 0.0.1.255 172.16.0.0 0.15.255.255
 deny ip 192.168.50.0 0.0.1.255 192.168.0.0 0.0.255.255
 permit ip any any
!

 

Hi

ip access-list extended vlan50_in
 permit ip 192.168.50.0 0.0.1.255 host 172.16.10.180
 permit ip 192.168.50.0 0.0.1.255 host 172.16.10.181
 permit ip 192.168.50.0 0.0.1.255 host 172.16.10.182
 permit ip 192.168.50.0 0.0.1.255 host 172.16.10.46
 permit ip 192.168.50.0 0.0.1.255 host 172.16.10.47
 permit ip 192.168.50.0 0.0.1.255 host 172.16.10.109
 permit ip 192.168.50.0 0.0.1.255 host 172.16.10.110
 remark core switch subnet - physical
 deny   ip any 172.20.0.0 0.0.0.255
 remark port channel IPs
 deny   ip any 10.50.10.0 0.0.0.255
 remark servers
 deny   ip any 172.16.10.0 0.0.0.255
 permit ip any any

 

Why don't we just do this?

Why do we configure the SVI for VLAN 50 to be allowed and then deny it again? I didn't get the last point.

Technically your deny statements with an 'any' source are valid, but it is highly unlikely that an IP address from a subnet other than 192.168.50.0/23 would arrive inbound on the SVI. That said, the 'any' statement would mitigate the risk of IP spoofing by your guest devices.

 

Like I said at the beginning, I am opting to block all of the RFC1918 space because I do not know what subnets are in use. If you are telling me the only other subnets on your network are 172.16.10.0/24, 172.20.0.0/24 and 10.50.10.0/24, then yes, the ACL you are suggesting in your last post is correct.

 

Cheers,

Seb.
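As an added illustration that is not part of the thread, the following Python models IOS first-match ACL evaluation with wildcard masks and runs both Seb's RFC1918 catch-all ACL and the poster's subnet-specific ACL against sample flows, including the two cases where they differ (an internal subnet that is not in the poster's list, and a packet with a non-guest source address, which is the spoofing point raised in the last reply). The SVI address 192.168.50.1 and the sample hosts are assumptions; the thread only writes <vlan50_svi_ip>.

```python
import ipaddress

def _parse(spec):
    """IOS address spec ('any', 'host A.B.C.D' or 'A.B.C.D wildcard') -> ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    first, second = spec.split()
    addr, wildcard = (second, "0.0.0.0") if first == "host" else (first, second)
    # An IOS wildcard mask is the bitwise inverse of a subnet mask (contiguous masks assumed)
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def ace(action, src, dst):
    return (action, _parse(src), _parse(dst))

def evaluate(acl, src, dst):
    """First match wins; an unmatched packet hits the implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action
    return "deny"

GUEST = "192.168.50.0 0.0.1.255"
SVI = "192.168.50.1"  # assumed gateway address; the thread only writes <vlan50_svi_ip>
SERVERS = ["172.16.10.180", "172.16.10.181", "172.16.10.182",
           "172.16.10.46", "172.16.10.47", "172.16.10.109", "172.16.10.110"]
SERVER_PERMITS = [ace("permit", GUEST, f"host {h}") for h in SERVERS]
# Seb's version: deny the whole RFC1918 space, then let everything else (internet) through
ACL_RFC1918 = [ace("permit", GUEST, f"host {SVI}")] + SERVER_PERMITS + [
    ace("deny", GUEST, "10.0.0.0 0.255.255.255"),
    ace("deny", GUEST, "172.16.0.0 0.15.255.255"),
    ace("deny", GUEST, "192.168.0.0 0.0.255.255"),
    ace("permit", "any", "any"),
]
# The poster's version: only the three known internal subnets, with an 'any' source
ACL_SPECIFIC = SERVER_PERMITS + [
    ace("deny", "any", "172.20.0.0 0.0.0.255"),
    ace("deny", "any", "10.50.10.0 0.0.0.255"),
    ace("deny", "any", "172.16.10.0 0.0.0.255"),
    ace("permit", "any", "any"),
]

def compare(src, dst):
    # Verdict of both ACLs for one flow: (rfc1918_version, specific_version)
    return evaluate(ACL_RFC1918, src, dst), evaluate(ACL_SPECIFIC, src, dst)

if __name__ == "__main__":  # demo: guest -> Exchange, guest -> an unlisted internal subnet
    for src, dst in [("192.168.50.10", "172.16.10.180"), ("192.168.50.10", "172.31.5.5")]:
        print(src, "->", dst, compare(src, dst))
```

The specific version only stays equivalent to the catch-all while the three listed subnets remain the only internal ones; any subnet added later is reachable from the guest VLAN until the ACL is updated.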