08-19-2009 04:12 AM - last edited on 03-25-2019 04:07 PM by ciscomoderator
Hi,
I have an interesting question. I have a Catalyst 6006 with an MSFC card. I run, say, 4 VLANs.
I want to, say, block VLAN 3 from the rest but allow, say, a VLAN 3 machine to access HTTPS and DNS. What is the best and most secure way of doing it? I seem to have to make two groups, in and out, on my router before traffic will flow?
ip access-list standard Events
permit 10.1.3.0 0.0.0.255
deny 10.0.0.0 0.255.255.255
permit any
interface vlan 3
ip access-group Events in
ip access-group Events out
Seems an odd way to get an ACL to work? Having to do in and out duplication??
Another one, say, to lock it down better:
ip access-list extended Events-IN
permit udp host 10.1.3.6 gt 1024 any eq domain
permit tcp host 10.1.3.6 any eq 443
deny ip 10.1.3.0 0.0.0.255 any
permit ip any any
ip access-list extended Events-OUT
permit udp any eq domain host 10.1.3.6 gt 1024
permit tcp any eq 443 host 10.1.3.6
deny ip any 10.1.3.0 0.0.0.255
permit ip any any
interface vlan 3
ip access-group Events-IN in
ip access-group Events-OUT out
Why do I have to do it like this? Isn't this pointless?? If I only apply Events-IN, no traffic seems to go through.
Am I misunderstanding things ?
Thanks for any help
Ed
08-19-2009 05:54 AM
If you're really only concerned about your ACL allowing traffic for HTTPS and DNS from VLAN 3 but nothing else, try:
ip access-list ext VLAN3
permit tcp 10.1.3.0 0.0.0.255 any eq https
permit udp 10.1.3.0 0.0.0.255 any eq domain
deny ip any any
Apply it inbound on VLAN3 only.
int vlan3
ip access-group VLAN3 in
If you're using outbound ACLs on your SVI, try taking them off if you're using them for this purpose and nothing else.
HTH,
John
08-25-2009 01:33 PM
Hi,
Thanks for the reply. However, when I try to place an incoming data packet, I have to place it in both directions.
How would someone, say, have HTTPS coming from the VLAN and, say, VNC going into the VLAN?
Thanks
Ed
08-19-2009 06:44 AM
You can also apply something like this.
ip access-list extended VLAN_3_FILTER
permit tcp any any eq www
permit tcp any eq www any
permit tcp any any eq 53
permit tcp any eq 53 any
vlan access-map VLAN_3_MAP 10
match ip address VLAN_3_FILTER
action forward
vlan access-map VLAN_3_MAP 20
action drop
vlan filter VLAN_3_MAP vlan-list 3
Of course, you can be more specific with the ACL, but that's just an example.
09-07-2009 04:36 AM
Hi,
Does anyone have any pointers on this, as I'm confused?
Thanks
Ed
09-07-2009 04:51 AM
Exactly as above:
permit tcp any any eq www
permit tcp any eq www any
permit tcp any any eq 53
permit tcp any eq 53 any
permit tcp any any eq 5900 (or whatever port you use for VNC)
09-07-2009 04:59 AM
Hi,
Okay - what I don't understand is that with an ACL on a PIX firewall I only have to make the entry for the traffic going out. I.e., if I was a client on the VLAN I would only need to have
permit tcp any any eq www
So why do I also have to have the reverse?
permit tcp any eq www any ?? The logic doesn't seem right; this is just duplicating workloads?
Thanks
Ed
09-07-2009 05:08 AM
You can allow the traffic out of the VLAN, but without adding the reverse the traffic will never get back to the PC and will be dropped by the "action drop" command, as mentioned by John previously:
vlan access-map VLAN_3_MAP 20
action drop
Cheers
Matt
09-07-2009 05:20 AM
Hi,
Thanks again for making this clearer.
Okay, so every time I add an outgoing connection such as www I also have to add the reverse of it.
Is this not a security flaw in the design? This would mean that if an internal VLAN PC needs to access the internet (0.0.0.0 - any, etc.), I have to add the reverse for it coming in. Which in turn means anyone on another VLAN, etc., which has the same privileges, i.e. access to any, could get into the internal web server of that machine??
My problem, in my mind, is that for a system it seems overly complicated, a mass of admin, and prone to user errors and other problems.
Why is it different from a PIX-style ACL? A PIX would automatically open the incoming part of those packets, therefore a PIX is much more secure?
Thanks
Ed
09-07-2009 05:44 AM
The PIX uses CBAC to open the port dynamically, I think.
You wouldn't give the VLAN access to the internet; just tweak the access-list to allow certain ports to talk to your proxy server, etc., then reverse it to allow the proxy server to talk to the internal IPs.
You are, however, correct:
the command
permit tcp any any eq www
will permit traffic in both directions using port 80.
You need to use it in both directions when you are getting granular with the server addresses you wish to use, etc.
I.e.
permit tcp 192.168.0.0 0.0.0.255 any eq www
This will only allow traffic out and will not permit the traffic back in.
Regards
Matt
09-07-2009 06:18 AM
Okay - so to clarify, using, say,
permit tcp 192.168.0.0 0.0.0.255 any eq www
www would not work unless I added
permit tcp any eq www 192.168.0.0 0.0.0.255
Thanks
Ed
09-07-2009 06:21 AM
To clear things up a little: the purpose of a VACL is so you can permit or deny traffic INSIDE your VLAN itself (machines in the same layer 2 domain). When you said "deny VLAN 3 and permit DNS, etc." I took this as something you wanted. If you are just looking at traffic going in and out of VLAN 3, then you can just use "ip access-group OUTSIDE out / INSIDE in" statements on the VLAN 3 SVI. If you are just worried about inbound traffic, then just use an access-group inbound on the VLAN. A Cisco PIX would use zone-based firewall services. It inspects traffic going outbound and permits it back in dynamically. Let me know if this answered your questions. Let me know if I can be of more assistance. Thanks
09-07-2009 06:28 AM
Hi,
I really want, for instance, to lock a VLAN down so that the internal PCs in that VLAN can access NTP and DNS, but people on another VLAN, for instance, can access VNC on those PCs (5090, I think, from memory).
Thanks for helping clear my muddled mind (I have read all the Cisco blurb and do use a lot of Cisco, but hey, perhaps I've just read too much ;))
Thanks
Ed
09-07-2009 06:30 AM
Oh yeah... of course it is ;-)
I overcomplicated it in my head too.
Though, with the ACLs you will need to explicitly permit both ways if you restrict it fully using source and dest addresses.
Matt
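A worked model of the two mechanisms the thread compares, added here as an example and not configuration or code from any of the posters: a router ACL (RACL) applied "in" and "out" on the VLAN 3 SVI, as in John's answer, versus a VACL that sees every packet in the VLAN, as in the vlan access-map answer Matt explains. The model applies the semantics the thread describes (first matching entry wins, implicit deny at the end of every list, a direction with no list permits everything) to the same constructed flows Ed asks about: HTTPS out of VLAN 3 and its reply, VNC into VLAN 3 from a hypothetical VLAN 4 (10.1.4.0/24) and its reply, and an outside host (198.51.100.10) using source port 443 to reach VNC, which is the hole Ed describes. The addresses, ports and packets are constructed; the IOS `established` keyword is modeled as "ACK or RST set". `established` in an SVI ACL is an ordinary IOS extended-ACL keyword; whether a given switch accepts it inside a VACL is something to check against that platform's documentation.

```python
"""Stateless ACL model: router ACLs on the VLAN 3 SVI versus a VACL, and why
the 'reverse' entry keeps coming up.  Added example, not configuration from
the thread.  All addresses, ports and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

ANY, VLAN3 = "0.0.0.0/0", "10.1.3.0/24"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK/RST set: what the IOS 'established' keyword matches


@dataclass(frozen=True)
class Ace:
    """Ace("permit", "tcp", VLAN3, ANY, dport=443) models
    'permit tcp 10.1.3.0 0.0.0.255 any eq 443'."""
    action: str         # "permit" or "deny"
    proto: str          # "ip" (any protocol), "tcp" or "udp"
    src: str            # CIDR; ANY is 0.0.0.0/0
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and IPv4Address(p.src) in IPv4Network(self.src)
                and IPv4Address(p.dst) in IPv4Network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and (not self.established or (p.proto == "tcp" and p.ack)))


def acl_allows(acl: List[Ace], p: Packet) -> bool:
    """First matching entry wins; an IOS ACL ends in an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


def svi_forwards(acl_in: Optional[List[Ace]], acl_out: Optional[List[Ace]], p: Packet) -> bool:
    """RACL on the SVI: packets sourced in VLAN 3 hit the 'in' list, packets
    heading into VLAN 3 hit the 'out' list; a direction with no list permits all."""
    acl = acl_in if IPv4Address(p.src) in IPv4Network(VLAN3) else acl_out
    return True if acl is None else acl_allows(acl, p)


def vacl_forwards(acl: List[Ace], p: Packet) -> bool:
    """VACL: no direction, so both halves of every conversation hit the same list."""
    return acl_allows(acl, p)


# Constructed packets: a VLAN 3 host's HTTPS request and the server's reply, a
# VLAN 4 admin opening VNC into VLAN 3 and the VNC reply, and an outside host
# using source port 443 to reach VNC on the VLAN 3 host.
HTTPS_REQ = Packet("tcp", "10.1.3.6", 40000, "198.51.100.10", 443)
HTTPS_REPLY = Packet("tcp", "198.51.100.10", 443, "10.1.3.6", 40000, ack=True)
VNC_IN = Packet("tcp", "10.1.4.5", 40002, "10.1.3.6", 5900)
VNC_REPLY = Packet("tcp", "10.1.3.6", 5900, "10.1.4.5", 40002, ack=True)
FAKE_443 = Packet("tcp", "198.51.100.10", 443, "10.1.3.6", 5900)

# John's list, applied inbound only: only HTTPS and DNS may leave VLAN 3.
JOHN_IN = [Ace("permit", "tcp", VLAN3, ANY, dport=443),
           Ace("permit", "udp", VLAN3, ANY, dport=53),
           Ace("deny", "ip", ANY, ANY)]
# Restricting what enters VLAN 3 with an 'out' list puts each permitted flow's
# reverse half on the opposite list: server replies on 'out', VNC replies on
# 'in'.  'established' stops the reverse entries from accepting new connections.
LOCK_OUT = [Ace("permit", "tcp", ANY, VLAN3, established=True),
            Ace("permit", "udp", ANY, VLAN3, sport=53),
            Ace("permit", "tcp", "10.1.4.0/24", VLAN3, dport=5900),
            Ace("deny", "ip", ANY, ANY)]
LOCK_IN = JOHN_IN[:2] + [Ace("permit", "tcp", VLAN3, "10.1.4.0/24", sport=5900,
                             established=True)] + JOHN_IN[2:]
# VACL variants: one direction only, reverse entry without 'established', with it.
DENY_ALL = Ace("deny", "ip", ANY, ANY)
VACL_ONE_WAY = [Ace("permit", "tcp", VLAN3, ANY, dport=443), DENY_ALL]
VACL_REVERSE = [VACL_ONE_WAY[0], Ace("permit", "tcp", ANY, VLAN3, sport=443), DENY_ALL]
VACL_EST = [VACL_ONE_WAY[0], Ace("permit", "tcp", ANY, VLAN3, sport=443, established=True), DENY_ALL]

DESIGNS = {
    "racl_in_only": lambda p: svi_forwards(JOHN_IN, None, p),
    "racl_locked": lambda p: svi_forwards(LOCK_IN, LOCK_OUT, p),
    "vacl_one_way": lambda p: vacl_forwards(VACL_ONE_WAY, p),
    "vacl_reverse": lambda p: vacl_forwards(VACL_REVERSE, p),
    "vacl_est": lambda p: vacl_forwards(VACL_EST, p),
}


def scenario(design: str) -> dict:
    """Forwarding decision for each constructed packet under one ACL design."""
    f = DESIGNS[design]
    return {"https_req": f(HTTPS_REQ), "https_reply": f(HTTPS_REPLY),
            "vnc_in": f(VNC_IN), "vnc_reply": f(VNC_REPLY), "fake_443": f(FAKE_443)}


if __name__ == "__main__":
    for name in DESIGNS:
        print(f"{name:13} {scenario(name)}")
```

Running it shows the distinction the thread circles around. With John's list inbound only, the HTTPS reply reaches 10.1.3.6 with no "out" entry at all, because there is no "out" list to drop it; what breaks is the VLAN 3 host's VNC reply, which leaves VLAN 3 through the "in" list and is denied there, so a flow initiated from outside needs its reverse half on the "in" list. The VACL has no direction, so even the HTTPS reply needs a reverse entry. A reverse entry written as `permit tcp any eq 443 10.1.3.0 0.0.0.255` accepts the forged source-port-443 packet to VNC (`fake_443` is True), which is exactly the exposure Ed objects to; adding `established` to the reverse entries keeps the replies flowing while dropping that packet, and on a platform with reflexive ACLs or CBAC (`ip inspect`) the reverse entries can be generated dynamically instead.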