VLAN Based ACL

faamin011
Level 1

I would like to implement a one-way ACL between VLANs, meaning VLAN 20 should be able to communicate with VLAN 10, but VLAN 10 should not be able to initiate a connection to VLAN 20.

The ACL that gives me the result I want is:

ip access-list extended ACL
 ! permit TCP packets from VLAN 10 that already carry the ACK bit (replies)
 permit tcp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 ack
 ! drop remaining TCP packets carrying SYN, i.e. connection attempts from VLAN 10
 deny tcp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 syn

int vlan 10
 ip address 10.23.23.1 255.255.255.0
 ip access-group ACL in

int vlan 20
 ip address 10.50.50.1 255.255.255.0

(Switch: 3750X, IP Services)

25 Replies

Just as an example, you could try an extended ACL with:

 permit tcp 10.10.10.0 0.0.0.255 any established

This way the 10.10.10.0/24 range may only communicate with "any" if "any" requested the connection.

For your situation, edit the ACL you provided in the starting topic with the line:

 permit tcp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 established

Sent from Cisco Technical Support iPad App

Elton Babcock
Level 1

I don't see anything on the data sheets. We have some 3750G series in our lab that I'll try the commands on to see whether they exist or not.

Otherwise I would recommend reflexive ACLs, or even regular ACLs that use the established keyword.

Given that traffic needs to be initiated in this secure VLAN, only TCP traffic coming back from the unsecured VLAN is permitted, if it has been established with the TCP 3-way handshake.

This doesn't apply to UDP traffic, as it is connectionless. You would need to specifically allow this traffic back through.

For a high-security LAN it would really be best practice to implement an actual firewall device. ACLs will work, just not as easily as the requirements expand.

If you need some help actually writing some ACLs, post some of your requirements and I can help.

Elton

Sent from Cisco Technical Support iPhone App

Roy: tested the ACL you mentioned, but no success at all.

    permit tcp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 established
    deny ip any any (4 matches)

The 10.23.23.0 subnet is able to communicate within itself but not with the 10.50.50.0 subnet, and vice versa.

Elton, a hardware firewall is recommended, but I don't have one right now and we have to do something on the existing infrastructure, which is a 3750X IP Services L3 switch...

I think an ACL can do this.

I thought of this ACL but haven't tested it yet; have a look.

If we want to stop VLAN 10 from opening connections to VLAN 20, then we need to block SYN from VLAN 10.

ip access-list extended test-in
 permit tcp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 ack
 deny tcp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 syn
 permit ip 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255
 deny ip any any log

int vlan 20
 ip access-group test-in in

All, advice please.

Elton Babcock
Level 1

What type of traffic did you initiate? 4 matches makes me assume you did a ping from a Windows machine.

This traffic wouldn't be considered TCP traffic by the ACL and would be blocked. The problem with the current ACL is that it doesn't care about ICMP and UDP traffic, which essentially doesn't do the TCP handshake.

Sent from Cisco Technical Support iPhone App

Yes, you are right, I did ping. Let me permit ICMP and then check again.

If you really want it secured down, you really need to determine what UDP and which types of ICMP need to pass. In this case you could technically permit only the echo-reply back through.

Sent from Cisco Technical Support iPhone App

Fared,

"Paul, hope this is clear: your ACL will provide limited access for VLAN 20 over 80/443/23, but VLAN 20 should have full access over all ports, while VLAN 10 shouldn't be able to make any connection toward VLAN 20."

This is incorrect. The ACL will allow all TCP traffic from VLAN 20, except protocols that require TCP/UDP, like DNS.

Below is the revised ACL from above, which would be applied to just one VLAN.

ip access-list extended vl10
 permit tcp any 10.23.23.0 0.0.0.255 established
 permit icmp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 echo
 permit icmp 10.50.50.0 0.0.0.255 10.23.23.0 0.0.0.255 echo-reply
 permit ip 10.50.50.0 0.0.0.255 x.x.x.x y.y.y.y   ! internet access, as pointed out by Cadet alain

int vlan 10
 ip access-group vl10 in


Paul

Please don't forget to rate this post if it has been helpful.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Your ACL will act like this:

10.50.50.0 ----> 10.23.23.0 (allow TCP connections only)

10.23.23.0 ----> 10.50.50.0 (deny return traffic)

10.23.23.0 <--> 10.50.50.0 (allow ICMP)

but what I want is like this:

10.50.50.0 ----> 10.23.23.0 (all traffic)

10.23.23.0 ----> 10.50.50.0 (deny all initiated connections)

What would be the ACEs to achieve this?

ACL # 1

ip access-list extended vl10
 permit tcp 10.50.50.0 0.0.0.255 10.23.23.0 0.0.0.255 established
 permit icmp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 echo
 permit ip 10.50.50.0 0.0.0.255 10.23.23.0 0.0.0.255

ACL # 2

ip access-list extended vl10
 permit icmp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 echo
 permit tcp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 ack
 deny tcp 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255 syn
 permit ip 10.23.23.0 0.0.0.255 10.50.50.0 0.0.0.255

Please advise which one will work perfectly according to the scenario.

Please respond.

Try this config I already proposed to you a few days ago, and edit it accordingly to permit any traffic that is denied and logged by the last ACE and that you know is needed for two-way reachability.

ip access-list extended ACL
 permit tcp any 10.50.50.0 0.0.0.255 established
 permit icmp any 10.50.50.0 0.0.0.255 echo-reply
 permit icmp any 10.50.50.0 0.0.0.255 time-exceeded
 permit icmp any 10.50.50.0 0.0.0.255 port-unreachable
 deny ip any any log

int vlan 10
 ip access-group ACL in

Alain

Don't forget to rate helpful posts.
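The behaviour argued over in this thread (Elton's point that the established keyword only helps TCP replies, the ping that showed up as four matches on the deny line, and Alain's ACL in the post above) can be checked offline with a small model. What follows is an added example written for this page; it is not Cisco code and not something any of the posters ran. It parses the subset of extended-ACE syntax used in the thread, evaluates constructed packets against Alain's ACL as applied inbound on interface vlan 10, and contrasts that with a simplified session tracker standing in for the reflexive-ACL or firewall option Elton recommends. The hosts 10.23.23.10 and 10.50.50.20, the ports and the packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    flags: frozenset = frozenset()   # TCP flags set on the packet: "syn", "ack", "rst"
    icmp_type: str = ""              # ICMP type name as IOS spells it ("echo", "echo-reply", ...)
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    qualifier: str                   # "", "established", "ack", "syn", "echo-reply", ...

def _parse_addr(tokens):
    # "any" or "A.B.C.D wildcard"; an IOS wildcard is a host mask, which ipaddress takes after "/".
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    mask = "32" if tokens[1] == "0.0.0.0" else tokens[1]   # 0.0.0.0 wildcard means a single host
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    aces = []
    for tokens in (line.split() for line in text.splitlines() if line.strip()):
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        aces.append(Ace(tokens[0], tokens[1], src, dst, rest[0] if rest else ""))
    return aces

def ace_matches(ace, pkt):
    if ace.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    q = ace.qualifier
    if ace.proto == "tcp":
        if q == "established":           # IOS semantics: ACK or RST bit set; no state is kept
            return bool({"ack", "rst"} & pkt.flags)
        if q in ("syn", "ack", "rst"):   # the bare flag keywords the first post uses
            return q in pkt.flags
    if ace.proto == "icmp" and q:
        return pkt.icmp_type == q
    return True                          # "ip" ACEs and unqualified ACEs match on addresses alone

def evaluate(aces, pkt):
    for ace in aces:                     # first match wins
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"                        # implicit 'deny ip any any' at the end of every ACL

class ReflexiveFilter:
    """Stateful contrast (reflexive ACL / firewall): untrusted packets pass only as the mirror of a session the trusted side opened."""
    def __init__(self, trusted_net):
        self.trusted = ipaddress.ip_network(trusted_net)
        self.sessions = set()
    def check(self, pkt):
        if ipaddress.ip_address(pkt.src) in self.trusted:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.icmp_type))
            return "permit"
        request_type = {"echo-reply": "echo"}.get(pkt.icmp_type, "")   # an echo-reply mirrors an echo
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport, request_type)
        return "permit" if reverse in self.sessions else "deny"

# Alain's final ACL, applied 'in' on interface vlan 10, so it filters what 10.23.23.x hosts send.
VLAN10_IN = """
permit tcp any 10.50.50.0 0.0.0.255 established
permit icmp any 10.50.50.0 0.0.0.255 echo-reply
permit icmp any 10.50.50.0 0.0.0.255 time-exceeded
permit icmp any 10.50.50.0 0.0.0.255 port-unreachable
deny ip any any
"""

# Constructed packets (hypothetical hosts), each sent by a VLAN 10 host towards a VLAN 20 host.
V10, V20 = "10.23.23.10", "10.50.50.20"
PACKETS = {
    "vlan10_opens_ssh":    Packet(V10, V20, "tcp", frozenset({"syn"}), sport=40000, dport=22),
    "vlan10_synack_reply": Packet(V10, V20, "tcp", frozenset({"syn", "ack"}), sport=445, dport=51000),
    "vlan10_ping":         Packet(V10, V20, "icmp", icmp_type="echo"),
    "vlan10_ping_reply":   Packet(V10, V20, "icmp", icmp_type="echo-reply"),
    "vlan10_dns_answer":   Packet(V10, V20, "udp", sport=53, dport=50000),
    "vlan10_forged_ack":   Packet(V10, V20, "tcp", frozenset({"ack"}), sport=40001, dport=445),
}

def stateless_results():
    aces = parse_acl(VLAN10_IN)
    return {name: evaluate(aces, pkt) for name, pkt in PACKETS.items()}

def stateful_results():
    # VLAN 20 legitimately opens SMB, a ping and a DNS query first; then the same six packets are checked.
    f = ReflexiveFilter("10.50.50.0/24")
    f.check(Packet(V20, V10, "tcp", frozenset({"syn"}), sport=51000, dport=445))
    f.check(Packet(V20, V10, "icmp", icmp_type="echo"))
    f.check(Packet(V20, V10, "udp", sport=50000, dport=53))
    return {name: f.check(pkt) for name, pkt in PACKETS.items()}
```

Compare stateless_results() with stateful_results(). The stateless ACL does what the thread asks for genuine TCP replies and drops the Windows ping (that is where the four matches on the deny line came from), but it also drops any UDP reply, and it passes the forged ACK-only packet because established looks at the ACK/RST bits of each packet in isolation: a VLAN 10 host can still send ACK probes into VLAN 20, and the RSTs that answer them travel in the unfiltered direction. The same forged packet also matches the permit tcp ... ack line of the first post. The session tracker rejects it while admitting the UDP and ICMP replies, which is the gap that a reflexive ACL or a real firewall closes and a plain ACL does not.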