Access Lists for VLANs


    OK, maybe it's because it's Friday, but I really would like to get this done quickly and I can't think straight... it's Friday.

    Anyway, I am in the process of implementing VLANs. And now on to the access lists. Below is essentially my setup.

    Eth 0/0- 192.168.0.0
    Eth 0/1- VLAN Interface
    192.168.1.0 - Management VLAN ***All no restrictions
    192.168.20.0 – IT VLAN ***All no restrictions
    192.168.30.0 – Sales VLAN ***Only 0.0 Network
    192.168.40.0 – Accounting VLAN ***Only 0.0 Network
    192.168.50.0 – Administration VLAN ***Acct, Sales, 0.0 Networks
    192.168.60.0 – Operations VLAN ***0.0 Network
    192.168.70.0 – Guest VLAN ***Only 0.0 Network
    For starters, I am working with the IT VLAN and the guest VLAN. As you can see, the IT VLAN will have no restrictions. But for the guest VLAN, I want to only allow ports 80, 443 and 110: basically only internet and mail, so without deny statements to all other networks. Should I write 3 extended access lists stating to allow only that traffic,
    i.e.
    access-list 101 permit....
    access-list 101 permit tcp any host 192.168.1.100 eq ftp
    or
    access-list 101 deny ip 192.168.70.0 0.0.0.255 192.168.20.0 0.0.0.255
    for all other VLANs....
    All that to find the most efficient and easy way to block guest VLAN traffic to all other VLANs.

    Thanks,
    Shimmy

    BTW...Happy Friday!
    Last edited by Shimmy; 28th August 2009, 16:28.

  • #2
    Re: Access Lists for VLANs

    Remember that there is an "implicit deny" statement at the end of an access list, so you only need to state the traffic that you want to permit.

    access-list 101 permit tcp 192.168.70.0 0.0.0.255 192.168.0.0 0.0.0.255 eq 80
    access-list 101 permit tcp 192.168.70.0 0.0.0.255 192.168.0.0 0.0.0.255 eq 443
    access-list 101 permit tcp 192.168.70.0 0.0.0.255 192.168.0.0 0.0.0.255 eq 110
    Last edited by BigDeesDad; 28th August 2009, 16:32.
    Infrastructure Architect
    CCNA, CCNA Security, MCSE, JNCIS



    • #3
      Re: Access Lists for VLANs

      On second thoughts, I got that wrong...

      If you only want to allow ports 80, 443 and 110 from the Guest VLAN, then it will be:

      access-list 101 permit tcp 192.168.70.0 0.0.0.255 eq 80 192.168.0.0 0.0.0.255
      access-list 101 permit tcp 192.168.70.0 0.0.0.255 eq 443 192.168.0.0 0.0.0.255
      access-list 101 permit tcp 192.168.70.0 0.0.0.255 eq 110 192.168.0.0 0.0.0.255

      That will only permit traffic from the source ports of 80, 443 and 110 from the guest VLAN, with all else denied.
      Infrastructure Architect
      CCNA, CCNA Security, MCSE, JNCIS

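The two ACL forms posted in #2 and #3 differ only in where `eq` sits, and that decides whether the port test applies to the source port or the destination port of each packet. The evaluator below is an added example, not code from the thread: it parses the numbered extended ACL syntax used in the posts (wildcard masks, `any`, `host`, `eq`), applies first-match semantics with the implicit deny at the end, and runs constructed guest-VLAN flows through both forms. The client address 192.168.70.25, the server 192.168.0.10, the IT host 192.168.20.5 and the ephemeral port 51234 are made up for the demonstration.

```python
"""Evaluate Cisco IOS numbered extended ACL lines against sample flows.

Added example, not from the thread. Handles the syntax used in the posts:
    access-list N permit|deny PROTO SRC [eq PORT] DST [eq PORT]
where SRC/DST is `any`, `host A.B.C.D`, or `A.B.C.D WILDCARD`.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Well-known port keywords IOS accepts in place of a number (subset).
PORT_NAMES = {"www": 80, "ftp": 21, "pop3": 110, "smtp": 25, "telnet": 23}


@dataclass
class Rule:
    action: str
    proto: str
    src: int
    src_wc: int
    sport: Optional[int]
    dst: int
    dst_wc: int
    dport: Optional[int]


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _take_addr(tok, i):
    """Consume an address spec at tok[i]; return (net, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def _take_port(tok, i):
    """Consume an optional `eq PORT` at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, src_wc, i = _take_addr(tok, 4)
        sport, i = _take_port(tok, i)      # `eq` right after the source = source port
        dst, dst_wc, i = _take_addr(tok, i)
        dport, i = _take_port(tok, i)      # `eq` after the destination = destination port
        rules.append(Rule(action, proto, src, src_wc, sport, dst, dst_wc, dport))
    return rules


def _match_addr(addr, net, wc):
    # Wildcard mask: 1 bits are "don't care", 0 bits must match the network.
    return ((addr ^ net) & (~wc & 0xFFFFFFFF)) == 0


def evaluate(rules, proto, src, sport, dst, dport):
    """Return (action, rule index) of the first match; ("deny", None) is the implicit deny."""
    for idx, r in enumerate(rules):
        if r.proto not in ("ip", proto):
            continue
        if not (_match_addr(_ip(src), r.src, r.src_wc) and _match_addr(_ip(dst), r.dst, r.dst_wc)):
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, idx
    return "deny", None


# ACL as posted in #2: `eq` follows the destination, so it tests the destination port.
ACL_DST_PORT = """
access-list 101 permit tcp 192.168.70.0 0.0.0.255 192.168.0.0 0.0.0.255 eq 80
access-list 101 permit tcp 192.168.70.0 0.0.0.255 192.168.0.0 0.0.0.255 eq 443
access-list 101 permit tcp 192.168.70.0 0.0.0.255 192.168.0.0 0.0.0.255 eq 110
"""
# ACL as posted in #3: `eq` follows the source, so it tests the source port.
ACL_SRC_PORT = """
access-list 101 permit tcp 192.168.70.0 0.0.0.255 eq 80 192.168.0.0 0.0.0.255
access-list 101 permit tcp 192.168.70.0 0.0.0.255 eq 443 192.168.0.0 0.0.0.255
access-list 101 permit tcp 192.168.70.0 0.0.0.255 eq 110 192.168.0.0 0.0.0.255
"""
# Constructed flows: a guest browser to HTTPS on a 0.0-network server, the same
# client aimed at an IT-VLAN host, and SSH to the server.
FLOWS = [
    ("tcp", "192.168.70.25", 51234, "192.168.0.10", 443),
    ("tcp", "192.168.70.25", 51234, "192.168.20.5", 443),
    ("tcp", "192.168.70.25", 51234, "192.168.0.10", 22),
]

if __name__ == "__main__":
    for label, text in (("#2 form", ACL_DST_PORT), ("#3 form", ACL_SRC_PORT)):
        rules = parse_acl(text)
        for flow in FLOWS:
            print(label, flow, "->", evaluate(rules, *flow))
```

Run it and compare the two forms on the first flow: a client uses a random high source port, so only the form that tests the destination port matches a browser session; the source-port form matches packets that leave the guest VLAN *from* port 80/443/110, i.e. replies from a web or POP3 server that lives inside the guest VLAN. The IT-VLAN and SSH flows fall through to the implicit deny in both cases, which is the point made in #2.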


      • #4
        Re: Access Lists for VLANs

        Someone is thinking on Friday....

        "Remember that there is an "implicit deny" statement at the end of an access list so you only need to state the traffic that you want to permit" - I forgot about that too..

        Thanks BigDees



        • #5
          Re: Access Lists for VLANs

          No problem Shimmy..

          Anyway, it's 16:44 on a Friday, shouldn't you be at home by now? Mind you, I can't talk, I'm at home and still working.
          Infrastructure Architect
          CCNA, CCNA Security, MCSE, JNCIS



          • #6
            Re: Access Lists for VLANs

            OK, that worked great for the Guest VLAN. I have decided to move forward and get the access lists ready for the VLAN implementation. Again, below is what I'm trying to accomplish and my setup:

            192.168.0.0-Eth0/0-Servers - Internet Gateways
            Eth0/1 - VLAN Interface
            192.168.1.1 - Management VLAN ***All no restrictions
            192.168.20.1 – IT VLAN ***All no restrictions
            192.168.30.1 – Sales VLAN ***Only 0.0 Network
            192.168.40.1 – Accounting VLAN ***Only 0.0 Network,
            192.168.50.1 – Administration VLAN ***Acct, Sales, 0.0 Networks
            192.168.60.1 – Operations VLAN ***0.0 Network
            192.168.70.1 – Guest VLAN ***Only 0.0 Network
            There has to be an easy way to configure these ACLs, so that I'm not applying a deny to each and every subnet that should not be accessed from other subnets. Of course, all VLANs should be able to access the internet.
            Thanks for all your help!



            • #7
              Re: Access Lists for VLANs

              Something just came to me. For the 0.0 network, would this statement work for the private VLANs to access it...

              ip access-list 0Network permit tcp any 192.168.0.0 0.0.0.255 (something like that) and then apply it to the 0/0 interface as an incoming ACL

              Would this work for the private VLANs that need to access this network???
              Last edited by Shimmy; 28th August 2009, 21:15.



              • #8
                Re: Access Lists for VLANs

                Quote (Shimmy): ip access-list 0Network permit tcp any 192.168.0.0 0.0.0.255 (something like that) and then apply it to the 0/0 interface as an incoming ACL

                This access list would allow any source range to access the 192.168.0.0/24 range, but you would have to apply it as an output filter to interface 0/0 and not an input. An input filter affects the traffic coming into the router from the 0/0 interface, and an output filter affects traffic going from the router out of that interface.

                Input - Ingress to the router
                Output - Egress from the router

                To make it more secure you would want something like:

                access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
                access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
                access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.0.255
                access-list 101 permit ip 192.168.40.0 0.0.0.255 192.168.0.0 0.0.0.255
                access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.0.255
                access-list 101 permit ip 192.168.60.0 0.0.0.255 192.168.0.0 0.0.0.255
                access-list 101 permit ip 192.168.70.0 0.0.0.255 192.168.0.0 0.0.0.255

                Extended access lists should always be applied as close to the source as possible, so if you have already applied VLAN filters you could say that you don't need to apply one to the 0/0 interface. You will have already filtered the traffic from your VLANs.
                Last edited by BigDeesDad; 29th August 2009, 09:21.
                Infrastructure Architect
                CCNA, CCNA Security, MCSE, JNCIS

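Putting #6 and #8 together: filter inbound on each VLAN's own router interface (close to the source), permit the few internal destinations that VLAN may reach, deny the rest of 192.168.0.0/16 with a single wildcard, and finish with `permit ip ... any` so the Internet, reached through the gateway on the 0.0 network, stays open. The generator below is an added example and not configuration from the thread; it turns the access matrix in #6 into one named extended ACL per restricted VLAN. Two things in it are assumptions: the Guest VLAN is limited to the TCP ports 80, 443 and 110 discussed earlier, and the ACL names (`SALES-IN`, `GUEST-IN`, ...) and the `ip access-group ... in` placement are mine, since the thread does not give VLAN IDs or subinterface names. The `established` lines are the check a practitioner wants before applying this: IOS ACLs are stateless, so TCP replies leaving a VLAN toward a network that was allowed to initiate into it would otherwise hit the deny.

```python
"""Generate per-VLAN inbound extended ACLs from the access matrix in post #6.

Added example (not from the thread). One ACL per restricted VLAN, meant to be
applied inbound on that VLAN's router (sub)interface so filtering is at the source.
"""

WILDCARD = "0.0.0.255"  # every network in the thread is a /24

NETS = {
    "Servers": "192.168.0.0",  # servers and Internet gateway (the "0.0 network")
    "Management": "192.168.1.0",
    "IT": "192.168.20.0",
    "Sales": "192.168.30.0",
    "Accounting": "192.168.40.0",
    "Administration": "192.168.50.0",
    "Operations": "192.168.60.0",
    "Guest": "192.168.70.0",
}

# Internal networks each VLAN may open connections to; None = no restrictions.
POLICY = {
    "Management": None,
    "IT": None,
    "Sales": ["Servers"],
    "Accounting": ["Servers"],
    "Administration": ["Servers", "Accounting", "Sales"],
    "Operations": ["Servers"],
    "Guest": ["Servers"],
}

# Assumption (not in the matrix): Guest only gets the TCP ports discussed earlier.
TCP_PORTS_ONLY = {"Guest": [80, 443, 110]}


def initiators_into(target):
    """VLANs allowed to open connections into `target` (unrestricted ones included)."""
    return [v for v, allowed in POLICY.items()
            if v != target and (allowed is None or target in allowed)]


def build_acl(vlan):
    """Return the IOS lines for `vlan`'s inbound ACL, or [] if it is unrestricted."""
    if POLICY[vlan] is None:
        return []
    src = f"{NETS[vlan]} {WILDCARD}"
    lines = [f"ip access-list extended {vlan.upper()}-IN"]
    ports = TCP_PORTS_ONLY.get(vlan)
    for dest in POLICY[vlan]:
        dst = f"{NETS[dest]} {WILDCARD}"
        if ports:
            lines += [f" permit tcp {src} {dst} eq {p}" for p in ports]
        else:
            lines.append(f" permit ip {src} {dst}")
    # ACLs are stateless: TCP replies to sessions opened *into* this VLAN also
    # pass this inbound ACL, so let segments with ACK/RST set ("established")
    # back out to every network that is allowed to initiate toward us.
    for peer in initiators_into(vlan):
        lines.append(f" permit tcp {src} {NETS[peer]} {WILDCARD} established")
    # One deny covers every other 192.168.x.0 network (wildcard 0.0.255.255) ...
    lines.append(f" deny ip {src} 192.168.0.0 0.0.255.255")
    # ... and anything beyond that (the Internet, via the 0.0 gateway) stays open.
    lines.append(f" permit ip {src} any")
    return lines


def build_all():
    """Map VLAN name -> ACL lines for every VLAN that needs one."""
    return {v: build_acl(v) for v in POLICY if POLICY[v] is not None}


if __name__ == "__main__":
    for vlan, lines in build_all().items():
        print("\n".join(lines))
        # Assumed placement: the interface/subinterface carrying this VLAN.
        print(f"! apply on the {vlan} VLAN interface with: ip access-group {vlan.upper()}-IN in\n")
```

Two caveats on what the generated ACLs do not cover. `established` only helps TCP; UDP or ICMP replies crossing back between VLANs (DNS answers, pings) need either explicit permits, reflexive ACLs, or a stateful feature such as CBAC (`ip inspect`) or the zone-based firewall. And a guest network allowed only TCP 80/443/110 to the servers cannot resolve names unless its DNS resolver is reachable some other way, so add UDP 53 to the resolver if that is where it lives.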
