ACL on 4507R VLANs
Hi All,
I wanted to implement a security ACL on a VLAN for a 4507R (IOS 12.24 EWA), i.e. I want to regulate the traffic to and from the VLANs.
However, when I implemented a normal extended ACL I was surprised to find that it was not acting as it should on a routed port or L2 port.
However, when I cross-checked in the config guide, I guess that it is a VLAN map that needs to be used rather than a normal ACL to filter traffic to and from a VLAN on the 4507R.
Am I correct over here or am I missing something out there?
Any help would be appreciable.
Kind Regards,
Wilson Samuel
Hi Bosalaza,
My query is:-
1. Is a VLAN map the only answer to filter traffic on 4507s?
2. Won't the traditional ACL implementation work on 4507s?
Regards,
Wilson SAmuel
Similar Messages
-
Hello !!
We have a Switch Catalyst 3550 - 12G
IOS : Version 12.2(25)SEA
I need to implement ACL security on VLANs, but it didn't work.
VLAN 11 Definition :
interface Vlan11
description VLAN - RED WAN
ip address 192.168.21.1 255.255.255.0
Interface association (g0/7) with VLAN 11 and extended ACL (ip1)
interface GigabitEthernet0/7
switchport access vlan 11
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 11
switchport mode dynamic desirable
ip access-group ip1 in
ACL definition :
ip access-list extended ip1
permit ip 192.168.70.0 0.0.0.255 any
deny ip any any
This configuration must allow IP communication between 192.168.70.0/24 and 192.168.21.0/24. However, it doesn't work.
Inter VLAN communication are ok.
Any Suggest ?
.... Switch Conf. attach
Tks.
John Nanez E.
Try putting it on the SVI for VLAN 11 (interface vlan 11). I don't think you can put it on an individual interface and have it work. Also, the way you wrote it you'll have to put it as "out" on the VLAN, because you are permitting an address from another network to the VLAN 11 address space; thus it would have to block the traffic "out" to the devices on VLAN 11.
-
I am trying to set up a home network for myself, basically for practice, that has two VLANs. One will be a secure VLAN with servers, domain access, etc. The other will just be an internet access VLAN.
I have an internet gateway, but only one, that needs to be shared by both VLANs. Currently I have everything set up fine so that I can access the internet from either VLAN. The only problem is I think that by opening a link between them to share the internet connection I am also opening a security risk. I need an ACL to allow only internet traffic from the second VLAN to be passed through.
My problem has been that anything I have tried either allows nothing to pass, or everything to pass. I was trying to do just a permit from any host to any host on http, and deny everything else.
Thanks for any help.
I have another question for you:
you said that you need to access server on 192.168.1.0/24 , from which subnet? are you connected on the same vlan? or coming from the internet?
somewhere in this network you are doing NAT right? so to get in , you would need a static NAT or outside NAT.
So, if you are coming from internet I think you'd need to set and ACL to permit only the IP you have.
But I guess you're inside VLAN 1 192.168.1.0/24, so basically you need to restrict traffic from 192.168.2.0/24 to reach 192.168.1.0/24.
You need an ACL on the fa0.2 blocking traffic like this:
ip access-list extended sec-traffic-out
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
int fa0.2
ip access-group sec-traffic-out in
I guess what could be confusing you is that your INTERNET gateway is on 192.168.1.0/24, but outgoing internet traffic will have layer3 destination addresses on a different subnet , like 200.0.0.0/8, so, it wont be blocked by the ACL.
HTH,
if it does, please rate this post,
Vlad
BTW, I think you don't need:
ip default-gateway, as it's used when you don't have routing configured (no ip routing).
Also, ip default-network has a specific use; I'm not sure you'd need it here either. -
Hi all and Merry Christmas to you.
So I have been off work for a few days now playing in my lab. I have configured a number of VLANs to separate Data, Voice, Servers, Games Consoles and Guest on my Cisco 1142. I know it may be a bit of overkill, but it's just me doing a bit of lab work and learning.
What I'm after doing now is setting up ACLs to deny the Guest and Games Console VLANs from accessing my LAN, and I'm not sure where to start. I want the consoles only to be able to connect to PSN and Xbox networks as well as my DHCP server, and the guest network to connect to the web but again not my LAN; this is for users who come round with phones and tablets.
My lab look like this:-
Broadband > Cisco RVS4000 (soon to be ASA) > WS-C3560 > 1142 AP.
My DHCP server is on VLAN 6 with an IP address of 192.168.6.241
VLANs are: -
interface Vlan5
description *****DATA VLAN*****
ip address 192.168.5.253 255.255.255.240
ip helper-address 192.168.6.241
interface Vlan6
description *****Servers*****
ip address 192.168.6.254 255.255.255.240
interface Vlan7
description *****VOICE*****
ip address 192.168.7.254 255.255.255.240
ip helper-address 192.168.6.241
interface Vlan8
description *****VOICE WIFI*****
ip address 192.168.8.254 255.255.255.240
ip helper-address 192.168.6.241
interface Vlan9
description *****WIFI CONSOLES*****
ip address 192.168.9.254 255.255.255.240
ip helper-address 192.168.6.241
interface Vlan10
description *****WiFi Home*****
ip address 192.168.10.254 255.255.255.240
ip helper-address 192.168.6.241
interface Vlan11
description *****WiFi Guest*****
ip address 192.168.11.254 255.255.255.240
ip helper-address 192.168.6.241
interface Vlan12
description *****Management*****
ip address 192.168.12.254 255.255.255.240
The AP config looks like:
dot11 ssid Console
vlan 9
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 094F4107170A051103
dot11 ssid Home
vlan 10
authentication open eap eap_methods
authentication network-eap eap_methods
guest-mode
mbssid guest-mode
interface Dot11Radio0.9
encapsulation dot1Q 9
ip helper-address 192.168.6.241
no ip route-cache
bridge-group 9
bridge-group 9 subscriber-loop-control
bridge-group 9 block-unknown-source
no bridge-group 9 source-learning
no bridge-group 9 unicast-flooding
bridge-group 9 spanning-disabled
interface Dot11Radio0.10
encapsulation dot1Q 10
ip helper-address 192.168.6.241
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
interface Dot11Radio0.12
encapsulation dot1Q 12 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
At the minutes I’m just trying to stop Console getting to the Home network before I move onto the rest
I have not got a clue where to start or where to place the ACL’s, would they be on the Switch or the AP itself?
Hope you can help me out.
Happy new year
Martyn
Here is a support document in regards to autonomous ACLs:
https://supportforums.cisco.com/docs/DOC-13768
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered" -
I am trying to understand the boundaries of a VLAN on a given switch. When a packet is passed from VLAN interface 1 to VLAN interface 2 on the same switch, if VLAN 2 has an inbound ACL denying this packet, would it get acted upon in this manner, or does the ACL only get introduced if the packet enters a physical interface?
A packet coming into a device from one interface and going out another interface does not pass two 'inbound' ACLs. It can pass two ACLs but one will be inbound and one will be outbound.
The situation is no different when you are using logical interfaces like SVI (L3 VLAN interfaces). In your case if you have an ACL defined inbound on VLAN 1 in the distribution switch then the packets coming into VLAN1 will be subject to inspection against the rules of this ACL. However, if there is no outbound ACL for VLAN 2 then packets leaving the distribution switch and going out of VLAN 2 to switch 2 will not be subject to any ACLs.
The concept of inbound and outbound is the same in case of both physical interfaces or logical interfaces. -
SFE2000 & ACL to stop VLAN traffic
Hi All,
I have setup a new SFE2000 switch to work in Layer 3 mode using the IP address 192.168.100.254 on VLAN 1
Additional VLAN's are:
VLAN2 192.168.102.x To be used for guest wireless access
VLAN3 192.168.103.x
VLAN4 192.168.104.x
I would like VLAN1, 2, 3 and 4 to be able to communicate with each other while VLAN2 (Guest) needs to be restricted from everything except web access and dhcp assignment from our server.
I have been playing with various ACL's in an effort to accomplish this but so far I have drawn a blank in getting this working.
Can any one draw any light to a managed switch newbie
Thanks in advance
James
I was able to get this working with ACLs and setting a static route from the router (in my case Sonicwall TZ 180) back to the SG300 network. I have enclosed screen shots of the config from the GUI. You need to bind the ACL to whatever
ports you want to filter the guest traffic either where they would connect a hard wired connection or where you would connect your Wireless AP. The ACL I have created allows VLAN 13 to get a DHCP address and communicate through DNS but nothing else. 192.168.9.254 is the Sonicwall router which I wanted on a different VLAN.
Hope this helps others with their setup. -
Hi,
I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
I have 3 web servers behind a router.
Public interface: 3 public ip adresses
Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
I would to know the best way to redirect http traffic to the right server.
My idea is to map a public address to a private address, via NAT, but I'm not sure for the configuration. I could also redirect via Policy-map and filter by url content.
So if you have some advise for this case, it would be really appreciated.
Thank you.
Chris.
Hello Christophe,
As I understand you want 1st that ;
if somebody go to A.local.com from internet then he will redirect to 192.168.1.10 in your internal network.
That means, you need static mapping between your public @ip address and your local ip address.
For this example, your local interface is Fa0/0.1, and I don't know your public interface because it is not mentioned in your diagram. I will suppose S0/0 for the public interface.
that is the config for the Web Server1. You can do the same with the remaining servers:
interface fa0/0.1
ip nat inside
interface serial0/0
ip nat outside
ip nat inside source static 192.168.1.10 172.1.2.3
static mapping from local to public.
I suppose you have done the DNS mapping in your network and the ISP has done the same in his network.
ip route 172.1.2.3 255.255.255.255 serial0/0
or
ip route 0.0.0.0 0.0.0.0 serial0/0
After these steps for each web server, you will get the mapping.
Now you can restrict access to this IP to only the HTTP or HTTPS protocol, on your ISP side and then on your local network,
like
ip access-list extended ACL_WebServer1
permit tcp any host 192.168.1.10 eq www
permit tcp any host 192.168.1.10 eq 443
deny ip any host 192.168.1.10
exit
interface fa0/0.1
ip access-group ACL_WebServer1 out
no shut
exit
That is the first step.
Second step : you want to filter traffic by url, that means layer 5 to 7 filtering.
I am not sure that it is possible using cisco router with (ZBF + Regex).
Check the first step and let us know !
Please rate and mark as correct if it is the case.
Regards, -
We are used Cisco 3750 Layer 3 Switch and linksys switch at Layer 2 level.
We are used total 10 VLAN, We want block all inter-vlan communication, So no body can access inter vlan .
All vlan can access server vlan
Thanks
Dinesh Chavan
Dinesh Chavan
Based on what you have told us one solution would be to configure an access list for each of the SVIs on your 3750 switch and apply it on the inbound direction for the interface. In the access list you would permit packets with source address in the vlan of that interface a destination of the server vlan. You would deny all other traffic. This would allow each vlan to communicate with the server vlan but not with any other vlan.
HTH
Rick -
ACL applied to Vlan interfaces
I have been working with access lists for a while now and I think I have a good knowledge of them. But the thing I'm still confused with is when you apply an ACL "in" and "out" to an SVI or VLAN virtual interface.
It seems like on these types of interfaces the directions change completely compared to the normal interfaces (ethernet, serial, etc.). The logic is different and sometimes I find myself in problems when I have to do some troubleshooting in my work.
I've tried to find some information or manuals on Cisco about this specific issue but unfortunately I couldn't find anything clear.
Is there some method to quickly know when these ACL should be applied in one direction or another?
Thanks for your time.
It's no different on an SVI: "in" means coming in from the network (user ports). "Out" means out towards the clients' network.
-
I need to create ACL to control access to 17 vlans
Hi,
We have created VLANs based on departments; each department has its own VLAN. As a result we have close to 17 VLANs, and this is in one site. We have 5 sites where all these VLANs exist but with different subnets. My question has two parts:
1> I need ideas on what to block and what to permit. For example: block all VLANs from accessing all VLANs except the server VLAN, block all VLANs from accessing the storage VLAN, allow internet traffic, permit the management VLAN to access all VLANs in one direction.
2> Now I have to write access lists for each VLAN; is there a way to ease the burden of creating 17*5 ACLs? For example, create a generic ACL and another one specific, but can I apply two access lists to one VLAN at the same time?
First of all, 17 VLANs is too much. I don't think there's a real need for such segregation. Should all 17 departments have their traffic separated from each other? Yeah, there might be a couple of departments with some highly secure traffic, but the others probably can go in one VLAN. If not, then having 17 VLANs with an ACL on each is going to be a real pain to manage. But if it's already done, I may suggest using some ACLs to protect really valuable resources from those who shouldn't have access to them. For example, you definitely should have ACLs on your server VLAN and storage VLAN. You can apply ACLs on these VLANs in the outbound direction and be really granular in what you permit there and what is prohibited. Second, you can apply the same to your management VLAN, as it's the other one with great value. But do you really have to restrict access from department A to department B if they kinda "have no secrets from each other"? So my point is that your decision should be based on what you're really going to protect, not on the fact that you're trying to separate everything from everything just for fun. Because again, if you separate everything with highly granular rules (i.e. host 1 from dept A should be allowed to host 1 from dept B but not host 2 from dept B, etc. for other departments) this whole ruleset will be unmanageable. Things should be kept as simple as possible.
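As an added example (not from this thread and not Cisco's own tooling), the following Python script generates the per-SVI inbound access lists that Rick describes for the 3750 above and that the 17-VLAN question asks about: each department VLAN may reach the server VLAN, may only answer sessions the management VLAN opens, is cut off from storage and from every other department, and keeps Internet access. The site table, subnets and list names are constructed.

```python
"""Generate one inbound SVI access list per department VLAN.

Added example, not from the forum thread. Emits Cisco IOS named extended
ACL syntax; the site/VLAN table below is constructed for illustration.
"""
import ipaddress

# Constructed sample topology for one site: (vlan_id, subnet, role).
# Roles "servers", "storage" and "mgmt" are the special VLANs the question names;
# everything else is a department VLAN.
SITE_VLANS = {
    "site1": [
        (100, "10.1.100.0/24", "servers"),
        (101, "10.1.101.0/24", "storage"),
        (102, "10.1.102.0/24", "mgmt"),
        (10,  "10.1.10.0/24",  "dept"),
        (11,  "10.1.11.0/24",  "dept"),
        (12,  "10.1.12.0/24",  "dept"),
    ],
}


def wc(cidr):
    """Render a CIDR as the IOS 'network wildcard' pair (wildcard = inverted mask)."""
    n = ipaddress.ip_network(cidr)
    return f"{n.network_address} {n.hostmask}"


def build_dept_acl(site, vlan_id, vlans):
    """Inbound ACL for one department SVI.

    'in' on interface VlanN filters packets sourced by hosts on VLAN N, so every
    ACE below matches on that VLAN's own subnet as source. Order matters: IOS
    takes the first match and ends every list with an implicit 'deny ip any any'.
    """
    me = next(v for v in vlans if v[0] == vlan_id)
    src = wc(me[1])
    by_role = {}
    for vid, cidr, role in vlans:
        by_role.setdefault(role, []).append(cidr)

    name = f"ACL-{site.upper()}-VLAN{vlan_id}-IN"
    lines = [
        f"ip access-list extended {name}",
        f" remark {site} vlan {vlan_id}: servers ok, answer mgmt, no other vlans, internet ok",
    ]
    # 1. Full access to the server VLAN(s).
    for cidr in by_role.get("servers", []):
        lines.append(f" permit ip {src} {wc(cidr)}")
    # 2. Management reaches us, we only answer: 'established' matches TCP ACK/RST,
    #    so this VLAN cannot open new TCP sessions toward management.
    for cidr in by_role.get("mgmt", []):
        lines.append(f" permit tcp {src} {wc(cidr)} established")
        lines.append(f" permit icmp {src} {wc(cidr)} echo-reply")
    # 3. Deny every other internal VLAN: storage, management initiation, other departments.
    for vid, cidr, role in vlans:
        if vid != vlan_id and role != "servers":
            lines.append(f" deny ip {src} {wc(cidr)}")
    # 4. Whatever is left (Internet) is permitted for this VLAN's own subnet only.
    lines.append(f" permit ip {src} any")
    lines.append(f"interface Vlan{vlan_id}")
    lines.append(f" ip access-group {name} in")
    return lines


def build_site(site, vlans):
    """Return {vlan_id: acl_lines} for every department VLAN at a site."""
    return {vid: build_dept_acl(site, vid, vlans)
            for vid, _cidr, role in vlans if role == "dept"}


if __name__ == "__main__":
    for site, vlans in SITE_VLANS.items():
        for vid, acl in build_site(site, vlans).items():
            print("\n".join(acl))
            print("!")
```

IOS accepts one ACL per interface per direction, so the generic part (servers, management, Internet) and the VLAN-specific denies are emitted as one list per SVI rather than two lists applied at once. Because every ACE matches only the VLAN's own subnet as source, a packet sourced from some other address on that VLAN falls through to the implicit deny, which doubles as a cheap anti-spoofing check. The established keyword is a stateless approximation that only covers TCP; UDP-based management traffic would need its own explicit entries.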
-
I am trying to apply an acl on my vlan interfaces that would allow the vlan to initiate tcp traffic. When I apply it I am unable to surf the web from the vlan but I can tftp from the vlan .
This is normal behavior. The first packet coming from the station on the VLAN would not be considered as established.
On the other hand, the established keyword could be configured on an outbound ACL applied to the same VLAN. This would only allow TCP traffic initiated from the VLAN to reenter that same VLAN.
Hope this helps, -
Interface vlan - ACL - pinging issues.
I'm trying to understand why an ACL which is applied to an interface vlan is affecting the traffic for a different interface vlan.
Both vlans are configured on the same device and there's a trunk connecting the "access" switch to the "distribution" switch.
so, what we have is:
UD-1 UD-1B
UA
Int vlan are configured in both UDs and the vlan is allowed in the trunk that connects the UD to the UA.
There's an ACL blocking traffic to the int vlan 225 ip that is configured in the UA, but there's no ACL on the vlan 185 (the same IP that Im trying to ping).
So , why is this happening?
configs:
UD-1A:
interface Vlan185
ip address 10.8.185.3 255.255.255.0
interface Vlan225
ip address 10.18.225.3 255.255.255.0
ip access-group ud1 in
int gi1/1
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 225
switchport trunk allowed vlan 185,225
switchport mode trunk
UD-1B
interface Vlan185
ip address 10.8.185.4 255.255.255.0
interface Vlan225
ip address 10.18.225.4 255.255.255.0
ip access-group al_rpf_sre_ud1_pro in
interface GigabitEthernet4/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 225
switchport trunk allowed vlan 185,225
switchport mode trunk
interface Vlan185
ip address 10.8.185.7 255.255.255.0
ip access-group ro in
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 225
switchport trunk allowed vlan 185,225
switchport mode trunk
interface GigabitEthernet1/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 225
switchport trunk allowed vlan 185,225
switchport mode trunk
so, when I ping 10.8.185.7
I get:
GMT-3: ICMP: dst (10.8.185.7) administratively prohibited unreachable rcv from 10.8.185.4
%SEC-6-IPACCESSLOGDP: list ud1 denied icmp 10.8.185.7 (GigabitEthernet1/1) -> 10.18.232.58 (0/0), 3 packets
anybody?
Hello Paresh,
thanks for replying.
But, actually I dont think this is what happening.
Because 10.18.232.58 comes from an uplink - core router, which enters from a different interface.
Let me give you the configs:
uplinks:
interface GigabitEthernet3/1
no switchport
ip address 10.18.192.26 255.255.255.252
And the core are doing load-balancing to reach the UA.
So, icmp packets are arriving from these 2 interfaces, the uplink gi3/1 (router port) and from the link that connects the UA switch.
so, pinging from the BC you have 2 ways to get to the UA, from UD1 and UD1-B, when it reaches UD1-B it goes to the vlan (ie. goes down to the UA and up to UD1A).
Not sure if this is helping.
If you need any other info let me know.
this is killing me. -
Hi,
The ace config contains more than 20 service-policy and many VIP addresses. The ace works in L3 mode.
We have to restrict one of VIP traffic to 6 node only from public side.
How can i restrict the traffic with ACL in the L3 class map.
different policies use the servers on server side VLAN thus we would not like to use general traffic ACL under server VLAN configuration.
Unfortunately, only one entry is permitted in a class L3 map!
However, this one entry is the virtual-address row.
What is the smart solution in this case. ( VIP & ACL together )
Regards,
Hi,
I think the easier way that you can do this is using a HTTP class-map (regardless of the load balanced protocol, weird eh?)
Instead of an ACL you would use the match source-address command to specify the source allowed to make it to the servers.
Here is how it looks like:
class-map type http loadbalance match-any Hosts
10 match source-address 192.168.10.20 255.255.255.255
11 match source-address 192.168.10.21 255.255.255.255
12 match source-address 192.168.10.22 255.255.255.255
class-map match-any Internet
2 match virtual-address 192.168.20.15 tcp eq www
policy-map type loadbalance first-match Internet-FMP
class Hosts
serverfarm Backend
policy-map multi-match CLIENT-VIPS
class Internet
loadbalance vip inservice
loadbalance policy Internet-FMP
loadbalance vip icmp-reply active
Hope this helps!
Pablo -
HI
I hope a number of issues like this have been reported. I am getting confused about the direction of an ACL when it is on a router's physical interface and when it is on a Layer 3 switch SVI interface. I think my understanding of ACLs needs to get cleared up; I need your kind input please.
I have a L3 switch with 3 vlans
Vlan 1 - Routing-Vlan (Connecting to another network directly) - 172.16.1.254 /24 (connect to another router some where in in another network on 172.16.1.1/24)
Vlan 10 - Server-Vlan - 172.16.10.1/24
Vlan 11 - User-Vlan - 172.16.11.1/24
I want to allow only specific network to come inside to my network to access all the subnets, other all must be blocked.
I want all in my network to access any thing outside the network.
i tried to configure acl as below-
access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
int vlan 1
ip add 172.16.1.1 255.255.255.0
ip access-group 101 in
When I am trying from outside (172.16.100.1) -
Ping 172.16.10.1 - Good (expected)
Ping 172.16.11.1 - NOT (expected)
When I am trying to ping from inside Server-Vlan (172.16.10.1)
Ping 172.16.100.1 - Good
The problem -
When i am trying to ping from inside User-Vlan (172.16.11.1) to go outside to 172.16.100.1 am not getting reply
what is wrong happening here in this scenario?
regards
Sunny
Hi Jon,
I was working on the ACL for the above issue. I have found the below things -
int vlan 1
des Routing vlan
ip address 172.16.1.1 255.255.255.0
ip access-group 110 in
int vlan 10
des server vlan
ip address 172.16.10.1 255.255.255.0
int vlan 11
des Users
ip add 172.16.11.1 255.255.255.0
ip access-group 100 in
The ACLs applied on VLAN 10 and 11 are inbound in direction, so as we mentioned before, the traffic coming from each VLAN (172.16.10.x or 172.16.11.x) can be filtered at the SVI itself. In fact I need to put the below statement (the second line) to ping its own gateway.
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.11.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.101.0 0.0.0.255
And for filtering the traffic coming from outside, I had to put the ACL on interface VLAN 1 and call it in the INBOUND direction.
access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.11.0 0.0.0.255
access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.11.0 0.0.0.255
what i understood,
for vlan 10 or 11 - if i call outbound means the traffic coming from outside and destined to inside of that vlan.
for vlan 10 or 11 - if i call inbound means the traffic coming from inside of that vlan and destined to outside.
But for Vlan 1, which is the routing vlan,connecting to the other network the behaviour is just reverse-
If i call inbound means the traffic coming in to that vlan initerface from Outside
If i call outbound means the traffic that going out through that interface.
So I didn't call any ACL in the outbound direction as of now.
Dear Jon, thanks for taking time to describing the scenario in detail before.
please check this and let me know that my conclusion is correct or is there anything left to be in the loop again...!!!
Thanks and Regards
Sunny -
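The direction confusion running through this thread (Sunny's ACL 101 above, and the earlier post about the established keyword) comes down to one rule: an ACL applied "in" on interface VlanN filters packets sourced by hosts on VLAN N, and one applied "out" filters packets being routed onto VLAN N. The following Python model is an added example, not from the thread and not Cisco code; it reproduces Sunny's subnets and ACL 101 with two constructed hosts (172.16.10.50 in Server-Vlan, 172.16.11.50 in User-Vlan) and shows why the User-Vlan ping gets no reply: the echo request leaves freely, but the echo reply from 172.16.100.1 enters Vlan 1, where ACL 101 permits only destinations in 172.16.10.0/24, so it falls to the implicit deny. It also models the established keyword on an outbound SVI ACL.

```python
"""ACL direction on SVIs, simulated (added example; not from the forum thread).

Models IOS extended-ACL semantics: first match wins, implicit 'deny ip any any'
at the end, and 'established' matching TCP segments with ACK or RST set.
Subnets and ACL 101 copy the thread's scenario; the two host addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp", "tcp" or "udp"
    src: str
    dst: str
    ack: bool = False   # TCP ACK/RST bit set: what 'established' matches


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: str            # CIDR or "any"
    dst: str
    established: bool = False


def _in_net(cidr, addr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_in_net(ace.src, pkt.src) and _in_net(ace.dst, pkt.dst)):
        return False
    if ace.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(acl, pkt):
    """Action of the first matching ACE; implicit deny when nothing matches."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def forward(svi_acls, ingress_vlan, egress_vlan, pkt):
    """Route pkt from one SVI to another.

    'in' on VlanN sees packets arriving from hosts on VLAN N; 'out' on VlanN sees
    packets being routed onto VLAN N. A direction with no ACL passes everything.
    """
    acl_in = svi_acls.get((ingress_vlan, "in"))
    if acl_in is not None and evaluate(acl_in, pkt) == "deny":
        return f"dropped by Vlan{ingress_vlan} in"
    acl_out = svi_acls.get((egress_vlan, "out"))
    if acl_out is not None and evaluate(acl_out, pkt) == "deny":
        return f"dropped by Vlan{egress_vlan} out"
    return "forwarded"


def ping(svi_acls, src_vlan, src, dst_vlan, dst):
    """ICMP echo plus the echo-reply it provokes; both legs must be forwarded."""
    req = forward(svi_acls, src_vlan, dst_vlan, Packet("icmp", src, dst))
    if req != "forwarded":
        return "no reply (request " + req + ")"
    rep = forward(svi_acls, dst_vlan, src_vlan, Packet("icmp", dst, src))
    return "reply" if rep == "forwarded" else "no reply (reply " + rep + ")"


# The thread's ACL 101, 'permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255',
# applied inbound on Vlan 1 (the routing VLAN towards the remote 172.16.100.0/24).
ACL_101 = [Ace("permit", "ip", "172.16.100.0/24", "172.16.10.0/24")]
SVI_ACLS = {(1, "in"): ACL_101}


def scenario():
    """Sunny's four pings with constructed hosts in Server-Vlan 10 and User-Vlan 11."""
    return {
        "outside->server": ping(SVI_ACLS, 1, "172.16.100.1", 10, "172.16.10.50"),
        "outside->user": ping(SVI_ACLS, 1, "172.16.100.1", 11, "172.16.11.50"),
        "server->outside": ping(SVI_ACLS, 10, "172.16.10.50", 1, "172.16.100.1"),
        "user->outside": ping(SVI_ACLS, 11, "172.16.11.50", 1, "172.16.100.1"),
    }


# 'established' on an outbound SVI ACL: only TCP segments answering a session the
# VLAN opened get routed onto it; a fresh SYN from outside is dropped.
ESTABLISHED_OUT = [Ace("permit", "tcp", "any", "172.16.11.0/24", established=True)]


def established_demo():
    acls = {(11, "out"): ESTABLISHED_OUT}
    reply = forward(acls, 1, 11, Packet("tcp", "172.16.100.1", "172.16.11.50", ack=True))
    syn = forward(acls, 1, 11, Packet("tcp", "172.16.100.1", "172.16.11.50", ack=False))
    return reply, syn


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
    print("established demo:", established_demo())
```

The fix the model points at is the one Sunny arrives at with ACL 110: the inbound list on Vlan 1 has to permit the outside subnets to every inside subnet whose hosts are allowed to initiate, because the return half of every conversation those hosts start enters the switch on Vlan 1 too. The established_demo function illustrates the earlier post's point in the opposite direction: an outbound list with established admits the answers to sessions the VLAN opened and nothing else.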
300-28 Switches ACL Problem (Lack of Hardware Error)
Hi!
I am using SG300-28 switches in Layer 3 mode. I have 15 Vlans created and routing. I have 3 ACLS applied on the 5 VLANs.
I am facing problem while adding another ACL in the VLAN interface error is (Lack of Hardware resources).
I don't know what is the problem, I am worried about it. Please help in this.
I have also updated my switch to the latest firmware, e.g. 1.4.0.88
hi
It seems you've reached the maximum number of ACL entries for the switch (512). Please:
how many ACLs you have configured in total?
how many entries have each applied access list on your switch?
you can also check available resources with command "show system resources tcam"