Ethernet Switches & Routers

Occasional Contributor
Posts: 12
Registered: 02-01-2011

ACL on routed VLAN

Have a project that requires specific hosts on a vlan to be secure from the remaining traffic on a pre-existing VLAN (with servers and clients).

Is there any way to do this through ACLs without impacting the rest of the traffic on the VLAN?

Thanks..

Contributor
Posts: 54
Registered: 01-27-2010

Re: ACL on routed VLAN

So the project won't let you put the secured hosts on their own vlan...OK.

Let's assume your vlan is 1.1.1.0/24, and you want to protect two hosts, 1.1.1.5 and 1.1.1.10.  They are connected to ports 1/47 and 1/48.

Since FastIron devices only support inbound ACLs, you'll need to apply the ACL to every active non-protected port on the same vlan, at least on the same switch.

ip access-list extended offlimits
deny ip any host 1.1.1.5
deny ip any host 1.1.1.10
permit ip any any

interface ethernet 1/1 to 1/46
ip access-group offlimits in

Occasional Contributor
Posts: 12
Registered: 02-01-2011

Re: ACL on routed VLAN

Thanks.

I will try this over the weekend..

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: ACL on routed VLAN

The ACL would stop the two hosts, 1.1.1.5 and 1.1.1.10, from talking to the rest of the VLAN, but would not stop the rest of the VLAN computers talking to them.  Is this what you are after?

If you need to completely stop all traffic you would need another ACL with a deny of the rest of the hosts applied to the two ports that 1.1.1.5 and 1.1.1.10 are connected to.

Thanks

Michael.

Contributor
Posts: 54
Registered: 01-27-2010

Re: ACL on routed VLAN

Michael,

??

In the example, pretend I'm on port 1.  Port 1 will deny inbound ip traffic where source=any and dest=(the two protected IPs).  The hosts with those IPs are on ports 47 and 48.

Why won't that ACL prevent me from talking to the protected IPs?

Paul

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: ACL on routed VLAN

Hi Paul,

It is an inbound ACL, so no packets from the two protected hosts will be delivered to your host on port 1.

However, you can send packets to the protected hosts, e.g. UDP will work. Of course anything that requests ANY packets to be sent back from the protected hosts will be dropped by the ACL.

Thanks

Michael.

Contributor
Posts: 54
Registered: 01-27-2010

Re: ACL on routed VLAN

Hi Michael,

I think we must be seeing this one differently somehow.  An inbound ACL controls what may enter a port, right?  If every non-protected port (1 thru 46) has the same inbound ACL described earlier, no device on those ports can send any IP traffic past the ACL to the IPs of the protected devices.

And since udp, tcp, icmp are all part of ip, if the ACL works as advertised then all IP traffic to the protected devices will be blocked.  Non-IP packets like wake-on-LAN, IPX or LAT could certainly be sent, but will only be received if the protected devices are listening for them.

I'm not trying to suggest that blocking IP traffic is the same as creating a separate VLAN, or that this approach provides complete isolation, only that the ACLs may give sufficient protection to meet the asker's requirements.

Thanks.

Paul

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: ACL on routed VLAN

Hi Paul,

"An inbound ACL controls what may enter a port, right?" - Yes.

"If every non-protected port (1 thru 46) has the same inbound ACL described earlier, no device on those ports can send any IP traffic past the ACL to the IPs of the protected devices." - No, as it is inbound only, they can send any traffic out.  You would need to either have an outbound ACL also applied for that (this switch only supports inbound) or place another inbound ACL rule on the two ports that we want to protect.

See example below:

FastIron(config)#ip access-list standard Net1
FastIron(config-std-nACL)#deny host 209.157.22.26 log
FastIron(config-std-nACL)#deny 209.157.29.12 log
FastIron(config-std-nACL)#deny host IPHost1 log
FastIron(config-std-nACL)#permit any
FastIron(config-std-nACL)#exit
FastIron(config)#int eth 1/1
FastIron(config-if-e1000-1/1)#ip access-group Net1 in

The commands in this example configure a standard ACL named “Net1”. The entries in this ACL deny packets from three source IP addresses from being forwarded on port 1. Since the implicit action for an ACL is “deny”, the last ACL entry in this ACL permits all packets that are not explicitly denied by the first three ACL entries.

But we are not too sure how the poster really wants it to work. I was just stating it may need extra ACL if they needed to make it more secure. (though a firewall would of course be better:) ).

Contributor
Posts: 54
Registered: 01-27-2010

Re: ACL on routed VLAN

Ah....thanks for the example.  Perhaps I see where our understandings differ.

1.  Not sure if we agree here, but "inbound" is from the switch's perspective.  If I plug into port 1, the inbound ACL on port 1 controls what I can send into the switch, and therefore to the rest of the network.  Cisco has a decent description of inbound & outbound router ACLs on Slide 6 at http://www.cisco.com/web/learning/le31/le46/cln/qlm/CCNA/icnd2/introducing-access-control-list-operation/player.html   While an FCX only supports inbound (and can run as a switch and/or a router), I believe the description is accurate.

2.  A standard ACL can reference only the SOURCE ip address.  So yes, if it were a standard ACL, it would be unable to keep me on port 1 from sending packets to the protected IP without also keeping me from sending packets to all other IP addresses (it would deny my SOURCE IP).

   However, the ACL given was an extended ACL.  These can filter by Source, by Destination, and also by protocol if you like.   And "Destination" comes in handy here. So when we apply to a port an inbound ACL like

ip access-list extended offlimits
deny ip any host 1.1.1.5
permit ip any any

it will block packets FROM any ip address connected to the port TO only the host with the IP 1.1.1.5.  At least, that's how they work in my shop!

Agreed, we're not sure what the poster really wants.  But if he wants to keep the protected IP's from being reached by any IP traffic from devices on ports 1 thru 46, I think the example will do the trick.

Paul

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: ACL on routed VLAN

Hi Paul,

You are correct - I had my inbound around the wrong way.  Thanks for setting me straight on that.

So I need to reverse my point.

Traffic from the protected two IPs is not blocked to the rest of the ports, though no replies or ACKs can get back to the protected IPs.  As stated at the start, that may be enough for the poster (we do not know).

If he/she wants to block traffic in that direction then a second ACL could be applied to the two ports that the protected IPs are plugged into.

Thanks

Michael.
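The one-way behaviour the thread settles on (inbound "offlimits" on ports 1 thru 46 stops clients reaching the protected hosts, but not the reverse) can be checked with a small simulator of inbound-only extended ACLs. This is an added example, not code from the thread or from Brocade; the port numbers and the "offlimits" entries come from the posts above, while the second ACL for ports 47/48 (PROTECTED_IN) is an assumed form, since the thread never spells it out:

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # "any", a host IP, or a CIDR prefix
    dst: str     # "any", a host IP, or a CIDR prefix

def _match(pattern: str, ip: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def evaluate(acl: list[Rule], src: str, dst: str) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for rule in acl:
        if _match(rule.src, src) and _match(rule.dst, dst):
            return rule.action
    return "deny"

# The "offlimits" ACL from the thread, applied inbound on ports 1-46.
OFFLIMITS = [
    Rule("deny", "any", "1.1.1.5"),
    Rule("deny", "any", "1.1.1.10"),
    Rule("permit", "any", "any"),
]
# Assumed second ACL for ports 47/48: the two protected hosts may still
# reach each other; everything else on the VLAN is denied.
PROTECTED_IN = [
    Rule("permit", "any", "1.1.1.5"),
    Rule("permit", "any", "1.1.1.10"),
    Rule("deny", "any", "1.1.1.0/24"),
    Rule("permit", "any", "any"),
]

def port_acls(second_acl: bool = False) -> dict[int, list[Rule]]:
    acls = {port: OFFLIMITS for port in range(1, 47)}
    if second_acl:
        acls[47] = acls[48] = PROTECTED_IN
    return acls

def forwarded(acls: dict[int, list[Rule]], ingress_port: int, src: str, dst: str) -> bool:
    """Inbound-only filtering: only the ACL on the port a packet enters is consulted."""
    acl = acls.get(ingress_port)
    return acl is None or evaluate(acl, src, dst) == "permit"

if __name__ == "__main__":
    print(forwarded(port_acls(), 1, "1.1.1.20", "1.1.1.5"))        # client -> protected: blocked
    print(forwarded(port_acls(), 47, "1.1.1.5", "1.1.1.20"))       # protected -> client: still passes
    print(forwarded(port_acls(True), 47, "1.1.1.5", "1.1.1.20"))   # blocked once the second ACL is on
```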
