Dan Elmbrook
New Member

ACL Questions

I have the need to create an ACL for what is essentially a public VLAN which supports public wireless access. I would like it so that only certain services (HTTP, DNS, DHCP) are available to that public VLAN from our private VLANs, and block the rest.

What is the best way to go about doing this?

Thanks.
Olaf Borowski
Respected Contributor

Re: ACL Questions

Dan, what product are you using? If you are connecting to the public Internet, you probably want a stateful firewall protecting the private side. You could write an ACL that only allows HTTP, DNS, and DHCP and apply it inbound to the switch, but what about the replies from the Internet? You need to keep track of the source port (TCP port) of the wireless client to allow traffic back in. If you don't apply an ACL to the public side, you would be wide open, which is dangerous. A product like the ProCurve 7000dl series router will do the NAT and stateful firewalling for you.
Hope this helps,

Olaf
Dan Elmbrook
New Member

Re: ACL Questions

The network already has a firewall between our internet and private network. What I mean by public access is a private network that we will allow any user with a wireless laptop to access so they can use the internet.

We have a 5406 with 6 VLANs:

1 Office
2 Phone
3 Server
4 WAN
5 Internet
6 Wireless

I want to block all access from wireless to the office, phone, server and WAN VLANs, except needed services like HTTP, DNS and DHCP.

Hope that clears things up.
Mohieddin Kharnoub
Honored Contributor

Re: ACL Questions

Hi

You have to define an exact list of the ports you need to open, then you can go ahead and create one extended ACL opening these ports and apply it out (if I'm correct) to the wireless VLAN:

SW(config)# ip access-list extended WLAN
SW(config-ext-nacl)# permit tcp any any eq 80
SW(config-ext-nacl)# permit udp any any eq 53
SW(config-ext-nacl)# permit tcp any any eq 21
SW(config-ext-nacl)# permit tcp any any eq 443
SW(config-ext-nacl)# permit udp any any eq 67
...
SW(config-ext-nacl)# deny ip any any
SW(config-ext-nacl)# exit
SW(config)# vlan 6 ip access-group WLAN out

Just replace the service name with the port number if the service is not listed, and be sure to configure all the services you need. Then test the ACL by connecting to the wireless VLAN; you should at least get an IP from a DHCP server.

There are other ways to achieve the same scenario with different approaches.

Good Luck !!!
Science for Everyone
Mohieddin Kharnoub
Honored Contributor

Re: ACL Questions

This document is very helpful:
http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ASG-Jan08-10-ACLs.pdf

Good Luck !!!
Science for Everyone
Sven Bergmann
Frequent Advisor

Re: ACL Questions

@Mohieddin Kharnoub

You wrote:

SW(config)#vlan 6 ip access-group WLAN out

Your ACL must be INBOUND, not outbound.
Dan Elmbrook
New Member

Re: ACL Questions

I'm confused how this accomplishes what I am after. I don't want to limit anything to the internet VLAN; I will let my firewall handle those sorts of issues.

I would like to block access to all other VLANs from the wireless VLAN.
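To make the gap between the ACL posted earlier in the thread and what Dan is asking for concrete, here is an added Python model of first-match ACL evaluation with the implicit deny. It is not code from the thread or from any ProCurve product; the VLAN subnets, the sample flows and the mapping of service names to port numbers are constructed assumptions. The "posted" ACL is the one from the thread (services permitted toward any destination, then deny all); the "targeted" ACL implements Dan's requirement in the order he describes it: open DHCP, DNS and HTTP toward the server VLAN, deny everything else to the internal VLANs, and permit the remainder so Internet-bound traffic is left to the firewall. Both are modelled as applied inbound on the wireless VLAN, where the ACL only ever sees traffic sourced by wireless clients.

```python
"""Model of an extended ACL applied inbound on the wireless VLAN (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
BCAST = ipaddress.ip_network("255.255.255.255/32")

# Constructed addressing, not from the thread: one /24 per internal VLAN (assumption).
SUBNET = {
    "office": ipaddress.ip_network("10.1.0.0/24"),
    "phone": ipaddress.ip_network("10.2.0.0/24"),
    "server": ipaddress.ip_network("10.3.0.0/24"),
    "wan": ipaddress.ip_network("10.4.0.0/24"),
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: action, protocol, destination, optional dst port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, otherwise "tcp"/"udp"
    dst: ipaddress.IPv4Network   # destination network ("any" is 0.0.0.0/0)
    dport: Optional[int] = None  # None means any destination port


def evaluate(acl, proto, dst_ip, dport=None):
    """First match wins; an ACL with no matching entry ends in the implicit deny."""
    dst = ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit "deny ip any any" at the end of every ACL


# The ACL as posted in the thread, with service names mapped to port numbers.
POSTED_ACL = [
    Ace("permit", "tcp", ANY, 80),
    Ace("permit", "udp", ANY, 53),
    Ace("permit", "tcp", ANY, 21),
    Ace("permit", "tcp", ANY, 443),
    Ace("permit", "udp", ANY, 67),
    Ace("deny", "ip", ANY),
]

# Targeted variant: open the needed services toward the server VLAN, deny the
# rest of the internal VLANs, and let everything else through to the firewall.
TARGETED_ACL = [
    Ace("permit", "udp", BCAST, 67),             # DHCP discover/request broadcast
    Ace("permit", "udp", SUBNET["server"], 67),  # DHCP renew to the server
    Ace("permit", "udp", SUBNET["server"], 53),  # DNS
    Ace("permit", "tcp", SUBNET["server"], 80),  # HTTP
    Ace("deny", "ip", SUBNET["office"]),
    Ace("deny", "ip", SUBNET["phone"]),
    Ace("deny", "ip", SUBNET["server"]),
    Ace("deny", "ip", SUBNET["wan"]),
    Ace("permit", "ip", ANY),                    # Internet-bound traffic
]

# Constructed sample flows from a wireless client: (proto, destination, dst port).
SAMPLE_FLOWS = {
    "dhcp_discover": ("udp", "255.255.255.255", 67),
    "dns_to_server": ("udp", "10.3.0.10", 53),
    "http_to_office_host": ("tcp", "10.1.0.20", 80),
    "smb_to_office_host": ("tcp", "10.1.0.20", 445),
    "imaps_to_internet": ("tcp", "203.0.113.10", 993),
}


def compare(acls=None, flows=SAMPLE_FLOWS):
    """Return {flow_name: {acl_name: decision}} for every sample flow."""
    acls = acls or {"posted": POSTED_ACL, "targeted": TARGETED_ACL}
    return {
        name: {acl_name: evaluate(acl, *flow) for acl_name, acl in acls.items()}
        for name, flow in flows.items()
    }


if __name__ == "__main__":
    for flow, decisions in compare().items():
        print(f"{flow:22s} " + "  ".join(f"{k}={v}" for k, v in decisions.items()))
```

Running the comparison shows the two points raised in the thread: the posted ACL lets a wireless client reach HTTP on an office host (the permit is toward "any") while blocking Internet services that were not listed, such as IMAPS; the targeted ACL denies the office host regardless of port and passes the Internet flow to the firewall. Both variants still let the DHCP broadcast through, which is the first thing to test after applying the ACL.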