Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

ACL on DNS SRV

StratosGreece
Occasional Advisor

ACL on DNS SRV

Hi all,
I have a 5406zl L3 Switch.
I have configured my Vlans and I need an ACL that will
permit host 192.168.87.61 on Vlan 87 to login on my DNS server on another Vlan 80 (DNS SRV IP 192.168.80.1), and NOTHING else. Routing is done by the 5406
I have configured these ACL

OUT in VLAN 87
ip access-list extended "189"
20 permit tcp 192.168.80.1 0.0.0.0 0.0.0.0 255.255.255.255 established
30 permit udp 192.168.80.1 0.0.0.0 0.0.0.0 255.255.255.255
Exit

IN in VLAN 87
ip access-list extended "188"
19 permit udp 192.168.87.61 0.0.0.0 192.168.80.1 0.0.0.0
70 permit udp 192.168.87.61 0.0.0.0 192.168.80.1 0.0.0.0 eq 53
100 permit tcp 192.168.87.61 0.0.0.0 192.168.80.1 0.0.0.0 eq 445
200 permit tcp 192.168.87.61 0.0.0.0 192.168.80.1 0.0.0.0 eq 1026
210 permit tcp 192.168.87.61 0.0.0.0 192.168.80.1 0.0.0.0 eq 135
exit



But
1st host takes about a min to login
2nd My DNS SRV has all udp ports open to host

Could anybody give me an idea? Or an example
THANK YOU ALL…
6 REPLIES
StratosGreece
Occasional Advisor

Re: ACL on DNS SRV

On my host i have to wait before seesions are establishe
netstat -a
host:3104 DNS:epmap TIME_WAIT
host :3105 DNS:1026 TIME_WAIT
host:3115 DNS:microsoft-ds TIME_WAIT
host :3122 DNS:1026 TIME_WAIT
host :3136 DNS:epmap TIME_WAIT

i have this time w
Pieter 't Hart
Honored Contributor

Re: ACL on DNS SRV

>>>
OUT in VLAN 87
ip access-list extended "189"
20 permit tcp 192.168.80.1 0.0.0.0 0.0.0.0 255.255.255.255 established
30 permit udp 192.168.80.1 0.0.0.0 0.0.0.0 255.255.255.255
Exit
<<<
ACL is configured as "permit "
Host 192.168.80.1 is not a source in vlan87, but it is a destination in vlan80!
So these lines do nothing applied OUT to vlan87.
=> reconfigure this ACL.

StratosGreece
Occasional Advisor

Re: ACL on DNS SRV

Thanks for your response.
I donâ t see a great changeâ ¦
In my current configuration I donâ t use ACL extended 189 at all
But the problem still remains
My system logins after about a min
And I have all UDP ports to my DNS SRV open.


Thank you
Pieter 't Hart
Honored Contributor

Re: ACL on DNS SRV

please tell more about the network config.

Whats the subnetmask andd gateway of host 192.168.87.61
same for host 192.168.80.1
whats the ip-address/mask of the switch in vlan 87 and vlan 80

Is there any default-gateway or "route 0.0.0.0 ..." configured at the switch?
If so, to what device (firewall, router, ...)?
StratosGreece
Occasional Advisor

Re: ACL on DNS SRV

Well everything is done local on 5406, no firewalls, no routers.
Vlan 80 has my DNS Server
DNS IP 192.168.80.1/24
GW 192.168.80.11
And my host is on Vlan 87
IP 192.168.87.61/24
GW 192.168.87.11



thanx
StratosGreece
Occasional Advisor

Re: ACL on DNS SRV

any help?
thank you