ACL question
11-06-2008 10:50 AM
My question is in regards to a 5412zl running firmware 13.25.
I'm a little confused as to which ACL to use for controlling access between vlans. For simplicity's sake I'm just going to ask about a portion of my config and should be able to figure the rest out.
I have vlan 5 called "225security" that I'm trying to isolate from vlan 4 (224servers) and vlan 6 (226workstn). Basically 224 is for servers, 226 is for workstations - 224 and 226 should be able to freely communicate with each other. I want to keep 225 separate with the exception of one machine (IP 192.7.225.8) needing to be able to reach 192.7.224.6 and vice versa.
The vlans currently set up in the config are all set as inbound RACLs. I am trying to go by the principle of "block everything and poke holes for what you need".
Please provide any recommendations/insight on how to do what I have described above. I am particularly confused about whether to use RACLs for controlling the routed traffic between vlans or VACLs for the switched and routed traffic.
Our SonicWALL router/firewall will be controlling the traffic entering the switch, however I'm using routing on the 5412 to control traffic within the vlans and exiting the switch.
If any more information is needed please let me know. Thank you for any help that you can provide.
Please see the attached config.txt file for the full running config.
Ryan
11-07-2008 12:56 AM
Re: ACL question
I want to keep 225 separate with the exception of one machine (IP 192.7.225.8) needing to be able to reach 192.7.224.6 and vice versa.
At first glance, adding
permit ip 192.7.225.8 0.0.0.0 192.7.224.6 0.0.0.0 to "ACL225"
permit ip 192.7.224.6 0.0.0.0 192.7.225.8 0.0.0.0 to "ACL224"
would allow traffic between these single hosts.
Pieter
11-07-2008 07:26 AM
Re: ACL question
Does the overall configuration look good though? Do you see any problems with using RACLs instead of VACLs in this situation? I have ip routing enabled on the switch, but no routes set up between the vlans, so does that mean the traffic is switched between the vlans?
Another question: Port A2 (on vlan221 with "ACL221" applied to it) will be the "uplink" port, so to speak, coming from our SonicWALL router/firewall that handles internet traffic. All traffic will be passing through this port when entering/leaving the switch to/from the Internet. What routes, if any, need to be set up on the switch and the SonicWALL to allow communication between the two and route the traffic to the appropriate vlans?
Thanks again for any help you can provide!
Ryan
I have attached the latest version of the switch config.
11-07-2008 07:39 AM
Re: ACL question
To communicate between vlans something extra must be done. This is done by adding a router or a gateway to pass traffic on layer 3.
On the switch you must configure a default route (0.0.0.0 mask 0.0.0.0 to the sonic).
On the firewall you must add routes for the different vlans to the ip address of the switch as distribution point (router) within the local network.
11-07-2008 09:34 AM
Re: ACL question
What would the static route statement look like on the switch?:
"ip route 192.7.221.0/24 0.0.0.0 0.0.0.0"
And then would I need to add the following on the SonicWALL?:
"ip route 0.0.0.0 0.0.0.0 192.7.221.0/24"
Do you have any recommendations on the ACL configuration? Can you advise on whether I should be creating and assigning separate ACLs for inbound and outbound traffic or is how I have it setup sufficient?
As always, thank you again for the help.
11-08-2008 01:03 AM
Re: ACL question
The switch has address 192.7.221.254, the sonic has an address in the same subnet (say 192.7.221.1).
So on the switch, a default route to the sonic:
ip route 0.0.0.0 0.0.0.0 192.7.221.1
On the firewall, a default route to the internet:
ip route 0.0.0.0 0.0.0.0
and routes to the other subnets via the switch (network addresses, not the switch's host addresses):
ip route 192.7.224.0 255.255.255.0 192.7.221.254
ip route 192.7.226.0 255.255.255.0 192.7.221.254
11-15-2008 02:58 PM
Re: ACL question
I am trying to apply an inbound RACL to VLAN226, but when I do so, all traffic gets interrupted between 226 and other vlans (including VLAN221 which contains 192.7.221.1 for the main SonicWALL router - the only device in VLAN221).
Below is output from "sh access-list config":
ip access-list extended "ACL224"
10 permit ip 192.7.224.6 0.0.0.0 192.7.225.8 0.0.0.0
20 permit ip 192.7.224.0 0.0.0.255 192.7.221.0 0.0.0.255
30 permit ip 192.7.224.0 0.0.0.255 192.7.224.0 0.0.0.255
40 permit ip 192.7.224.0 0.0.0.255 192.7.226.0 0.0.0.255
exit
ip access-list extended "ACL226"
10 permit ip 192.7.226.0 0.0.0.255 192.7.221.0 0.0.0.255
20 permit ip 192.7.226.0 0.0.0.255 192.7.224.0 0.0.0.255
30 permit ip 192.7.226.0 0.0.0.255 192.7.226.0 0.0.0.255
exit
ip access-list extended "ACL225"
10 permit ip 192.7.225.8 0.0.0.0 192.7.224.6 0.0.0.0
20 permit ip 192.7.225.8 0.0.0.0 192.7.221.0 0.0.0.255
30 permit ip 192.7.225.0 0.0.0.255 192.7.225.0 0.0.0.255
exit
ip access-list extended "ACL221"
10 permit ip 192.7.221.0 0.0.0.255 192.7.225.8 0.0.0.0
20 permit ip 192.7.221.0 0.0.0.255 192.7.224.0 0.0.0.255
30 permit ip 192.7.221.0 0.0.0.255 192.7.226.0 0.0.0.255
40 permit ip 192.7.221.0 0.0.0.255 192.7.221.0 0.0.0.255
exit
I am attempting to do the following:
--Allow all traffic to/from vlan 221 (main uplink) to vlans 224, 226, and one workstation (192.7.225.8) to/from vlan 225.
--Allow traffic to/from 192.7.225.8 to 192.7.224.6 but nothing else on vlan 224.
--Allow all machines on a given subnet to contact all other machines on their same subnet (i.e. 224 to everything else on 224).
Please assist me in attempting to figure out whether to use RACLs or VACLs and whether to apply them inbound or outbound.
Thank you to anyone who can provide assistance.
Ryan
I have also attached the full config file.
11-17-2008 12:30 AM
Re: ACL question
In the new config you are missing the statements
ip access-group "ACL221" in
for all vlans.
Is that what you mean by "everything works except the ACLs"?
Did you leave these statements out because the ACLs don't work, or do you see unwanted traffic allowed but missed that you didn't apply the ACLs?
11-17-2008 12:38 AM
Re: ACL question
10 permit ip 192.7.226.0 0.0.0.255 192.7.221.0 0.0.0.255
20 permit ip 192.7.226.0 0.0.0.255 192.7.224.0 0.0.0.255
30 permit ip 192.7.226.0 0.0.0.255 192.7.226.0 0.0.0.255
exit
You also need to allow return traffic, which is also incoming to the vlan:
ip access-list extended "ACL226"
10 permit ip 192.7.226.0 0.0.0.255 192.7.226.0 0.0.0.255
(local traffic in this vlan)
20 permit ip 192.7.226.0 0.0.0.255 192.7.221.0 0.0.0.255
30 permit ip 192.7.221.0 0.0.0.255 192.7.226.0 0.0.0.255
(from/to vlan 1)
40 permit ip 192.7.226.0 0.0.0.255 192.7.224.0 0.0.0.255
50 permit ip 192.7.224.0 0.0.0.255 192.7.226.0 0.0.0.255
(from/to vlan 4)
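The point above is that an extended ACL is evaluated top-down with first-match semantics and ends in an implicit "deny any any", so an entry for one direction does not imply the reverse. The following is an added example, not from the thread or from HPE: a small evaluator for the "permit ip src wildcard dst wildcard" syntax shown in the posts, run against Ryan's original ACL226 and Pieter's revised one. It only models ACL matching, not which direction the 5412zl applies an "in" RACL to.

```python
import ipaddress

# Constructed sample input: the two ACL226 variants as posted in the thread.
ACL226_ORIGINAL = """
10 permit ip 192.7.226.0 0.0.0.255 192.7.221.0 0.0.0.255
20 permit ip 192.7.226.0 0.0.0.255 192.7.224.0 0.0.0.255
30 permit ip 192.7.226.0 0.0.0.255 192.7.226.0 0.0.0.255
"""
ACL226_REVISED = """
10 permit ip 192.7.226.0 0.0.0.255 192.7.226.0 0.0.0.255
20 permit ip 192.7.226.0 0.0.0.255 192.7.221.0 0.0.0.255
30 permit ip 192.7.221.0 0.0.0.255 192.7.226.0 0.0.0.255
40 permit ip 192.7.226.0 0.0.0.255 192.7.224.0 0.0.0.255
50 permit ip 192.7.224.0 0.0.0.255 192.7.226.0 0.0.0.255
"""


def parse_acl(text):
    """Parse '<seq> permit|deny ip <src> <wildcard> <dst> <wildcard>' lines."""
    entries = []
    for line in text.strip().splitlines():
        seq, action, proto, src, swc, dst, dwc = line.split()
        entries.append((int(seq), action, proto, (src, swc), (dst, dwc)))
    return sorted(entries)          # sequence number decides evaluation order


def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(entries, src, dst):
    """First matching entry wins; no match falls to the implicit deny."""
    for seq, action, _proto, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, seq
    return "deny", None             # implicit 'deny any any' at the end


if __name__ == "__main__":
    # Reply traffic from the uplink VLAN back into 226: dropped by the
    # original list, permitted by entry 30 of the revised one.
    for name, acl in (("original", ACL226_ORIGINAL), ("revised", ACL226_REVISED)):
        print(name, evaluate(parse_acl(acl), "192.7.221.1", "192.7.226.10"))
```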
11-17-2008 01:04 AM
Re: ACL question
Yes you are correct, I had taken out my "ACL in" statements because they were causing problems. I am doing more testing and trying to understand them better before reapplying them.
To quote your previous statement:
"ip access-list extended "ACL226"
10 permit ip 192.7.226.0 0.0.0.255 192.7.226.0 0.0.0.255
(local traffic in this vlan)
20 permit ip 192.7.226.0 0.0.0.255 192.7.221.0 0.0.0.255
30 permit ip 192.7.221.0 0.0.0.255 192.7.226.0 0.0.0.255
(from/to vlan 1)
40 permit ip 192.7.226.0 0.0.0.255 192.7.224.0 0.0.0.255
50 permit ip 192.7.224.0 0.0.0.255 192.7.226.0 0.0.0.255
(from/to vlan 4)"
Do I apply that ACL as an inbound or outbound ACL for that vlan? Would I use the statement "ip access-group ACL226 in" or "ip access-group ACL226 out"? Or is there a way to apply that ACL to that vlan so that the ACL itself would control inbound/outbound traffic (instead of me telling it in or out)?
So to create the ACL for 224 vlan I would then create one as follows?:
ip access-list extended "ACL224"
10 permit ip 192.7.224.0 0.0.0.255 192.7.224.0 0.0.0.255
(local traffic in this vlan)
20 permit ip 192.7.224.0 0.0.0.255 192.7.221.0 0.0.0.255
30 permit ip 192.7.221.0 0.0.0.255 192.7.224.0 0.0.0.255
(from/to vlan 1)
40 permit ip 192.7.224.0 0.0.0.255 192.7.226.0 0.0.0.255
50 permit ip 192.7.226.0 0.0.0.255 192.7.224.0 0.0.0.255
(from/to vlan 6)
And then for 221 I would do the following?:
ip access-list extended "ACL221"
10 permit ip 192.7.221.0 0.0.0.255 192.7.221.0 0.0.0.255
(local traffic in this vlan)
20 permit ip 192.7.221.0 0.0.0.255 192.7.224.0 0.0.0.255
30 permit ip 192.7.224.0 0.0.0.255 192.7.221.0 0.0.0.255
(from/to vlan 4)
40 permit ip 192.7.221.0 0.0.0.255 192.7.225.0 0.0.0.255
50 permit ip 192.7.225.0 0.0.0.255 192.7.221.0 0.0.0.255
(from/to vlan 5)
60 permit ip 192.7.221.0 0.0.0.255 192.7.226.0 0.0.0.255
70 permit ip 192.7.226.0 0.0.0.255 192.7.221.0 0.0.0.255
(from/to vlan 6)
I originally stated that I wanted 225.8 to allow traffic to 224, 226, and 221 but block all other 255 traffic but for now I'm wanting to leave the entire 225 subnet open.
Thanks again,
Ryan