ACL question

SOLVED
Ryan_D
Advisor

ACL question

Hello,

My question is in regards to a 5412zl running firmware 13.25.

I'm a little confused as to which ACL to use for controlling access between vlans. For simplicity's sake I'm just going to ask about a portion of my config and should be able to figure the rest out.

I have vlan 5 called "225security" that I'm trying to isolate from vlan 4 (224servers) and vlan 6 (226workstn). Basically 224 is for servers, 226 is for workstations - 224 and 226 should be able to freely communicate with each other. I want to keep 225 separate with the exception of one machine (IP 192.7.225.8) needing to be able to reach 192.7.224.6 and vice versa.

The vlans currently set up in the config are all set as inbound RACLs. I am trying to go by the principle of "block everything and poke holes for what you need".

Please provide any recommendations/insight on how to do what I have described above. I am particularly confused about whether to use RACLs for controlling the routed traffic between vlans or VACLs for the switched and routed traffic.

Our SonicWALL router/firewall will be controlling the traffic entering the switch, however I'm using routing on the 5412 to control traffic within the vlans and exiting the switch.

If any more information is needed please let me know. Thank you for any help that you can provide.

Please see the attached config.txt file for the full running config.

Ryan
14 REPLIES
Pieter 't Hart
Honored Contributor

Re: ACL question


I want to keep 225 separate with the exception of one machine (IP 192.7.225.8) needing to be able to reach 192.7.224.6 and vice versa.


At first glance, adding
permit ip 192.7.225.8 0.0.0.0 192.7.224.6 0.0.0.0 to "ACL225"
permit ip 192.7.224.6 0.0.0.0 192.7.225.8 0.0.0.0 to "ACL224"

would allow traffic between these single hosts.

Pieter
Ryan_D
Advisor

Re: ACL question

Thanks for the info. I have added those statements and it appears to be working fine.

Does the overall configuration look good though? Do you see any problems with using RACLs instead of VACLs in this situation? I have ip routing enabled on the switch, but no routes set up between the vlans, so does that mean the traffic is switched between the vlans?

Another question: Port A2 (on vlan221 with "ACL221" applied to it) will be the "uplink" port, so to speak, coming from our SonicWALL router/firewall that handles internet traffic. All traffic will be passing through this port when entering/leaving the switch to/from the Internet. What routes, if any, need to be set up on the switch and the SonicWALL to allow communication between the two and route the traffic to the appropriate vlans?

Thanks again for any help you can provide!

Ryan

I have attached the latest version of the switch config.
Pieter 't Hart
Honored Contributor

Re: ACL question

Use of vlans is the way to separate traffic on layer 2 (switching) of the layered network design. So traffic is never switched between vlans.
To communicate between vlans something extra must be done. This is done by adding a router or a gateway to pass traffic on layer 3.
On the switch you must configure a default route (0.0.0.0 mask 0.0.0.0 to the sonic).
On the firewall you must add routes for the different vlans to the ip address of the switch as distribution point (router) within the local network.
Ryan_D
Advisor

Re: ACL question

Great, thank you for your help Pieter.

What would the static route statement look like on the switch?:

"ip route 192.7.221.0/24 0.0.0.0 0.0.0.0"

And then would I need to add the following on the SonicWALL?:

"ip route 0.0.0.0 0.0.0.0 192.7.221.0/24"

Do you have any recommendations on the ACL configuration? Can you advise on whether I should be creating and assigning separate ACLs for inbound and outbound traffic, or is how I have it set up sufficient?

As always, thank you again for the help.
Pieter 't Hart
Honored Contributor

Re: ACL question

No,
the switch has address 192.7.221.254, the sonic has an address in the same subnet (say 192.7.221.1)
so on the switch default route to sonic
ip route 0.0.0.0 0.0.0.0 192.7.221.1

on the firewall default route to internet
ip route 0.0.0.0 0.0.0.0
and routes to the other subnet via the switch
ip route 192.7.224.254 255.255.255.0 192.7.221.254
ip route 192.7.226.254 255.255.255.0 192.7.221.254
Ryan_D
Advisor

Re: ACL question

Ok, I have the switch in place and everything is working fine except the ACLs, which takes me back to the original problem.

I am trying to apply an inbound RACL to VLAN226, but when I do so, all traffic gets interrupted between 226 and other vlans (including VLAN221 which contains 192.7.221.1 for the main SonicWALL router - the only device in VLAN221).

Below is output from "sh access-list config":

ip access-list extended "ACL224"
10 permit ip 192.7.224.6 0.0.0.0 192.7.225.8 0.0.0.0
20 permit ip 192.7.224.0 0.0.0.255 192.7.221.0 0.0.0.255
30 permit ip 192.7.224.0 0.0.0.255 192.7.224.0 0.0.0.255
40 permit ip 192.7.224.0 0.0.0.255 192.7.226.0 0.0.0.255
exit
ip access-list extended "ACL226"
10 permit ip 192.7.226.0 0.0.0.255 192.7.221.0 0.0.0.255
20 permit ip 192.7.226.0 0.0.0.255 192.7.224.0 0.0.0.255
30 permit ip 192.7.226.0 0.0.0.255 192.7.226.0 0.0.0.255
exit
ip access-list extended "ACL225"
10 permit ip 192.7.225.8 0.0.0.0 192.7.224.6 0.0.0.0
20 permit ip 192.7.225.8 0.0.0.0 192.7.221.0 0.0.0.255
30 permit ip 192.7.225.0 0.0.0.255 192.7.225.0 0.0.0.255
exit
ip access-list extended "ACL221"
10 permit ip 192.7.221.0 0.0.0.255 192.7.225.8 0.0.0.0
20 permit ip 192.7.221.0 0.0.0.255 192.7.224.0 0.0.0.255
30 permit ip 192.7.221.0 0.0.0.255 192.7.226.0 0.0.0.255
40 permit ip 192.7.221.0 0.0.0.255 192.7.221.0 0.0.0.255
exit

I am attempting to do the following:

--Allow all traffic to/from vlan 221 (main uplink) to vlans 224, 226, and one workstation (192.7.225.8) to/from vlan 225.

--Allow traffic to/from 192.7.225.8 to 192.7.224.6 but nothing else on vlan 224.

--Allow all machines on a given subnet to contact all other machines on their same subnet. (ie. 224 to everything else on 224)

Please assist me in attempting to figure out whether to use RACLs or VACLs and whether to apply them inbound or outbound.

Thank you to anyone who can provide assistance.

Ryan

I have also attached the full config file.

Pieter 't Hart
Honored Contributor

Re: ACL question

Ryan, I don't understand the current problem.

In the new config you are missing the statements
ip access-group "ACL221" in
for all vlans.

Is that what you mean by "everything works except the ACLs"?

Did you leave these statements out because the ACLs don't work, or do you see unwanted traffic allowed, but missed that you didn't apply the ACLs?

Pieter 't Hart
Honored Contributor

Re: ACL question

ip access-list extended "ACL226"
10 permit ip 192.7.226.0 0.0.0.255 192.7.221.0 0.0.0.255
20 permit ip 192.7.226.0 0.0.0.255 192.7.224.0 0.0.0.255
30 permit ip 192.7.226.0 0.0.0.255 192.7.226.0 0.0.0.255
exit

You also need to allow return traffic, which is also incoming to the vlan:

ip access-list extended "ACL226"
10 permit ip 192.7.226.0 0.0.0.255 192.7.226.0 0.0.0.255
(local traffic in this vlan)
20 permit ip 192.7.226.0 0.0.0.255 192.7.221.0 0.0.0.255
30 permit ip 192.7.221.0 0.0.0.255 192.7.226.0 0.0.0.255
(from/to vlan 1)
40 permit ip 192.7.226.0 0.0.0.255 192.7.224.0 0.0.0.255
50 permit ip 192.7.224.0 0.0.0.255 192.7.226.0 0.0.0.255
(from/to vlan 4)
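Pieter's point that a stateless list must permit both directions, as an added example that is not part of the thread: a small Python model of a ProCurve-style extended IP ACL (entries evaluated in sequence order, first match wins, implicit deny at the end), fed Ryan's original ACL226 and the corrected one above. Assumptions: the host addresses 192.7.226.10 and 192.7.221.1 are constructed sample endpoints, and the model covers only entry matching, not how the switch applies the list in or out.

```python
import ipaddress

# Added example, not code from the thread: a minimal evaluator for a
# ProCurve-style extended IP ACL (first match wins, implicit deny at the end),
# used to show why a one-directional list drops the replies coming back.

# ACL226 as first posted (only entries sourced from 192.7.226.0/24).
ORIGINAL_ACL226 = """
10 permit ip 192.7.226.0 0.0.0.255 192.7.221.0 0.0.0.255
20 permit ip 192.7.226.0 0.0.0.255 192.7.224.0 0.0.0.255
30 permit ip 192.7.226.0 0.0.0.255 192.7.226.0 0.0.0.255
"""
# ACL226 as corrected in the reply above (both directions listed).
CORRECTED_ACL226 = """
10 permit ip 192.7.226.0 0.0.0.255 192.7.226.0 0.0.0.255
20 permit ip 192.7.226.0 0.0.0.255 192.7.221.0 0.0.0.255
30 permit ip 192.7.221.0 0.0.0.255 192.7.226.0 0.0.0.255
40 permit ip 192.7.226.0 0.0.0.255 192.7.224.0 0.0.0.255
50 permit ip 192.7.224.0 0.0.0.255 192.7.226.0 0.0.0.255
"""

def wildcard_match(addr, base, wildcard):
    """Wildcard mask: a 0 bit means 'must match', so 0.0.0.0 is one host
    and 0.0.0.255 is a whole /24."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)

def parse_acl(text):
    """Parse '<seq> permit|deny ip <src> <wc> <dst> <wc>' lines into
    (seq, action, src, src_wc, dst, dst_wc), ordered by sequence number."""
    entries = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 7 and p[1] in ("permit", "deny") and p[2] == "ip":
            entries.append((int(p[0]), p[1], p[3], p[4], p[5], p[6]))
    return sorted(entries)

def evaluate(acl, src, dst):
    """Return (action, seq) of the first matching entry; (deny, None) means
    the packet fell through to the implicit deny."""
    for seq, action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action, seq
    return "deny", None

def session_allowed(acl_text, a, b):
    """A stateless ACL must permit both a->b and the b->a replies."""
    acl = parse_acl(acl_text)
    return evaluate(acl, a, b)[0] == "permit" and evaluate(acl, b, a)[0] == "permit"
```

With the original list, a 226 host can send to the SonicWALL at 192.7.221.1 but the reply falls through to the implicit deny; the corrected list permits both legs, while a packet from 192.7.225.8 to a 226 host is still denied.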
Ryan_D
Advisor

Re: ACL question

Hi Pieter, thanks again for responding to my question.

Yes you are correct, I had taken out my "ACL in" statements because they were causing problems. I am doing more testing and trying to understand them better before reapplying them.

To quote your previous statement:

"ip access-list extended "ACL226"
10 permit ip 192.7.226.0 0.0.0.255 192.7.226.0 0.0.0.255
(local traffic in this vlan)
20 permit ip 192.7.226.0 0.0.0.255 192.7.221.0 0.0.0.255
30 permit ip 192.7.221.0 0.0.0.255 192.7.226.0 0.0.0.255
(from/to vlan 1)
40 permit ip 192.7.226.0 0.0.0.255 192.7.224.0 0.0.0.255
50 permit ip 192.7.224.0 0.0.0.255 192.7.226.0 0.0.0.255
(from/to vlan 4)"

Do I apply that ACL as an inbound or outbound ACL for that vlan? Would I use the statement "ip access-group ACL226 in" or "ip access-group ACL226 out"? Or is there a way to apply that ACL to that vlan such that the ACL itself controls inbound/outbound traffic (instead of me telling it in or out)?

So to create the ACL for 224 vlan I would then create one as follows?:

ip access-list extended "ACL224"
10 permit ip 192.7.224.0 0.0.0.255 192.7.224.0 0.0.0.255
(local traffic in this vlan)
20 permit ip 192.7.224.0 0.0.0.255 192.7.221.0 0.0.0.255
30 permit ip 192.7.221.0 0.0.0.255 192.7.224.0 0.0.0.255
(from/to vlan 1)
40 permit ip 192.7.224.0 0.0.0.255 192.7.226.0 0.0.0.255
50 permit ip 192.7.226.0 0.0.0.255 192.7.224.0 0.0.0.255
(from/to vlan 6)

And then for 221 I would do the following?:

ip access-list extended "ACL221"
10 permit ip 192.7.221.0 0.0.0.255 192.7.221.0 0.0.0.255
(local traffic in this vlan)
20 permit ip 192.7.221.0 0.0.0.255 192.7.224.0 0.0.0.255
30 permit ip 192.7.224.0 0.0.0.255 192.7.221.0 0.0.0.255
(from/to vlan 4)
40 permit ip 192.7.221.0 0.0.0.255 192.7.225.0 0.0.0.255
50 permit ip 192.7.225.0 0.0.0.255 192.7.221.0 0.0.0.255
(from/to vlan 5)
60 permit ip 192.7.221.0 0.0.0.255 192.7.226.0 0.0.0.255
70 permit ip 192.7.226.0 0.0.0.255 192.7.221.0 0.0.0.255
(from/to vlan 6)

I originally stated that I wanted 225.8 to allow traffic to 224, 226, and 221 but block all other 225 traffic, but for now I'm wanting to leave the entire 225 subnet open.

Thanks again,
Ryan
Pieter 't Hart
Honored Contributor
Solution

Re: ACL question

In or out is a design tradeoff.

If you think of the router as a separate device and the vlans as separate (managed) networks, it may be easier to see the difference.
Where do you want to have control of access to the network?

If the network is collapsed into a single switch, with central control, other arguments may apply.

Theoretically "out" gives less overhead than "in". Using "in" gives a simpler configuration.

Using "out", data is filtered before it's passed to the other subnet.
Using "in", data from one subnet/vlan to another subnet/vlan is first forwarded to the routing backplane, and only then is it filtered (in to vlan-x).

If you use "out", then for all vlans a, b, c, d you must add a rule to each vlan's separate ACL to enable access to vlan-x.
Using "in", you only need to configure the ACL on vlan-x.
Matt Hobbs
Honored Contributor

Re: ACL question

I believe that inbound ACLs are more efficient, and so does the ProCurve training. Sometimes it is simpler to just use outbound ACLs though.

Download the student guide from here and read the ACL chapter. Best thing I ever read when I was first trying to get my head around it.

http://procurve.com/network-training/training/technical/ase/irf.htm
Pieter 't Hart
Honored Contributor

Re: ACL question

Hey Matt,
That's an interesting link.
I'll surely dive into that in spare hours.

Regards,
Pieter
Ryan_D
Advisor

Re: ACL question

Thanks to both of you!
Pieter 't Hart
Honored Contributor

Re: ACL question

Ryan, thanks for assigning points.
Pieter