Switches, Hubs, and Modems
ACL's on ProCurve5304 Switch

SOLVED
Pamela Deline
Occasional Visitor

I am just starting to apply VLANS to our network. At present, I have the default VLAN 1
and have added a guest VLAN 116.

I want guests to be able to access internet services (which may involve more than just port 80) but I don't want the guests to access anything else on my networks.

I have tried the following:

The following works but is limited to port 80 only, and we want guests to be able to use any ports we allow through our firewall for example 23, 510,1352 and let the firewall block any disallowed ports.

ip access-list extended "100"
permit ip 10.1.116.0 0.0.0.255 10.101.1.134 0.0.0.0 (this allows 10.1.116.0 network pc to get ip address from dhcp server)
permit ip 10.1.116.0 0.0.0.255 10.101.1.116 0.0.0.0 (this allows 10.1.116.0 network pc to get to dns server)
permit ip 10.1.116.0 0.0.0.255 10.101.1.114 0.0.0.0 (this allows 10.1.116.0 network pc to get to dns server)
permit tcp 0.0.0.0 255.255.255.255 10.1.116.0 0.0.0.255 eq http (this permits any into 10.1.116.0 network)
permit tcp 10.1.116.0 0.0.0.255 10.101.2.107 255.255.255.255 eq http (this allows 10.1.116.0 network pc to get to cache)
permit tcp 10.1.116.0 0.0.0.255 10.101.2.103 255.255.255.255 eq http (this allows 10.1.116.0 network pc to get to firewall)
deny ip 10.1.116.0 0.0.0.255 0.0.0.0 255.255.255.255 (this denies 10.1.116.0 network to all other devices)
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

VLAN 116 ip access-group 100 in

So I changed tcp to ip, but now I can connect to any device and network that I did not permit for the 10.1.116.0 network.


ip access-list extended "100"
permit ip 10.1.116.0 0.0.0.255 10.101.1.134 0.0.0.0 (this allows 10.1.116.0 network pc to get ip address from dhcp server)
permit ip 10.1.116.0 0.0.0.255 10.101.1.116 0.0.0.0 (this allows 10.1.116.0 network pc to get to dns server)
permit ip 10.1.116.0 0.0.0.255 10.101.1.114 0.0.0.0 (this allows 10.1.116.0 network pc to get to dns server)
permit ip 0.0.0.0 255.255.255.255 10.1.116.0 0.0.0.255 (this allows any source address to vlan 116's 10.1.116.0 network)***
permit ip 10.1.116.0 0.0.0.255 10.101.2.107 255.255.255.255 (this allows 10.1.116.0 network access to cache)
permit ip 10.1.116.0 0.0.0.255 10.101.2.103 255.255.255.255 (this allows 10.1.116.0 network access to firewall)
deny ip 10.1.116.0 0.0.0.255 0.0.0.0 255.255.255.255 (this denies 10.116.1.116.0 to everything else)
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

VLAN 116 ip access-group 100 in


***permit ip 0.0.0.0 255.255.255.255 10.1.116.0 0.0.0.255 (this allows any source address IN to vlan 116's 10.1.116.0 network) I THINK THIS LINE IS ALLOWING ACCESS TO ALL OTHER DEVICES BUT I DO NOT UNDERSTAND WHY

IF I TELNET TO 10.102.2.100 FROM THE 10.1.116.0 NETWORK IT IS SUCCESSFUL EVEN THOUGH I DON'T HAVE:

PERMIT IP 10.1.116.0 0.0.0.255 10.102.2.100 0.0.0.0 IN MY ACL ????????why can I telnet to this device?????????
3 REPLIES
Mohieddin Kharnoub
Honored Contributor
Solution

Re: ACL's on ProCurve5304 Switch

Hi

If you want to allow internet traffic from one Vlan, then you have to look for your Default Route.

I assume you have a default route to the firewall: 10.101.2.103, and I assume you are using a proxy to redirect all internet traffic to pass by a Cache box: 10.101.2.107.

In this case, your 2 entries for firewall and cache are incorrect:
-------------------------------------------
permit ip 10.1.116.0 0.0.0.255 10.101.2.107 0.0.0.0 (this allows 10.1.116.0 network access to cache - change 255.255.255.255)

permit ip 10.1.116.0 0.0.0.255 10.101.2.103 0.0.0.0 (this allows 10.1.116.0 network access to firewall - change 255.255.255.255)
-------------------------------------------

So your ACL should be like this after rearranging some entries also:

ip access-list extended "100"
permit ip 10.1.116.0 0.0.0.255 10.101.1.134 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.1.116 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.1.114 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.2.107 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.2.103 0.0.0.0
permit ip 0.0.0.0 255.255.255.255 10.1.116.0 0.0.0.255
deny ip 10.1.116.0 0.0.0.255 0.0.0.0 255.255.255.255
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
----------------------------------------
Also you should be sure to have a route back from the firewall network 10.101.1.0/24 to Vlan116 network 10.1.116.0/24.

Good Luck !!!


Science for Everyone
Pamela Deline
Occasional Visitor

Re: ACL's on ProCurve5304 Switch

Tried the following and still could not access the internet. The reason is listed below.

ip access-list extended 105
permit ip 10.1.116.0 0.0.0.255 10.101.1.134 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.1.116 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.1.114 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.2.103 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.2.107 0.0.0.0
deny ip 10.1.116.0 0.0.0.255 0.0.0.0 255.255.255.255
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

We set each pc's default gateway to be the router, and Internet Explorer uses this to get to firewall. However, if I change Internet Explorer Internet Options to use a Proxy server (10.101.2.107) then the above works.

thanks again
Pamela Deline
Occasional Visitor

Re: ACL's on ProCurve5304 Switch

Since our computers do not have a proxy server set up in Internet Explorer and we don't want to change that, I have rewritten the ACL to deny the 10.1.116.0 network access to all other 10.0.0.0 networks and permit all other networks. This is exactly what I wanted and it works.

ip access-list extended 106
permit ip 10.1.116.0 0.0.0.255 10.101.1.134 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.1.116 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.1.114 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.2.103 0.0.0.0
permit ip 10.1.116.0 0.0.0.255 10.101.2.107 0.0.0.0
deny ip 10.1.116.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
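As an added illustration (not from the thread or from HP), here is a small Python evaluator that applies ProCurve wildcard-mask and first-match semantics to the ACLs posted above. The guest host 10.1.116.5 and the external address 93.184.216.34 are constructed sample values. It shows why ACL 100 as posted permits a telnet to 10.102.2.100 (the 255.255.255.255 mask on the cache and firewall entries matches any destination), why the corrected ACL 100 blocks direct internet traffic unless a proxy is used, and how ACL 106 permits it.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """ProCurve ACL mask semantics: a 0 bit must match, a 1 bit is ignored,
    so 0.0.0.0 means 'exactly this host' and 255.255.255.255 means 'any'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)

def parse_ace(line):
    """Parse 'permit|deny <proto> SRC SRCMASK DST DSTMASK' (a trailing 'eq <port>' is ignored)."""
    action, proto, src, smask, dst, dmask = line.split()[:6]
    return dict(action=action, proto=proto, src=src, smask=smask, dst=dst, dmask=dmask)

def evaluate(acl, src, dst, proto="ip"):
    """First-match evaluation as the switch does it: the first ACE whose source and
    destination both match decides; a packet matching nothing is implicitly denied."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] in ("ip", proto) and wildcard_match(src, ace["src"], ace["smask"]) \
                and wildcard_match(dst, ace["dst"], ace["dmask"]):
            return ace["action"], line
    return "deny", "(implicit deny)"

# ACL 100 as posted in the question (the version that let guests reach everything).
ACL_100 = [
    "permit ip 10.1.116.0 0.0.0.255 10.101.1.134 0.0.0.0",
    "permit ip 10.1.116.0 0.0.0.255 10.101.1.116 0.0.0.0",
    "permit ip 10.1.116.0 0.0.0.255 10.101.1.114 0.0.0.0",
    "permit ip 0.0.0.0 255.255.255.255 10.1.116.0 0.0.0.255",
    "permit ip 10.1.116.0 0.0.0.255 10.101.2.107 255.255.255.255",
    "permit ip 10.1.116.0 0.0.0.255 10.101.2.103 255.255.255.255",
    "deny ip 10.1.116.0 0.0.0.255 0.0.0.0 255.255.255.255",
    "permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]
# The same ACL with the two host entries corrected to the 0.0.0.0 host mask.
ACL_100_FIXED = [l.replace(" 255.255.255.255", " 0.0.0.0") if l.startswith("permit ip 10.1.116.0") else l
                 for l in ACL_100]
# ACL 106, the final working version from the last post.
ACL_106 = ACL_100[:3] + [
    "permit ip 10.1.116.0 0.0.0.255 10.101.2.103 0.0.0.0",
    "permit ip 10.1.116.0 0.0.0.255 10.101.2.107 0.0.0.0",
    "deny ip 10.1.116.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]

if __name__ == "__main__":
    # Guest PC 10.1.116.5 (constructed) telnetting to 10.102.2.100, as in the question.
    for name, acl in (("ACL 100", ACL_100), ("ACL 100 fixed", ACL_100_FIXED), ("ACL 106", ACL_106)):
        print(name, evaluate(acl, "10.1.116.5", "10.102.2.100"))
```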