
Create VLAN with ACL to restrict ssh only traffic

voltz
Occasional Visitor

All,
New to advanced switching features. Hoping you can help me out.

I have a default switch up and running with a bunch of client workstations. (IP: 10.1.1.2 with /24 Mask) Connected to a router with multiple vpn connections to other offices (Router ip 10.1.1.1). We have a public server that we would like to connect to which we will do by running a fiber connection to a remote HP Layer2 switch. (Server ip 10.10.10.20) We would like to keep the traffic separated for security, allowing only port 22/80 for SSH/HTTP traffic from the clients to the server, and not allowing the server to contact any of the devices on the 10.1.1.0/24 network.

The Fiber connection is on port 24.

I've created a VLAN (400 - same as the remote HP switch) with untagged port 24.

I assume I have to turn on ip routing, and also set up the default route to the router, and route the associated traffic to the public server.

Can someone lay out what I need and associated config entries?

Thanks!


7 REPLIES
Michael_Breuer
Esteemed Contributor

Re: Create VLAN with ACL to restrict ssh only traffic

Hello,

what switch model do you have?

Cheers,

Michael
Ingentive Networks GmbH
voltz
Occasional Visitor

Re: Create VLAN with ACL to restrict ssh only traffic

procurve 2910al
Michael_Breuer
Esteemed Contributor

Re: Create VLAN with ACL to restrict ssh only traffic

Hello,

the config should be something like this:

vlan 1
name "01_CLIENT"
ip address 10.1.1.254/24
ip access-group ACL_01 in
untagged 1-22 // Client ports

vlan 400
name "400_SERVER"
ip address 10.10.10.254/24
untagged 24

vlan 99
name "99_TRANSFER_TO_VPN_ROUTER" // dedicated transfer network to router is recommended
ip address 10.10.99.254/24 // you have to assign a new IP address on the router i.e. 10.10.99.1
untagged 23 // port with Router

ip access-list extended ACL_01
permit tcp 10.1.1.0 0.0.0.255 host 10.10.10.20 eq 22 // Allow SSH to the server
permit tcp 10.1.1.0 0.0.0.255 host 10.10.10.20 eq 80 // Allow HTTP to the server
deny ip 10.1.1.0 0.0.0.255 10.10.10.0 0.0.0.255 log // deny everything else to 10.10.10.0/24
permit ip any any // allow everything else

You can also set a second ACL on VLAN 400 to protect the opposite direction to VLAN 1.

Have a look in the ACL chapter for details: http://cdn.procurve.com/training/Manuals/2910-ASG-Feb09-9-ACLs.pdf

Cheers,

Michael
Ingentive Networks GmbH
voltz
Occasional Visitor

Re: Create VLAN with ACL to restrict ssh only traffic

Hi Michael,

Thanks for the follow up.

As far as routing, I will need to enable it on the switch correct? Then also add a static route on our router to point at the ip address of the switch.

I would then have to set the default gateway for all vlans to the router ip correct?

Thanks!
Michael_Breuer
Esteemed Contributor

Re: Create VLAN with ACL to restrict ssh only traffic

Hello,

sure: "ip routing" needs to be enabled.

And you have to set static routes for network 10.1.1/24 and 10.10.10/24 pointing to the procurve: 10.10.99.254 (in my example).

All hosts need to get the local gateway IP address of the switch:
clients in VLAN 1: 10.1.1.254
server in VLAN 400: 10.10.10.254
static default route on the procurve:
ip route 0.0.0.0 0.0.0.0 10.10.99.1

Cheers,

Michael
Ingentive Networks GmbH
voltz
Occasional Visitor

Re: Create VLAN with ACL to restrict ssh only traffic

Hi Michael,

Again thanks for the follow up! We're mostly concerned about users on the server connecting into our client network so I have added the other ACL for VLAN 400 (in). Since we also have a few web servers on the 10.1.1.0/24 network, I do not want to allow all port 80 traffic from the server.

I believe I can do this by making the ACL "established"?

ip access-list extended CLUSTERIN_ACL
permit tcp 10.10.10.20 0.0.0.0 10.1.1.0 0.0.0.255 eq 22 established
permit tcp 10.10.10.20 0.0.0.0 10.1.1.0 0.0.0.255 eq 80 established
deny ip 10.10.10.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any

So any originating connection from the client side will allow the traffic that's only established. Do I understand this right?
Michael_Breuer
Esteemed Contributor

Re: Create VLAN with ACL to restrict ssh only traffic

Note that the SSH and HTTP return traffic has TCP SOURCE port 22 and 80. Thus I assume the ACL should look like this:

ip access-list extended CLUSTERIN_ACL
permit tcp 10.10.10.20 0.0.0.0 eq 22 10.1.1.0 0.0.0.255 established
permit tcp 10.10.10.20 0.0.0.0 eq 80 10.1.1.0 0.0.0.255 established
deny ip 10.10.10.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any

Cheers,

Michael
Ingentive Networks GmbH
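The difference between the two CLUSTERIN_ACL versions in this thread is easy to get wrong by reading alone, so here is an added example (not code from the thread, from HP, or from Ingentive) that models the ProCurve extended-ACL matching rules the posts rely on: wildcard masks, `host`/`any`, an optional `eq PORT` after either address, first-match-wins, and the implicit deny at the end. It evaluates the ACL_01 from Michael's reply and both versions of CLUSTERIN_ACL against constructed packets. Assumptions: `established` is modelled as "TCP segment with the ACK bit set", which is how a stateless switch ACL approximates reply traffic; the client and server addresses, ports and the helper names (`parse_ace`, `evaluate`, `scenarios`) are all made up for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """One IP packet as the VLAN ACL sees it (constructed test input)."""
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # True when the TCP ACK flag is set (reply traffic)


def _addr_matcher(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (fn, next i)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        h = ipaddress.ip_address(tokens[i + 1])
        return (lambda ip: ip == h), i + 2
    base = int(ipaddress.ip_address(tokens[i]))
    wild = int(ipaddress.ip_address(tokens[i + 1]))   # wildcard: 1 bits are "don't care"
    return (lambda ip: (int(ip) | wild) == (base | wild)), i + 2


def _port_matcher(tokens, i):
    """Parse an optional 'eq PORT' at tokens[i]; return (fn, next i)."""
    if i < len(tokens) and tokens[i] == "eq":
        port = int(tokens[i + 1])
        return (lambda p: p == port), i + 2
    return (lambda p: True), i


def parse_ace(line):
    """Parse one entry, e.g. 'permit tcp 10.1.1.0 0.0.0.255 host 10.10.10.20 eq 22'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _addr_matcher(t, 2)
    sport, i = _port_matcher(t, i)      # 'eq' here = SOURCE port
    dst, i = _addr_matcher(t, i)
    dport, i = _port_matcher(t, i)      # 'eq' here = DESTINATION port
    flags = set(t[i:])                  # trailing keywords: established, log
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in flags}


def evaluate(acl, pkt):
    """Return (decision, index of the matching entry); ('deny', None) means the
    implicit deny that ends every ACL was hit."""
    s_ip, d_ip = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for n, line in enumerate(acl):
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not (ace["src"](s_ip) and ace["dst"](d_ip)):
            continue
        if not (ace["sport"](pkt.sport) and ace["dport"](pkt.dport)):
            continue
        if ace["established"] and not (pkt.proto == "tcp" and pkt.ack):
            continue                    # a fresh SYN carries no ACK bit
        return ace["action"], n
    return "deny", None


# ACL_01, inbound on VLAN 1 (entries as posted in the thread, annotations removed)
ACL_01 = [
    "permit tcp 10.1.1.0 0.0.0.255 host 10.10.10.20 eq 22",
    "permit tcp 10.1.1.0 0.0.0.255 host 10.10.10.20 eq 80",
    "deny ip 10.1.1.0 0.0.0.255 10.10.10.0 0.0.0.255 log",
    "permit ip any any",
]
# First CLUSTERIN_ACL attempt: 'eq 22' sits after the DESTINATION address
CLUSTERIN_FIRST = [
    "permit tcp 10.10.10.20 0.0.0.0 10.1.1.0 0.0.0.255 eq 22 established",
    "permit tcp 10.10.10.20 0.0.0.0 10.1.1.0 0.0.0.255 eq 80 established",
    "deny ip 10.10.10.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "permit ip any any",
]
# Corrected CLUSTERIN_ACL: 'eq 22' sits after the SOURCE address
CLUSTERIN_FIXED = [
    "permit tcp 10.10.10.20 0.0.0.0 eq 22 10.1.1.0 0.0.0.255 established",
    "permit tcp 10.10.10.20 0.0.0.0 eq 80 10.1.1.0 0.0.0.255 established",
    "deny ip 10.10.10.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "permit ip any any",
]


def scenarios():
    """Constructed packets for the cases the thread cares about; decisions by name."""
    client_syn = Packet("tcp", "10.1.1.50", "10.10.10.20", 40000, 22)            # client opens SSH
    ssh_reply = Packet("tcp", "10.10.10.20", "10.1.1.50", 22, 40000, ack=True)   # server answers
    server_to_web = Packet("tcp", "10.10.10.20", "10.1.1.10", 50000, 80)         # server-initiated
    return {
        "client ssh syn (ACL_01)":       evaluate(ACL_01, client_syn)[0],
        "ssh reply (first CLUSTERIN)":   evaluate(CLUSTERIN_FIRST, ssh_reply)[0],
        "ssh reply (fixed CLUSTERIN)":   evaluate(CLUSTERIN_FIXED, ssh_reply)[0],
        "server-initiated http (fixed)": evaluate(CLUSTERIN_FIXED, server_to_web)[0],
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:32s} -> {decision}")
```

Running it shows why Michael's correction matters: with `eq 22` on the destination, the server's SSH reply (source port 22, destination port 40000) falls through to the `deny` entry and the session never completes; with `eq 22` on the source it is permitted, while a server-initiated SYN towards a web server on 10.1.1.0/24 is still denied because it has no ACK bit. Keep in mind that `established` on a switch ACL is a stateless flag check, not connection tracking, so the evaluator (like the switch) does not know whether a handshake actually took place; the SYN-has-no-ACK property is what blocks new sessions from the server side.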