Wired Intelligent Edge


2930F Access list issues

  • 1.  2930F Access list issues

    Posted Mar 19, 2018 03:10 PM

    Hi guys,

     

    I've been tasked to integrate a 2930F switch with a Fortigate firewall and 2 other 1820-48G switches downstream (VLAN trunked) to it.

    I've separated out the 2930F to do a trial / PoC on my own prior to deployment and have encountered some issues with which I need help (or where I went wrong).

     

    Basically there are 7 VLANs:

    - VLAN1 (directly routed to the firewall via a static route for all the respective subnets)

    - VLAN10 (IP-Phones)

    - VLAN20 (CCTV)

    - VLAN30 (Corp WLAN)

    - VLAN32 (Guest WLAN)

    - VLAN40 (Corp LAN)

    - VLAN100 (Server LAN)

     

    The goal was simple (or so I thought): to create an access list to not allow VLAN 10,20,32 to reach VLAN100.

    I proceeded to create the following access list, as most of the documents have advised:

    ip access-list extended "TEST"
    10 deny ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 log
    20 deny ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 log
    30 deny ip 192.168.32.0 255.255.255.0 192.168.2.0 255.255.255.0 log
    40 deny ip 192.168.33.0 255.255.255.0 192.168.2.0 255.255.255.0 log
    50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

    I've placed the access list in the following VLAN:

    vlan 100
    name "SVRS"
    untagged 1
    ip access-group "TEST" in
    ip address 192.168.2.1 255.255.255.0
    dhcp-server
    exit

    The odd issue here is that the "DENY" on the ACL does not seem to be working.

    With the above ACL in place, I am still able to reach the machine on the .2 network from a test machine on .10.

    What am I missing?



  • 2.  RE: 2930F Access list issues

    Posted Mar 19, 2018 03:36 PM
    Configure the ACL on VLAN 10,20,32, or add the ACL to VLAN 100 as an outbound ACL instead of an inbound one.


  • 3.  RE: 2930F Access list issues

    Posted Mar 19, 2018 10:04 PM

    @Willem Bargeman wrote:
    Configure the ACL on VLAN 10,20,32, or add the ACL to VLAN 100 as an outbound ACL instead of an inbound one.

    This is the odd result I'm getting.

    Just for testing, changed the access-list to (just to narrow down to 1 subnet):

    ACL:

    ip access-list extended "TEST"
         10 deny ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 log
         20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

    VLAN10 interface:

    vlan 10
       name "VLAN10"
       untagged 2
       ip access-group "TEST" out
       ip address 192.168.10.1 255.255.255.0
       voice
       dhcp-server

    With the ACL direction set to outbound on VLAN10, for some odd reason the ACL is not working:

    CORE# sh statistics aclv4 TEST vlan 10 out
    
     Hit Counts for ACL TEST
    
      Total
    (       0 )    10 deny ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
     log
    (     254 )    20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

    I am still able to ping 192.168.2.51 (a test machine sitting in VLAN100) from a machine in VLAN10 (192.168.10.11).

    The above statistics show it is simply "passing through" the deny.

     

    Routing table:

    CORE#  sh ip route
    
                                    IP Route Entries
    
      Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
      ------------------ --------------- ---- --------- ---------- ---------- -----
      0.0.0.0/0          172.16.1.1      1    static               1          1
      127.0.0.0/8        reject               static               0          0
      127.0.0.1/32       lo0                  connected            1          0
      172.16.1.0/24      DEFAULT_VLAN    1    connected            1          0
      192.168.2.0/24     SVRS            100  connected            1          0
      192.168.10.0/24    VLAN10          10   connected            1          0


  • 4.  RE: 2930F Access list issues

    Posted Mar 20, 2018 05:03 PM

    Hi,

     

    The subnet mask is an inverse mask. This is the reason why the ACL is not working. Please try to change the ACL to the following:

     

    ip access-list extended "TEST"
    10 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 log
    20 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255 log
    30 deny ip 192.168.32.0 0.0.0.255 192.168.2.0 0.0.0.255 log
    40 deny ip 192.168.33.0 0.0.0.255 192.168.2.0 0.0.0.255 log
    50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

     

    I would advise adding this ACL as an inbound ACL to each VLAN from which you want to block traffic.



  • 5.  RE: 2930F Access list issues

    Posted Mar 20, 2018 09:45 PM

    @Willem Bargeman wrote:

    Hi,

     

    The subnet mask is an inverse mask. This is the reason why the ACL is not working. Please try to change the ACL to the following:

     

    ip access-list extended "TEST"
    10 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 log
    20 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255 log
    30 deny ip 192.168.32.0 0.0.0.255 192.168.2.0 0.0.0.255 log
    40 deny ip 192.168.33.0 0.0.0.255 192.168.2.0 0.0.0.255 log
    50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

     

    I would advise adding this ACL as an inbound ACL to each VLAN from which you want to block traffic.


    Hi Willem,

     

    Thank you for your reply.

     

    The oddity is back again, unfortunately. I've readjusted it to be an inverse subnet mask.

     

    ip access-list extended "TEST"
         10 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 log
         20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

    Added TEST as an inbound rule on VLAN100

     

    vlan 100
       name "SVRS"
       untagged 1
       ip access-group "TEST" in
       ip address 192.168.2.1 255.255.255.0
       dhcp-server

    But I am still able to ping through without it hitting the DENY rule.

    CORE# sh statistics aclv4 TEST vlan 100 in
    
     Hit Counts for ACL TEST
    
      Total
    (       0 )    10 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 log
    (     262 )    20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

     Just for kicks, I did a DENY host from my single host (source) 192.168.10.11 to (destination) 192.168.2.51.

     

    It still passed through the ACL.

    Firewall routing and policies as below:

    (Screenshots: Capture1.JPG, Capture2.JPG, Capture3.JPG)

     

     

     



  • 6.  RE: 2930F Access list issues
    Best Answer

    Posted Mar 21, 2018 02:37 AM

    You are adding the ACL in the wrong direction. 

     

    10 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 log

     

    The above statement means that you block traffic from 192.168.10.x to 192.168.2.x. When you add this ACL to a VLAN with subnet 192.168.2.x as an inbound ACL, this ACL will never match. An inbound ACL is processed when traffic is incoming and an outbound one when traffic leaves the switch / VLAN.

     

    Please add this ACL to VLAN10 as an inbound ACL.



  • 7.  RE: 2930F Access list issues

    Posted Mar 21, 2018 11:00 AM

    Thank you.

     

    Your last solution worked!

    I was interpreting the ACLs wrongly.



  • 8.  RE: 2930F Access list issues

    Posted Nov 08, 2018 01:02 AM

    @dethangel wrote:

    Thank you.

     

    Your last solution worked!

    I was interpreting the ACLs wrongly.


    Hello Dethangel.

     

    Please, share the configuration that worked for you.

     

    Thanks.

    Regards.



  • 9.  RE: 2930F Access list issues

    Posted May 20, 2020 05:26 PM

    Hello everyone,
    I know this topic is old, but I need something similar to this.
    I have 3 VLANs; on these VLANs (VLAN 3 and VLAN 100) I have these ACLs:

     

         1 permit udp 192.168.100.0 0.0.0.255 192.168.1.50 0.0.0.0 eq 67
         2 permit udp 192.168.100.0 0.0.0.255 192.168.1.50 0.0.0.0 eq 68
         10 permit udp 192.168.100.0 0.0.0.255 192.168.1.50 0.0.0.0 eq 53
         20 permit icmp 192.168.100.0 0.0.0.255 192.168.1.50 0.0.0.0 0
         29 permit ip 192.168.100.0 0.0.0.255 192.168.1.79 0.0.0.0 log
         30 permit ip 192.168.100.0 0.0.0.255 192.168.0.245 0.0.0.0
         31 permit udp 192.168.100.0 0.0.0.255 192.168.1.71 0.0.0.0 eq 67
         32 permit udp 192.168.100.0 0.0.0.255 192.168.1.71 0.0.0.0 eq 68
         33 permit udp 192.168.100.0 0.0.0.255 192.168.1.71 0.0.0.0 eq 53
         34 permit icmp 192.168.100.0 0.0.0.255 192.168.1.71 0.0.0.0 0
         35 permit ip 192.168.100.0 0.0.0.255 192.168.1.71 0.0.0.0 log
         36 permit udp 192.168.100.0 0.0.0.255 192.168.1.79 0.0.0.0 eq 67
         37 permit udp 192.168.100.0 0.0.0.255 192.168.1.79 0.0.0.0 eq 68
         38 permit udp 192.168.100.0 0.0.0.255 192.168.1.79 0.0.0.0 eq 53
         39 permit icmp 192.168.100.0 0.0.0.255 192.168.1.79 0.0.0.0 0
         40 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
         50 deny ip 192.168.100.0 0.0.0.255 192.168.237.0 0.0.0.255
         60 deny ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255
         70 deny ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
         80 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

         10 permit udp 192.168.3.0 0.0.0.255 192.168.1.50 0.0.0.0 eq 67
         20 permit udp 192.168.3.0 0.0.0.255 192.168.1.50 0.0.0.0 eq 68
         30 permit udp 192.168.3.0 0.0.0.255 192.168.1.50 0.0.0.0 eq 53
         39 permit ip 192.168.3.0 0.0.0.255 192.168.1.79 0.0.0.0 log
         40 permit icmp 192.168.3.0 0.0.0.255 192.168.1.50 0.0.0.0 0
         41 permit udp 192.168.3.0 0.0.0.255 192.168.1.71 0.0.0.0 eq 67
         42 permit udp 192.168.3.0 0.0.0.255 192.168.1.71 0.0.0.0 eq 68
         43 permit udp 192.168.3.0 0.0.0.255 192.168.1.71 0.0.0.0 eq 53
         44 permit icmp 192.168.3.0 0.0.0.255 192.168.1.71 0.0.0.0 0
         45 permit ip 192.168.3.0 0.0.0.255 192.168.1.71 0.0.0.0 log
         46 permit udp 192.168.3.0 0.0.0.255 192.168.1.79 0.0.0.0 eq 67
         47 permit udp 192.168.3.0 0.0.0.255 192.168.1.79 0.0.0.0 eq 68
         48 permit udp 192.168.3.0 0.0.0.255 192.168.1.79 0.0.0.0 eq 53
         49 permit icmp 192.168.3.0 0.0.0.255 192.168.1.79 0.0.0.0 0
         50 permit ip 192.168.100.0 0.0.0.255 192.168.0.245 0.0.0.0
         60 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
         70 deny ip 192.168.3.0 0.0.0.255 192.168.237.0 0.0.0.255
         80 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
         90 deny ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
         100 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

    What I require is that the two VLANs have 100% communication with these VLAN 1 servers (192.168.1.71 and 192.168.1.79).