Network Management

ACL for guest network VLAN and ACL's protocol number

  • 1.  ACL for guest network VLAN and ACL's protocol number

    Posted Jun 26, 2022 08:22 PM

    Dear friends,

    Please help,

    I would like to add an ACL for our guest network VLAN 150 so that it is only able to access: DNS (port: 67 or 68?), DHCP (tcp 53?) (server range: 10.8.2.0/24), the Clearpass server (10.8.103.0/26) and also the internet.

    My access list will look like this: 

    access-list ip VLAN_150_Out
    vsx-sync
        !
    10 permit udp any 10.8.2.0 0.0.0.255 eq 67 log count
    15 permit tcp any 10.8.2.0 0.0.0.255 eq 53 log count
    20 permit udp any 10.8.2.0 0.0.0.255 eq 53 log count
    30 permit any any 10.8.103.0 0.0.0.255 log count
    40 permit tcp any any eq 80 log count
    50 permit tcp any any eq 443 log count
    1001 deny any any any log count

    And then apply this list to VLAN 150 route out. 

    Does it look correct? 

    Thanks
    ML



    ------------------------------
    Becoming a Networking Engineer
    ------------------------------


  • 2.  RE: ACL for guest network VLAN and ACL's protocol number

    EMPLOYEE
    Posted Jun 26, 2022 08:54 PM
    Which product are you applying this ACL to?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: ACL for guest network VLAN and ACL's protocol number

    Posted Jun 26, 2022 08:57 PM

    Version ArubaOS-CX LL.10.06.0112

    Thanks,
    ML



    ------------------------------
    Becoming a Networking Engineer
    ------------------------------



  • 4.  RE: ACL for guest network VLAN and ACL's protocol number

    MVP GURU
    Posted Jun 27, 2022 06:44 AM

    Hi, if I were you I would apply that ACL "VLAN_150_Out" (and if I were you I would name it "VLAN-150" too, or something like that, just to have a reference to VLAN id 150 only) in the incoming direction (the point of view is: incoming into the SVI, as seen by VLAN 150), not in the outgoing direction as you wrote.

    Note that the wildcard for the 10.8.103.0/26 network is 0.0.0.63 so the ACE:

    30 permit any any 10.8.103.0 0.0.0.255 log count

    would become:

    30 permit any any 10.8.103.0 0.0.0.63 log count

    but the point is that the ACL already has an implicit (hidden) Deny any/any at its very end so your ACE 1001 seems not so useful and, generally, the ACL structure would be made of: some ACEs of Permit -> some ACEs of Deny -> an explicit ACE of Permit Any/Any (which will only pass on what wasn't explicitly denied before thanks to any previous - matching first - Permit ACEs eventually present) and then, finally, the (implicit) Deny Any/Any ACE. So probably you should rework it a little bit to fit your needs.



  • 5.  RE: ACL for guest network VLAN and ACL's protocol number

    Posted Jun 27, 2022 07:40 PM
    Hi Parnassus, 

    Thanks a lot for picking that out. You are correct about /26: the wildcard mask should be 0.0.0.63. Also, I took out the ACE "deny any any any" as you explained it will deny everything apart from the "Allow" ACEs.

    So I have updated ACL to: 

    access-list ip VLAN_ACL_150
    vsx-sync
        !
    10 permit udp 10.8.2.0 0.0.0.255 any eq 67 log count
    15 permit tcp 10.8.2.0 0.0.0.255 any eq 53 log count
    20 permit udp 10.8.2.0 0.0.0.255 any eq 53 log count
    30 permit any 10.8.103.0 0.0.0.63 any log count
    40 permit tcp any any eq 80 log count
    50 permit tcp any any eq 443 log count


    Now my questions are: 

    1. Would this ACL allow the DNS and DHCP service from our domain servers in the 10.8.2.0 range? Is this even correct: "10 permit udp 10.8.2.0 0.0.0.255 any eq 67 log count"? Or can I use "10 permit dns 10.8.2.0 0.0.0.255 any log count"?

    2. VLAN 150 is the guest network range; I don't want any devices from this scope to reach our production range (server VLAN, building VLANs, and 802.1X range) apart from getting IP, DNS services and Clearpass authentication. Should I apply the ACL to the VLAN as out?

    Thanks
    ML




    ------------------------------
    Becoming a Networking Engineer
    ------------------------------



  • 6.  RE: ACL for guest network VLAN and ACL's protocol number

    MVP GURU
    Posted Jun 28, 2022 02:36 AM
    Hi ML,

    Let me suppose the Net/Mask of VLAN 150 can be represented as <VLAN-150-Net>/<VLAN-150-Mask> and all other internally connected VLANs you DON'T WANT VLAN 150 to communicate with can be represented as <internal-VLAN-Net-n>/<internal-VLAN-Mask-n>; then an ACL made with these ACEs:

    10 permit udp <VLAN-150-Net> <VLAN-150-Mask> 10.8.2.0 0.0.0.255 eq 67 log count <---------- permit UDP/67 to 10.8.2.0 /24 subnet
    15 permit tcp <VLAN-150-Net> <VLAN-150-Mask> 10.8.2.0 0.0.0.255 eq 53 log count <---------- permit TCP/53 to 10.8.2.0 /24 subnet
    20 permit udp <VLAN-150-Net> <VLAN-150-Mask> 10.8.2.0 0.0.0.255 eq 53 log count <---------- permit UDP/53 to 10.8.2.0 /24 subnet

    30 permit ip <VLAN-150-Net> <VLAN-150-Mask> 10.8.103.0 0.0.0.63 log count <---------------- permit IP to ClearPass Servers' subnet

    40 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-1> <internal-VLAN-Mask-1> <-- deny ANY Protocol to <internal-VLAN-Net-1> subnet
    50 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-2> <internal-VLAN-Mask-2> <-- deny ANY Protocol to <internal-VLAN-Net-2> subnet
    60 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-3> <internal-VLAN-Mask-3> <-- deny ANY Protocol to <internal-VLAN-Net-3> subnet
    70 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-4> <internal-VLAN-Mask-4> <-- deny ANY Protocol to <internal-VLAN-Net-4> subnet
    .
    .
    90 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-n> <internal-VLAN-Mask-n> <-- deny ANY Protocol to <internal-VLAN-Net-n> subnet

    140 permit tcp any any eq 80 log count <--------------------------------------------------- permit TCP/80 any source/any destination (not previously explicitly denied)
    150 permit tcp any any eq 443 log count <-------------------------------------------------- permit TCP/443 any source/any destination (not previously explicitly denied)

    with the final implicit (hidden) Deny any/any...should work.

    An ACL with those ACEs should work the way you wanted if applied in the in(coming) direction on the VLAN 150 (YMMV).

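    The wildcard-mask and first-match points raised in replies 4 and 6 (a /26 needs 0.0.0.63, an explicit final deny duplicates the implicit one, and explicit denies must sit before the broad tcp/80 and tcp/443 permits) can be checked offline with a small first-match evaluator. The following is an added example, not code from this thread or from HPE Aruba; it parses only the subset of ArubaOS-CX ACE syntax used above and fills the <VLAN-150-Net> and <internal-VLAN-Net-n> placeholders of reply 6 with constructed values (guest VLAN 10.150.0.0/24, internal VLANs 10.8.50.0/24 and 10.8.60.0/24).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Optional[Tuple[int, int]]  # (network, wildcard) as ints; None means "any"


@dataclass
class ACE:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "any", "ip", "tcp" or "udp"
    src: Addr
    dst: Addr
    dport: Optional[int]   # destination port from "eq N", if present


def cidr_to_wildcard(prefix_len: int) -> str:
    """Wildcard = inverted netmask: /24 -> 0.0.0.255, /26 -> 0.0.0.63."""
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def _parse_addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    """Consume 'any' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return None, i + 1
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acl(text: str) -> List[ACE]:
    """Parse 'seq action proto src dst [eq port] [log] [count]' lines; lines that do
    not start with a sequence number (access-list, vsx-sync, !) are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, i = _parse_addr(tokens, 3)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        aces.append(ACE(seq, action, proto, src, dst, dport))
    return sorted(aces, key=lambda a: a.seq)   # the switch evaluates in seq order


def _addr_matches(spec: Addr, addr: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; only the 0 bits are compared."""
    if spec is None:
        return True
    net, wild = spec
    care = wild ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(aces, proto, src, dst, dport=None):
    """Return (action, seq) of the first matching ACE; ("deny", None) is the implicit deny."""
    for ace in aces:
        if ace.proto not in ("any", "ip", proto):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if _addr_matches(ace.src, src) and _addr_matches(ace.dst, dst):
            return ace.action, ace.seq
    return "deny", None


# ACL exactly as posted in the first message of the thread.
ORIGINAL_ACL = parse_acl("""
10 permit udp any 10.8.2.0 0.0.0.255 eq 67 log count
15 permit tcp any 10.8.2.0 0.0.0.255 eq 53 log count
20 permit udp any 10.8.2.0 0.0.0.255 eq 53 log count
30 permit any any 10.8.103.0 0.0.0.255 log count
40 permit tcp any any eq 80 log count
50 permit tcp any any eq 443 log count
1001 deny any any any log count
""")

# Structure from reply 6 with constructed values (assumptions, not from the thread):
# guest VLAN 150 = 10.150.0.0/24, internal VLANs = 10.8.50.0/24 and 10.8.60.0/24.
GUEST = "10.150.0.25"   # constructed guest client address
REWORKED_ACL = parse_acl("""
10 permit udp 10.150.0.0 0.0.0.255 10.8.2.0 0.0.0.255 eq 67 log count
15 permit tcp 10.150.0.0 0.0.0.255 10.8.2.0 0.0.0.255 eq 53 log count
20 permit udp 10.150.0.0 0.0.0.255 10.8.2.0 0.0.0.255 eq 53 log count
30 permit ip 10.150.0.0 0.0.0.255 10.8.103.0 0.0.0.63 log count
40 deny any 10.150.0.0 0.0.0.255 10.8.50.0 0.0.0.255
50 deny any 10.150.0.0 0.0.0.255 10.8.60.0 0.0.0.255
140 permit tcp any any eq 80 log count
150 permit tcp any any eq 443 log count
""")

if __name__ == "__main__":
    print(cidr_to_wildcard(26))                                      # 0.0.0.63
    print(evaluate(ORIGINAL_ACL, "tcp", GUEST, "10.8.103.100", 22))  # ('permit', 30): /24 wildcard over-permits
    print(evaluate(REWORKED_ACL, "tcp", GUEST, "10.8.50.5", 443))    # ('deny', 40): deny precedes permit 150
```

    The evaluator is stateless and direction-agnostic: it only answers "would this packet, as presented to the ACL, match a permit or a deny", so the source/destination order in each ACE has to match the direction the ACL is applied in (reply 6 puts the guest subnet as source because the ACL is meant for the incoming direction on VLAN 150). Running the original ACL shows that ACE 30 with wildcard 0.0.0.255 permits traffic to 10.8.103.100, which lies outside 10.8.103.0/26, and that ACE 50 permits tcp/443 into any internal subnet; the reworked structure denies the internal subnets first and then falls through to the web permits, and removing "1001 deny any any any" changes only the sequence number reported for a denied packet, not the verdict.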

  • 7.  RE: ACL for guest network VLAN and ACL's protocol number