Hi, speaking about ACLs and using ArubaOS-CX means that:
so both notations should be accepted (CIDR subnet mask notation or Dotted Decimal notation).
Original Message:
Sent: Jul 08, 2022 01:33 AM
From: Mang Lai
Subject: ACL for guest network VLAN and ACL's protocol number
Hi Davide,
I tried adding ACEs in this format:
100 permit udp 10.8.150.0 0.0.1.255 10.8.2.0 0.0.0.255 eq 67 log count
110 permit tcp 10.8.150.0 0.0.1.255 10.8.2.0 0.0.0.255 eq 53 log count
120 permit udp 10.8.150.0 0.0.1.255 10.8.2.0 0.0.0.255 eq 53 log count
130 permit ip 10.8.150.0 0.0.1.255 10.8.103.0 0.0.0.63 log count
It does not seem to be working, and I tried:
100 permit udp 10.8.150.0/23 10.8.2.0/24 eq 67 log count
110 permit tcp 10.8.150.0/23 10.8.2.0/24 eq 53 log count
120 permit udp 10.8.150.0/23 10.8.2.0/24 eq 53 log count
130 permit ip 10.8.150.0/23 10.8.103.0/26 log count
190 permit tcp 10.8.150.0/23 any eq 80 log count
200 permit tcp 10.8.150.0/23 any eq 443 log count
.
.
.
.
After I applied it to the ACL, the actual ACL had been changed to:
100 permit udp 10.8.150.0/255.255.254.0 10.8.2.0/255.255.255.0 eq 67 log count
So it does not matter what format I tried, right?
Thanks,
ML
------------------------------
Becoming a Networking Engineer
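The two posts above (the switch rewriting `10.8.150.0 0.0.1.255` or `10.8.150.0/23` into `10.8.150.0/255.255.254.0`, and the note that both CIDR and dotted-decimal notation are accepted) come down to the same prefix length expressed three ways. The following is an added example, not code from the thread or from Aruba: it converts between wildcard, prefix length and netmask, rejects non-contiguous wildcards, and normalizes an ACE line into the `net/netmask` form the switch displays. The ACE grammar it parses (`seq action proto src [wildcard] dst [wildcard] rest...`) is assumed from the lines posted in the thread and covers only the forms shown there.

```python
"""Normalize ArubaOS-CX style IPv4 ACE address notation (added example)."""

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a dotted quad: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def _to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def wildcard_to_prefix(wildcard: str) -> int:
    """0.0.1.255 -> 23. A valid wildcard is 2**k - 1, so w & (w + 1) must be 0."""
    w = _to_int(wildcard)
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return 32 - w.bit_length()


def netmask_to_prefix(netmask: str) -> int:
    """255.255.254.0 -> 23, by inverting into a wildcard and reusing that check."""
    return wildcard_to_prefix(_to_dotted(_to_int(netmask) ^ ALL_ONES))


def _check_prefix(prefix: int) -> None:
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")


def prefix_to_wildcard(prefix: int) -> str:
    """26 -> 0.0.0.63 (the /26 wildcard that was mis-typed as 0.0.0.255 in the thread)."""
    _check_prefix(prefix)
    return _to_dotted((1 << (32 - prefix)) - 1)


def prefix_to_netmask(prefix: int) -> str:
    """23 -> 255.255.254.0, the form ArubaOS-CX shows in the running config."""
    _check_prefix(prefix)
    return _to_dotted((ALL_ONES << (32 - prefix)) & ALL_ONES)


def normalize_ace(ace: str) -> str:
    """Rewrite source/destination of one ACE into net/netmask form.

    Accepts 'any', 'net wildcard', 'net/len' and 'net/netmask' for each address.
    Everything after the two addresses (eq 67 log count ...) is passed through.
    """
    tokens = ace.split()
    out = tokens[:3]  # sequence number, permit/deny, protocol
    i = 3
    for _ in range(2):  # source, then destination
        tok = tokens[i]
        if tok == "any":
            out.append("any")
            i += 1
        elif "/" in tok:
            net, spec = tok.split("/", 1)
            prefix = int(spec) if spec.isdigit() else netmask_to_prefix(spec)
            out.append(f"{net}/{prefix_to_netmask(prefix)}")
            i += 1
        else:  # classic 'net wildcard' pair
            prefix = wildcard_to_prefix(tokens[i + 1])
            out.append(f"{tok}/{prefix_to_netmask(prefix)}")
            i += 2
    return " ".join(out + tokens[i:])


if __name__ == "__main__":
    # Constructed sample lines, taken from the forms posted in the thread.
    for line in (
        "100 permit udp 10.8.150.0 0.0.1.255 10.8.2.0 0.0.0.255 eq 67 log count",
        "100 permit udp 10.8.150.0/23 10.8.2.0/24 eq 67 log count",
        "130 permit ip 10.8.150.0/23 10.8.103.0/26 log count",
    ):
        print(normalize_ace(line))
```

Running it shows the three notations collapsing to the same line, which is why the order of attempts in the post made no difference. The contiguity check is the useful part in practice: a typo such as `0.0.0.254` is rejected instead of silently matching a strange set of hosts.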
Original Message:
Sent: Jul 01, 2022 12:11 PM
From: Davide Poletto
Subject: ACL for guest network VLAN and ACL's protocol number
Hi ML, NTP implementations send and receive timestamps using the User Datagram Protocol (UDP) on port number 123.
Generally I apply the ACL in the in(coming) direction as seen from the VLAN interface, because I want to evaluate (filter) traffic egressing from that VLAN segment toward all other possible destinations (local and non-local); in other words, I want to filter communications at the origin. This process should be done on both sides (for any given local, AKA directly connected, VLAN: at the origin BUT also at the destination, if the destination is a local VLAN too). Clearly it works too if you apply the ACL on one side only, but it's like saying "I deny/permit a VLAN to answer/communicate with another VLAN" without considering that the very same approach should be applied symmetrically to any other VLAN involved in the communication process; like saying I deny/permit you to answer a shout, but I don't care to permit/deny the other to shout at you too.
Original Message:
Sent: Jun 29, 2022 07:21 PM
From: Mang Lai
Subject: ACL for guest network VLAN and ACL's protocol number
Hi Davide,
That is a good point to include the NTP server; currently it is a physical box in the 10.8.2.0 range (Server VLAN). But we set up an NTP server on our core switch as well. What is the protocol number I should use?
Also, when applying the ACL to VLAN 150 in/out, my understanding is that we are restricting traffic from VLAN 150 from going out to reach other VLANs, so it should be Out instead of In? Am I understanding this correctly?
I guess I will just have to try this ACL to tell.
Thanks a lot,
ML
Original Message:
Sent: Jun 29, 2022 05:57 AM
From: Davide Poletto
Subject: ACL for guest network VLAN and ACL's protocol number
Hi ML, I believe you are too confident in a deny any any any any (too many anys... joke).
As written, with your approach (lacking the permit -> deny -> permit any/any -> (implicit) deny any/any structure), avoiding the Deny ACEs I wrote is probably totally reasonable. I can't say for sure, since it's not an ACL structure I have ever adopted (I like mine, where everything is explicitly declared, especially because, no matter the number of directly connected VLANs I manage (which is quite large), I don't mind writing some additional ACEs; consider that you can benefit from subnet grouping, and so limit the number of ACEs, IF your network addressing plan permits that).
But what about NTP synchronization? Public NTP (since I don't see a Permit ACE to an internal NTP Server/NTP Servers Pool)? Is that permitted?
Original Message:
Sent: Jun 28, 2022 08:46 PM
From: Mang Lai
Subject: ACL for guest network VLAN and ACL's protocol number
Hi Davide,
Yes, we have a firewall that the core switch's default route goes to.
Will these ACEs allow DNS/DHCP services correctly? Anything more I should consider?
100 permit udp 10.8.150.0 0.0.1.255 10.8.2.0 0.0.0.255 eq 67 log count
110 permit tcp 10.8.150.0 0.0.1.255 10.8.2.0 0.0.0.255 eq 53 log count
120 permit udp 10.8.150.0 0.0.1.255 10.8.2.0 0.0.0.255 eq 53 log count
I think I will skip this part that specifically defines the other VLANs:
140 deny any 10.8.150.0 0.0.1.255 <internal-VLAN-Net-1> <internal-VLAN-Wildcard-1>
150 deny any 10.8.150.0 0.0.1.255 <internal-VLAN-Net-2> <internal-VLAN-Wildcard-2>
160 deny any 10.8.150.0 0.0.1.255 <internal-VLAN-Net-3> <internal-VLAN-Wildcard-3>
170 deny any 10.8.150.0 0.0.1.255 <internal-VLAN-Net-4> <internal-VLAN-Wildcard-4>
180 deny any 10.8.150.0 0.0.1.255 <internal-VLAN-Net-n> <internal-VLAN-Wildcard-n>
As there are too many other VLANs we would need to add, they should get denied by the default deny any any any any?
Thanks a lot,
ML
Original Message:
Sent: Jun 28, 2022 07:30 AM
From: Davide Poletto
Subject: ACL for guest network VLAN and ACL's protocol number
Yes, in your last iteration:
10 permit udp 10.8.2.0 0.0.0.255 any eq 67 log count
15 permit tcp 10.8.2.0 0.0.0.255 any eq 53 log count
20 permit udp 10.8.2.0 0.0.0.255 any eq 53 log count
30 permit any 10.8.103.0 0.0.0.63 any log count
40 permit tcp any any eq 80 log count
50 permit tcp any any eq 443 log count
since you haven't placed any strict Deny ACE after the first set of permits, and there isn't the typical explicit Any/Any Permit ACE at the very end... yes, what you don't explicitly permit with a proper ACE is denied by the implicit final hidden Any/Any Deny. So in your case your line of reasoning is correct (you permit this and that, and everything else falls back to the implicit final deny).
In my iteration the ACL is structured with a first set of specific permits, a second set of explicit denies ("I don't want the Guest VLAN going to the Trusted VLANs"), and all other remaining traffic (generally the type of traffic with external networks as destinations) can flow to the (next hop) gateway thanks to the Permit Any/Any at the very end of the entire ACL (this implies that there should be a Firewall applying its access policies to that type of traffic, but internal attempts to contact trusted VLANs are blocked via the specific Deny ACEs).
About your second question:
"Should I specify VLAN 150's network address (10.8.150.2/23) 10.8.150.0 0.0.1.255 for every ACE? Or can I say Any to replace <VLAN-150-Net> <VLAN-150-Mask>?"
It probably also works if you use "any" instead of exactly specifying the subnet (10.8.150.0 0.0.1.255) of the sources, which is the only expected origin (IP addresses) for which the ACL's ACEs (applied to VLAN 150) should have effect. I personally like to be specific.
Question: do you expect some other, different IP addresses, not on that subnet, popping up on VLAN 150?
My iteration would become:
100 permit udp 10.8.150.0 0.0.1.255 10.8.2.0 0.0.0.255 eq 67 log count
110 permit tcp 10.8.150.0 0.0.1.255 10.8.2.0 0.0.0.255 eq 53 log count
120 permit udp 10.8.150.0 0.0.1.255 10.8.2.0 0.0.0.255 eq 53 log count
130 permit ip 10.8.150.0 0.0.1.255 10.8.103.0 0.0.0.63 log count
140 deny any 10.8.150.0 0.0.1.255 <internal-VLAN-Net-1> <internal-VLAN-Wildcard-1>
150 deny any 10.8.150.0 0.0.1.255 <internal-VLAN-Net-2> <internal-VLAN-Wildcard-2>
160 deny any 10.8.150.0 0.0.1.255 <internal-VLAN-Net-3> <internal-VLAN-Wildcard-3>
170 deny any 10.8.150.0 0.0.1.255 <internal-VLAN-Net-4> <internal-VLAN-Wildcard-4>
180 deny any 10.8.150.0 0.0.1.255 <internal-VLAN-Net-n> <internal-VLAN-Wildcard-n>
190 permit tcp 10.8.150.0 0.0.1.255 any eq 80 log count
200 permit tcp 10.8.150.0 0.0.1.255 any eq 443 log count
but I have a question: is not explicitly permitting UDP/80 and UDP/443 traffic to Any destination (and here I'm implying that "Any" destination is basically any other non-local network) OK with your requirements?
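The difference between the two structures discussed in this reply (specific permits falling through to the implicit deny, versus permits -> explicit denies toward trusted VLANs -> broad permits) is easiest to see by running sample flows through both ACLs. The following is an added example, not code from the thread or from Aruba: a small first-match evaluator with the implicit final deny, fed with ML's permit-only iteration and Davide's iteration. The `<internal-VLAN-Net-n>` placeholder is replaced by a constructed `10.8.20.0/24`, and the source hosts, destination hosts and an external web server address are constructed too. It relies on Python's `ipaddress` accepting a wildcard (host mask) after the slash, so `10.8.150.0/0.0.1.255` parses as `10.8.150.0/23`.

```python
"""First-match evaluation of ArubaOS-CX style IPv4 ACEs (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY_NET = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp", "ip" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # destination port from "eq N", None if absent


def _take_network(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Consume 'any', 'net/len', 'net/mask' or 'net wildcard' at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ANY_NET, i + 1
    if "/" in tok:
        return ip_network(tok, strict=False), i + 1
    # ipaddress treats a non-netmask dotted quad after '/' as a host (wildcard) mask
    return ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'seq action proto src [wc] dst [wc] [eq port] ...' (log/count ignored)."""
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    src, i = _take_network(tokens, 3)
    dst, i = _take_network(tokens, i)
    dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return Ace(seq, action, proto, src, dst, dport)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Lowest sequence number that matches wins; no match is the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.proto not in ("any", "ip") and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq
    return "deny", None  # implicit deny any/any at the end of every ACL


# Constructed stand-in for one <internal-VLAN-Net-n> <internal-VLAN-Wildcard-n>.
INTERNAL_VLAN = "10.8.20.0 0.0.0.255"

# ML's iteration: specific permits, then web to "any", nothing denied in between.
ACL_PERMIT_ONLY = [parse_ace(l) for l in (
    "100 permit udp 10.8.150.0/23 10.8.2.0/24 eq 67 log count",
    "110 permit tcp 10.8.150.0/23 10.8.2.0/24 eq 53 log count",
    "120 permit udp 10.8.150.0/23 10.8.2.0/24 eq 53 log count",
    "130 permit ip 10.8.150.0/23 10.8.103.0/26 log count",
    "190 permit tcp 10.8.150.0/23 any eq 80 log count",
    "200 permit tcp 10.8.150.0/23 any eq 443 log count",
)]

# Davide's iteration: same permits, explicit deny toward the trusted VLAN, then web.
ACL_WITH_DENIES = ACL_PERMIT_ONLY[:4] + [
    parse_ace(f"140 deny any 10.8.150.0 0.0.1.255 {INTERNAL_VLAN}"),
] + ACL_PERMIT_ONLY[4:]

# Constructed sample flows: (label, proto, src, dst, dport).
FLOWS = [
    ("guest -> DHCP server",       "udp", "10.8.151.20", "10.8.2.5",   67),
    ("guest -> internal VLAN web", "tcp", "10.8.151.20", "10.8.20.10", 443),
    ("guest -> internal VLAN ssh", "tcp", "10.8.151.20", "10.8.20.10", 22),
    ("guest -> external web",      "tcp", "10.8.151.20", "203.0.113.8", 443),
    ("guest -> NTP server",        "udp", "10.8.151.20", "10.8.2.5",   123),
    ("DHCP discover from 0.0.0.0", "udp", "0.0.0.0", "255.255.255.255", 67),
]


def compare(flows=FLOWS):
    """Return {label: (verdict with permit-only ACL, verdict with deny ACEs)}."""
    return {label: (evaluate(ACL_PERMIT_ONLY, *f), evaluate(ACL_WITH_DENIES, *f))
            for label, *f in flows}


if __name__ == "__main__":
    for label, (a, b) in compare().items():
        print(f"{label:28} permit-only: {a!s:18} with denies: {b}")
```

The row worth looking at is "guest -> internal VLAN web": in the permit-only ACL the broad `permit tcp ... any eq 443` at 200 matches it, so guests can reach TCP/443 on a trusted VLAN; with the explicit deny at 140 ordered before the web permits it is dropped. Two other rows are caveats rather than bugs: NTP to the server VLAN falls to the implicit deny in both ACLs (the point raised about NTP earlier in the thread), and a DHCP DISCOVER sourced from 0.0.0.0 matches neither ACL as written, since both permit only sources in 10.8.150.0/23; whether the switch's relay processes that broadcast before or after an inbound VLAN ACL is platform behaviour the thread does not cover and should be checked on the box.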
Original Message:
Sent: Jun 28, 2022 02:50 AM
From: Mang Lai
Subject: ACL for guest network VLAN and ACL's protocol number
Hi Davide,
Thanks so much again.
This part:
40 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-1> <internal-VLAN-Mask-1> <-- deny ANY Protocol to <internal-VLAN-Net-1> subnet
50 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-2> <internal-VLAN-Mask-2> <-- deny ANY Protocol to <internal-VLAN-Net-2> subnet
60 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-3> <internal-VLAN-Mask-3> <-- deny ANY Protocol to <internal-VLAN-Net-3> subnet
70 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-4> <internal-VLAN-Mask-4> <-- deny ANY Protocol to <internal-VLAN-Net-4> subnet
Did you mean I should specify all VLANs of the Production Network? I thought they would be denied if I did not specify them.
Also, with 40 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-1> <internal-VLAN-Mask-1> <-- deny ANY Protocol to <internal-VLAN-Net-1> subnet
Should I specify VLAN 150's network address (10.8.150.2/23) 10.8.150.0 0.0.1.255 for every ACE? Or can I say Any to replace <VLAN-150-Net> <VLAN-150-Mask>?
Thanks
ML
Original Message:
Sent: Jun 28, 2022 02:36 AM
From: Davide Poletto
Subject: ACL for guest network VLAN and ACL's protocol number
Hi ML,
Let me suppose the Net/Mask of VLAN 150 can be represented as <VLAN-150-Net>/<VLAN-150-Mask> and all other internally connected VLANs you DON'T WANT VLAN 150 to communicate with can be represented as <internal-VLAN-Net-n>/<internal-VLAN-Mask-n>; then an ACL made of these ACEs:
10 permit udp <VLAN-150-Net> <VLAN-150-Mask> 10.8.2.0 0.0.0.255 eq 67 log count <---------- permit UDP/67 to 10.8.2.0 /24 subnet
15 permit tcp <VLAN-150-Net> <VLAN-150-Mask> 10.8.2.0 0.0.0.255 eq 53 log count <---------- permit TCP/53 to 10.8.2.0 /24 subnet
20 permit udp <VLAN-150-Net> <VLAN-150-Mask> 10.8.2.0 0.0.0.255 eq 53 log count <---------- permit UDP/53 to 10.8.2.0 /24 subnet
30 permit ip <VLAN-150-Net> <VLAN-150-Mask> 10.8.103.0 0.0.0.63 log count <---------------- permit IP to ClearPass Servers' subnet
40 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-1> <internal-VLAN-Mask-1> <-- deny ANY Protocol to <internal-VLAN-Net-1> subnet
50 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-2> <internal-VLAN-Mask-2> <-- deny ANY Protocol to <internal-VLAN-Net-2> subnet
60 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-3> <internal-VLAN-Mask-3> <-- deny ANY Protocol to <internal-VLAN-Net-3> subnet
70 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-4> <internal-VLAN-Mask-4> <-- deny ANY Protocol to <internal-VLAN-Net-4> subnet
.
.
90 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-n> <internal-VLAN-Mask-n> <-- deny ANY Protocol to <internal-VLAN-Net-n> subnet
140 permit tcp any any eq 80 log count <--------------------------------------------------- permit TCP/80 any source/any destination (not previously explicitly denied)
150 permit tcp any any eq 443 log count <-------------------------------------------------- permit TCP/443 any source/any destination (not previously explicitly denied)
with the final implicit (hidden) Deny any/any... should work.
An ACL with those ACEs should work the way you wanted if applied in the in(coming) direction on VLAN 150 (YMMV).
Original Message:
Sent: Jun 27, 2022 07:40 PM
From: Mang Lai
Subject: ACL for guest network VLAN and ACL's protocol number
Hi Parnassus,
Thanks a lot for picking that out. You are correct about /26; the wildcard mask should be 0.0.0.63. Also, I took out the ACE "deny any any any", as you explained it will deny everything apart from the "Allow" ACEs.
So I have updated ACL to:
access-list ip VLAN_ACL_150
vsx-sync
!
10 permit udp 10.8.2.0 0.0.0.255 any eq 67 log count
15 permit tcp 10.8.2.0 0.0.0.255 any eq 53 log count
20 permit udp 10.8.2.0 0.0.0.255 any eq 53 log count
30 permit any 10.8.103.0 0.0.0.63 any log count
40 permit tcp any any eq 80 log count
50 permit tcp any any eq 443 log count
Now my questions are:
1. Would this ACL allow the DNS and DHCP services from our domain servers in the 10.8.2.0 range? Is this even correct: "10 permit udp 10.8.2.0 0.0.0.255 any eq 67 log count"? Or can I use "10 permit dns 10.8.2.0 0.0.0.255 any log count"?
2. VLAN 150 is the guest network range; I don't want any devices from this scope to reach our production range (server VLAN, building VLANs, and 802.1X range) apart from getting IP and DNS services and ClearPass authentication. Should I apply the ACL to the VLAN as out?
Thanks
ML
Original Message:
Sent: Jun 27, 2022 06:43 AM
From: Davide Poletto
Subject: ACL for guest network VLAN and ACL's protocol number
Hi, if I were you I would apply that ACL "VLAN_150_Out" (and if I were you I would name it "VLAN-150" or something like that, just to have a reference to VLAN id 150 only) in the incoming direction (the point of view is: incoming into the SVI, as seen by VLAN 150), not in the outgoing direction as you wrote.
Note that the wildcard for the 10.8.103.0/26 network is 0.0.0.63 so the ACE:
30 permit any any 10.8.103.0 0.0.0.255 log count
would become:
30 permit any any 10.8.103.0 0.0.0.63 log count
but the point is that the ACL already has an implicit (hidden) Deny any/any at its very end, so your ACE 1001 seems not so useful, and, generally, the ACL structure would be made of: some Permit ACEs -> some Deny ACEs -> an explicit Permit Any/Any ACE (which will only pass what wasn't explicitly denied before, thanks to any previous, matching-first, Permit ACEs eventually present) and then, finally, the (implicit) Deny Any/Any ACE. So probably you should rework it a little bit to fit your needs.