Network Management

ACL for guest network VLAN and ACL's protocol number

  • 1.  ACL for guest network VLAN and ACL's protocol number

    Posted Jun 26, 2022 08:22 PM

    Dear friends,

    Please help,

    I would like to add ACL for our guest network VLAN 150 to only be able to access: DNS (port: 67 or 68? ), DHCP (tcp 53?) (server range: 10.8.2.0/24) and Clearpass server (10.8.103.0/26) and also the internet. 

    My access list will look like this: 

    access-list ip VLAN_150_Out
    vsx-sync
    !
    10 permit udp any 10.8.2.0 0.0.0.255 eq 67 log count
    15 permit tcp any 10.8.2.0 0.0.0.255 eq 53 log count
    20 permit udp any 10.8.2.0 0.0.0.255 eq 53 log count
    30 permit any any 10.8.103.0 0.0.0.255 log count
    40 permit tcp any any eq 80 log count
    50 permit tcp any any eq 443 log count
    1001 deny any any any log count

    And then apply this list to VLAN 150 route out. 

    Does it look correct? 

    Thanks
    ML



    ------------------------------
    Becoming a Networking Engineer
    ------------------------------


  • 2.  RE: ACL for guest network VLAN and ACL's protocol number

    EMPLOYEE
    Posted Jun 26, 2022 08:54 PM
    Which product are you applying this ACL to?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: ACL for guest network VLAN and ACL's protocol number

    Posted Jun 26, 2022 08:57 PM

    Version ArubaOS-CX LL.10.06.0112

    Thanks,
    ML






  • 4.  RE: ACL for guest network VLAN and ACL's protocol number

    MVP GURU
    Posted Jun 27, 2022 06:44 AM

    Hi, if I were you I would apply that ACL "VLAN_150_Out" (and if I were you I will name it as "VLAN-150" too or something like that...just to have a reference about VLAN id 150 only) on the incoming direction (the point of view is: incoming into the SVI, as seen by VLAN 150) not on outgoing direction as you wrote.

    Note that the wildcard for the 10.8.103.0/26 network is 0.0.0.63 so the ACE:

    30 permit any any 10.8.103.0 0.0.0.255 log count

    would become:

    30 permit any any 10.8.103.0 0.0.0.63 log count

    but the point is that the ACL already has an implicit (hidden) Deny any/any at its very end so your ACE 1001 seems not so useful and, generally, the ACL structure would be made of: some ACEs of Permit -> some ACEs of Deny -> an explicit ACE of Permit Any/Any (which will only pass on what wasn't explicitly denied before thanks to any previous - matching first - Permit ACEs eventually present) and then, finally, the (implicit) Deny Any/Any ACE. So probably you should rework it a little bit to fit your needs.



  • 5.  RE: ACL for guest network VLAN and ACL's protocol number

    Posted Jun 27, 2022 07:40 PM
    Hi Parnassus, 

    Thanks a lot for picking that out. You are correct about /26, the wildcard mask should be 0.0.0.63. Also, I took out the ACE "deny any any any" as you explained it will deny everything apart from the "Allow" ACEs. 

    So I have updated ACL to: 

    access-list ip VLAN_ACL_150
    vsx-sync
    !
    10 permit udp 10.8.2.0 0.0.0.255 any eq 67 log count
    15 permit tcp 10.8.2.0 0.0.0.255 any eq 53 log count
    20 permit udp 10.8.2.0 0.0.0.255 any eq 53 log count
    30 permit any 10.8.103.0 0.0.0.63 any log count
    40 permit tcp any any eq 80 log count
    50 permit tcp any any eq 443 log count


    Now my questions are: 

    1. would this ACL allow the DNS and DHCP service from our domains servers in 10.8.2.0 range? Is this even correct: "10 permit udp 10.8.2.0 0.0.0.255 any eq 67 log count"? or Can I use "10 permit dns 10.8.2.0 0.0.0.255 any log count"?

    2. VLAN 150 is the guest network range, don't want any devices from this scope to reach our production range (server vlan, building vlans, and 802.1x range) apart from getting IP, DNS services and Clearpass authentications. Should I apply ACL to VLAN as out? 

    Thanks
    ML







  • 6.  RE: ACL for guest network VLAN and ACL's protocol number

    MVP GURU
    Posted Jun 28, 2022 02:36 AM
    Hi ML,

    Let me suppose the Net/Mask of VLAN 150 can be represented as <VLAN-150-Net>/<VLAN-150-Mask> and all other internally connected VLANs you DON'T WANT the VLAN 150 communicates with can be represented as <internal-VLAN-Net-n>/<internal-VLAN-Mask-n>, then an ACL made with these ACEs:

    10 permit udp <VLAN-150-Net> <VLAN-150-Mask> 10.8.2.0 0.0.0.255 eq 67 log count <---------- permit UDP/67 to 10.8.2.0 /24 subnet
    15 permit tcp <VLAN-150-Net> <VLAN-150-Mask> 10.8.2.0 0.0.0.255 eq 53 log count <---------- permit TCP/53 to 10.8.2.0 /24 subnet
    20 permit udp <VLAN-150-Net> <VLAN-150-Mask> 10.8.2.0 0.0.0.255 eq 53 log count <---------- permit UDP/53 to 10.8.2.0 /24 subnet

    30 permit ip <VLAN-150-Net> <VLAN-150-Mask> 10.8.103.0 0.0.0.63 log count <---------------- permit IP to ClearPass Servers' subnet

    40 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-1> <internal-VLAN-Mask-1> <-- deny ANY Protocol to <internal-VLAN-Net-1> subnet
    50 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-2> <internal-VLAN-Mask-2> <-- deny ANY Protocol to <internal-VLAN-Net-2> subnet
    60 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-3> <internal-VLAN-Mask-3> <-- deny ANY Protocol to <internal-VLAN-Net-3> subnet
    70 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-4> <internal-VLAN-Mask-4> <-- deny ANY Protocol to <internal-VLAN-Net-4> subnet
    .
    .
    90 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-n> <internal-VLAN-Mask-n> <-- deny ANY Protocol to <internal-VLAN-Net-n> subnet

    140 permit tcp any any eq 80 log count <--------------------------------------------------- permit TCP/80 any source/any destination (not previously explicitly denied)
    150 permit tcp any any eq 443 log count <-------------------------------------------------- permit TCP/443 any source/any destination (not previously explicitly denied)

    with the final implicit (hidden) Deny any/any...should work.

    An ACL with those ACEs should work the way you wanted if applied in the in(coming) direction on the VLAN 150 (YMMV).


  • 7.  RE: ACL for guest network VLAN and ACL's protocol number

    Posted Jun 28, 2022 02:51 AM
    Hi Davide, 

    Thanks so much again. 

    This part: 

    40 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-1> <internal-VLAN-Mask-1> <-- deny ANY Protocol to <internal-VLAN-Net-1> subnet
    50 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-2> <internal-VLAN-Mask-2> <-- deny ANY Protocol to <internal-VLAN-Net-2> subnet
    60 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-3> <internal-VLAN-Mask-3> <-- deny ANY Protocol to <internal-VLAN-Net-3> subnet
    70 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-4> <internal-VLAN-Mask-4> <-- deny ANY Protocol to <internal-VLAN-Net-4> subnet

    Did you mean I should specify all VLANs of Production Network? I thought they will be denied if I do not specify them.

    Also, with 40 deny any <VLAN-150-Net> <VLAN-150-Mask> <internal-VLAN-Net-1> <internal-VLAN-Mask-1> <-- deny ANY Protocol to <internal-VLAN-Net-1> subnet

    Should I specify Vlan 150's network address (10.8.150.2/23) 10.8.150.0 0.0.1.255 for every ACE? or I can say Any to replace <VLAN-150-Net> <VLAN-150-Mask>?

    Thanks
    ML





  • 8.  RE: ACL for guest network VLAN and ACL's protocol number

    MVP GURU
    Posted Jun 28, 2022 07:31 AM
    Yes, in your last iteration:

    10 permit udp 10.8.2.0 0.0.0.255 any eq 67 log count
    15 permit tcp 10.8.2.0 0.0.0.255 any eq 53 log count
    20 permit udp 10.8.2.0 0.0.0.255 any eq 53 log count
    30 permit any 10.8.103.0 0.0.0.63 any log count
    40 permit tcp any any eq 80 log count
    50 permit tcp any any eq 443 log count

    since you haven't placed any strict Deny ACE after the first set of permits and there isn't the typical explicit Any/Any Permit ACE just at the very end...yes...what you don't explicitly permit with a proper ACE is denied by the implicit final hidden Any/Any Deny. So in your case your line of reasoning is correct (you permit this and that and everything else falls back to the implicit final deny).

    In my iteration the ACL is structured with a first set of specific permits, a second set of explicit denies ("I don't want the Guest VLAN going to the Trusted VLANs") and all other remaining traffic (generally the type of traffic with external networks as destinations) could flow to the (next hop) gateway using the Permit Any/Any at the very end of the entire ACL (this implies that there should be a Firewall that should apply its access policies to that type of traffic...but internal attempts to contact trusted VLANs is blocked via the specific Deny ACEs).

    About your second question:

    "Should I specify Vlan 150's network address (10.8.150.2/23) 10.8.150.0 0.0.1.255 for every ACE? or I can say Any to replace <VLAN-150-Net> <VLAN-150-Mask>?"

    probably it works also if you use the "any" instead of exactly specifying the subnet (10.8.150.0 0.0.1.255) of the sources which is the only expected (IP addresses) origin for which the ACL's ACEs (applied to VLAN 150) should have effect. I personally like to be specific.

    Question: did you expect some other different IP addresses - not on that subnet - popping up on that VLAN 150?

    My iteration would become:

    100 permit udp 10.8.150.0 0.0.1.255 10.8.2.0 0.0.0.255 eq 67 log count
    110 permit tcp 10.8.150.0 0.0.1.255 10.8.2.0 0.0.0.255 eq 53 log count
    120 permit udp 10.8.150.0 0.0.1.255 10.8.2.0 0.0.0.255 eq 53 log count
    130 permit ip 10.8.150.0 0.0.1.255 10.8.103.0 0.0.0.63 log count
    140 deny any 10.8.150.0 0.0.1.255 <internal-VLAN-Net-1> <internal-VLAN-Wildcard-1>
    150 deny any 10.8.150.0 0.0.1.255 <internal-VLAN-Net-2> <internal-VLAN-Wildcard-2>
    160 deny any 10.8.150.0 0.0.1.255 <internal-VLAN-Net-3> <internal-VLAN-Wildcard-3>
    170 deny any 10.8.150.0 0.0.1.255 <internal-VLAN-Net-4> <internal-VLAN-Wildcard-4>
    180 deny any 10.8.150.0 0.0.1.255 <internal-VLAN-Net-n> <internal-VLAN-Wildcard-n>
    190 permit tcp 10.8.150.0 0.0.1.255 any eq 80 log count
    200 permit tcp 10.8.150.0 0.0.1.255 any eq 443 log count
    but I have a question: not permitting explicitly UDP/80 and UDP/443 traffic to Any destination - and here I'm implying that "Any" destination is basically any other non-local network - is OK with your requirements?
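
    As an added example for this thread (not code from the original posts, from Aruba or from HPE), the following Python script models the first-match evaluation of ACEs written in the syntax used above, with the implicit deny at the end, and runs a few constructed packets through both the reply #5 list (source and destination reversed) and the reply #8 iteration. It covers the points raised in replies #4, #5, #6 and #8 together: the /26 wildcard 0.0.0.63, source/destination order, and why explicit denies for the trusted VLANs have to sit ahead of the "permit tcp any any eq 80/443" entries. The internal VLAN 10.8.20.0/24 (standing in for <internal-VLAN-Net-1>), the guest host 10.8.150.10 and the destination addresses are assumed placeholders, not values from the thread; the packets are constructed, not captured.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: first-match evaluator for AOS-CX style ACEs
# "<seq> <permit|deny> <proto> <src> <dst> [eq <port>] ...".
# It models only what the thread discusses (protocol, source, destination,
# destination port, sequence order, implicit deny); "log"/"count" are ignored.


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", or "any"/"ip" for every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def wildcard_for_prefix(prefix_len: int) -> str:
    """Dotted wildcard (inverse) mask for a prefix length: 26 -> '0.0.0.63'."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").hostmask)


def _network_from_wildcard(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """'A.B.C.D W.X.Y.Z' (address + wildcard) -> network object."""
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    # strict=False tolerates host bits in the address, as the switch CLI does
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def _take_address(tokens: List[str]):
    """Consume 'any' or 'addr wildcard' from the token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return _network_from_wildcard(tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    src, rest = _take_address(tokens[3:])
    dst, rest = _take_address(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None  # "eq N" after dst = dest port
    return Ace(seq, action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    """Keep only numbered ACE lines; 'access-list', 'vsx-sync' and '!' are skipped."""
    aces = [parse_ace(l) for l in text.splitlines() if l.strip()[:1].isdigit()]
    return sorted(aces, key=lambda a: a.seq)   # the switch evaluates by sequence number


def _matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto in ("any", "ip") or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl_text: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; no match falls to the implicit deny (seq None)."""
    for ace in parse_acl(acl_text):
        if _matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


# ACL as posted in reply #5: 10.8.2.0/24 sits in the SOURCE position.
ACL_REPLY_5 = """
access-list ip VLAN_ACL_150
10 permit udp 10.8.2.0 0.0.0.255 any eq 67 log count
15 permit tcp 10.8.2.0 0.0.0.255 any eq 53 log count
20 permit udp 10.8.2.0 0.0.0.255 any eq 53 log count
30 permit any 10.8.103.0 0.0.0.63 any log count
40 permit tcp any any eq 80 log count
50 permit tcp any any eq 443 log count
"""

# Reply #8 iteration; 10.8.20.0/24 is an ASSUMED placeholder for <internal-VLAN-Net-1>.
ACL_REPLY_8 = """
100 permit udp 10.8.150.0 0.0.1.255 10.8.2.0 0.0.0.255 eq 67 log count
110 permit tcp 10.8.150.0 0.0.1.255 10.8.2.0 0.0.0.255 eq 53 log count
120 permit udp 10.8.150.0 0.0.1.255 10.8.2.0 0.0.0.255 eq 53 log count
130 permit ip 10.8.150.0 0.0.1.255 10.8.103.0 0.0.0.63 log count
140 deny any 10.8.150.0 0.0.1.255 10.8.20.0 0.0.0.255
190 permit tcp 10.8.150.0 0.0.1.255 any eq 80 log count
200 permit tcp 10.8.150.0 0.0.1.255 any eq 443 log count
"""

# Constructed traffic samples (not captures) from an assumed guest at 10.8.150.10.
GUEST = "10.8.150.10"
PKT_DNS = Packet("udp", GUEST, "10.8.2.5", 53)                   # DNS to the 10.8.2.0/24 servers
PKT_WEB_INT = Packet("tcp", GUEST, "10.8.20.7", 80)              # HTTP into the assumed internal VLAN
PKT_WEB_EXT = Packet("tcp", GUEST, "203.0.113.10", 443)          # HTTPS to the internet
PKT_CPPM_OK = Packet("tcp", GUEST, "10.8.103.10", 443)           # inside 10.8.103.0/26
PKT_CPPM_OUT = Packet("tcp", GUEST, "10.8.103.100", 443)         # in the /24 but outside the /26
PKT_DHCP_DISC = Packet("udp", "0.0.0.0", "255.255.255.255", 67)  # initial DHCP DISCOVER

SAMPLES = [("dns", PKT_DNS), ("web-internal", PKT_WEB_INT), ("web-internet", PKT_WEB_EXT),
           ("clearpass-in-/26", PKT_CPPM_OK), ("clearpass-out-/26", PKT_CPPM_OUT),
           ("dhcp-discover", PKT_DHCP_DISC)]

if __name__ == "__main__":
    print("wildcard for /26:", wildcard_for_prefix(26), " for /23:", wildcard_for_prefix(23))
    for name, pkt in SAMPLES:
        print(f"{name:<18} reply#5 -> {evaluate(ACL_REPLY_5, pkt)}   reply#8 -> {evaluate(ACL_REPLY_8, pkt)}")
```

    Running it shows the two failure modes the thread is circling: with the reply #5 order the guest's DNS query falls through to the implicit deny (no ACE has the guest subnet as source) while HTTP to the assumed internal server VLAN is permitted by ACE 40; with the reply #8 order DNS is permitted by ACE 120 and the internal web request is stopped by the explicit deny at 140. Two practitioner checks worth noting: an address such as 10.8.103.100 is outside 10.8.103.0/26 and so is not covered by ACE 130, but still matches the "permit tcp ... any eq 443" entry, so anything internal that is not in an explicit deny line remains reachable on 80/443; and the ACEs for UDP/67 only match unicast DHCP to 10.8.2.0/24, whereas a fresh client's DISCOVER is sourced from 0.0.0.0 to 255.255.255.255 and is only unicast to the server by the relay on the SVI. Whether an inbound ACL on the SVI is evaluated against that broadcast before relay is platform-specific, so confirm it on the switch (the per-ACE hit counters that the "count" keyword enables are the quickest way) before relying on the list.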


  • 9.  RE: ACL for guest network VLAN and ACL's protocol number

    Posted Jun 28, 2022 08:47 PM