The ACL worked without modifying it in any way.
Original Message:
Sent: Jan 15, 2024 04:14 AM
From: felippe_ro
Subject: ACL with "object-group" for GUEST VLAN
Thanks for your feedback @kworth.
I am not bothered about the traffic inside VLAN 80 (there is actually a requirement to allow intra-VLAN traffic), hence the ACL applied to "interface vlan 80".
The switch is just a "router hop", to allow traffic to reach resources behind it, and not on it.
As I only have remote access to the switch itself, and not to any end device on VLAN 80, I can't test the ACL at the moment; hopefully sometime during the week.
Regards,
Original Message:
Sent: Jan 12, 2024 02:46 PM
From: kworth
Subject: ACL with "object-group" for GUEST VLAN
This config looks reasonable to permit traffic to the DomainControllers addresses on the L4 ports you listed.
By applying to interface vlan 80 (as opposed to vlan 80) you'll apply the ACL to traffic that's going to be routed by the switch; clients may still be able to send traffic to each other, as that will simply be L2 VLAN traffic. If you wanted to limit east-west L2 traffic amongst guests, that might be a good use of an ACL in the VLAN 80 context.
I don't think you need to explicitly permit traffic to the gateway, as your guest packets' destination IPs would be routed *through* the gateway (vlan 80 svi, 172.16.81.254) to the DomainControllers destination IPs as opposed to being destined for the switch. Are there any services for which the switch is a destination IP of traffic, not just a router hop to reach the destination IP? If so, that might be a case you'd want to consider an explicit "permit" ACE.
Original Message:
Sent: Jan 11, 2024 04:18 AM
From: felippe_ro
Subject: ACL with "object-group" for GUEST VLAN
Hello,
I try to deploy an ACL to restrict access to internal resources for visitors, contractors, staff personal devices etc. To streamline the ACL I intend to use "object groups".
The first "object-group" includes the IP addresses for the domain controllers (they are running DHCP and DNS services):
object-group ip address DomainControllers
    10 10.10.10.1
    15 10.20.20.2
    20 10.1.1.10
The second "object-group" includes the RFC 1918 networks:
object-group ip address PrivateNetworks
    10 10.0.0.0/8
    20 172.16.0.0/12
    30 192.168.0.0/16
And here are the ACEs:
access-list ip GUEST
    10 permit udp any DomainControllers eq dhcp-client
    15 permit udp any DomainControllers eq dhcp-server
    20 permit udp any DomainControllers eq dns
    30 permit icmp any DomainControllers
    50 deny any 172.16.80.0/255.255.254.0 PrivateNetworks
    90 permit any 172.16.80.0/255.255.254.0 any
I will then apply this ACL to the "guest" VLAN interface:
interface vlan 80
    apply access-list ip GUEST routed-in
Will this work? Do I need an ACE to allow traffic to access the gateway (VLAN 80 SVI - 172.16.81.254)? Or, maybe, I should apply the ACL to the VLAN 80?
Thank you,
Valentin
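As an added example that is not part of the thread, the following Python evaluator expands the two object-groups and walks the posted ACEs first-match, so sample flows can be checked against the intended policy before anyone has a client on VLAN 80, including the two points raised in the reply (bridged guest-to-guest traffic, and traffic addressed to the SVI itself). The numeric values behind dhcp-client, dhcp-server and dns, and the handling of switch-destined traffic, are assumptions.

```python
# Added example, not from the thread: a first-match evaluator for the posted GUEST
# ACL with both object-groups expanded, run against constructed sample flows.
from ipaddress import ip_address, ip_network

# Object-groups as posted (sequence numbers dropped; order does not matter here).
DOMAIN_CONTROLLERS = [ip_network(h) for h in ("10.10.10.1/32", "10.20.20.2/32", "10.1.1.10/32")]
PRIVATE_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GUEST_SUBNET = [ip_network("172.16.80.0/23")]   # 172.16.80.0/255.255.254.0
ANY = [ip_network("0.0.0.0/0")]
SVI = ip_address("172.16.81.254")               # VLAN 80 gateway from the thread

# Assumed numeric values for the port names used in the ACEs (standard ports).
PORT = {"dhcp-server": 67, "dhcp-client": 68, "dns": 53}

# ACEs in evaluation order: (action, proto, src group, dst group, dst port);
# None for proto or port means "any". Trailing comments give the posted sequence numbers.
GUEST_ACL = [
    ("permit", "udp", ANY, DOMAIN_CONTROLLERS, PORT["dhcp-client"]),   # 10
    ("permit", "udp", ANY, DOMAIN_CONTROLLERS, PORT["dhcp-server"]),   # 15
    ("permit", "udp", ANY, DOMAIN_CONTROLLERS, PORT["dns"]),           # 20
    ("permit", "icmp", ANY, DOMAIN_CONTROLLERS, None),                 # 30
    ("deny", None, GUEST_SUBNET, PRIVATE_NETWORKS, None),              # 50
    ("permit", None, GUEST_SUBNET, ANY, None),                         # 90
]

def in_group(addr, group):
    return any(addr in net for net in group)

def evaluate(acl, src, dst, proto, dport=None):
    """First matching ACE wins; a packet matching no ACE hits the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, p, srcs, dsts, port in acl:
        if p is not None and p != proto:
            continue
        if port is not None and port != dport:
            continue
        if in_group(s, srcs) and in_group(d, dsts):
            return action
    return "deny"

def routed_in_decision(src, dst, proto, dport=None):
    """Model 'apply access-list ip GUEST routed-in' on interface vlan 80.
    Guest-to-guest unicast inside 172.16.80.0/23 is bridged at L2 and never
    reaches a routed ACL. Whether a routed-in ACL sees traffic addressed to the
    SVI is platform-specific (assumption: it does), so that case is run through
    the ACL here to show that ACE 50 would deny it without an explicit permit.
    Broadcast DHCP discovery and relay are not modelled."""
    s, d = ip_address(src), ip_address(dst)
    if in_group(s, GUEST_SUBNET) and in_group(d, GUEST_SUBNET) and d != SVI:
        return "bridged"
    return evaluate(GUEST_ACL, src, dst, proto, dport)
```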