Wired Intelligent Edge


ACL with "object-group" for GUEST VLAN

  • 1.  ACL with "object-group" for GUEST VLAN

    Posted Jan 11, 2024 01:23 PM

    Hello,

    I am trying to deploy an ACL to restrict access to internal resources for visitors, contractors, staff personal devices, etc. To streamline the ACL I intend to use "object groups".

    The first "object-group" includes the IP addresses for the domain controllers (they are running DHCP and DNS services):

    object-group ip address DomainControllers
    10 10.10.10.1
    15 10.20.20.2
    20 10.1.1.10

    The second "object-group" includes the RFC 1918 networks:

    object-group ip address PrivateNetworks
    10 10.0.0.0/8
    20 172.16.0.0/12
    30 192.168.0.0/16

    And here are the ACEs:

    access-list ip GUEST
    10 permit udp any DomainControllers eq dhcp-client
    15 permit udp any DomainControllers eq dhcp-server
    20 permit udp any DomainControllers eq dns
    30 permit icmp any DomainControllers
    
    50 deny any 172.16.80.0/255.255.254.0 PrivateNetworks
    
    90 permit any 172.16.80.0/255.255.254.0 any

    I will then apply this ACL to the "guest" VLAN interface:

    interface vlan 80
    apply access-list ip GUEST routed-in
    

    Will this work? Do I need an ACE to allow traffic to access the gateway (VLAN 80 SVI, 172.16.81.254)? Or maybe I should apply the ACL to VLAN 80 instead?

    Thank you,

    Valentin



  • 2.  RE: ACL with "object-group" for GUEST VLAN

    EMPLOYEE
    Posted Jan 12, 2024 02:46 PM

    This config looks reasonable to permit traffic to the DomainControllers addresses on the L4 ports you listed.

    By applying to interface vlan 80 (as opposed to vlan 80) you'll apply the ACL to traffic that's going to be routed by the switch: clients may still be able to send traffic to each other, as that will simply be L2 VLAN traffic. If you wanted to limit east-west L2 traffic amongst guests, that might be a good use of an ACL in the VLAN 80 context.

    I don't think you need to explicitly permit traffic to the gateway, as your guest packets' destination IPs would be routed *through* the gateway (vlan 80 svi, 172.16.81.254) to the DomainControllers destination IPs as opposed to being destined for the switch. Are there any services for which the switch is a destination IP of traffic, not just a router hop to reach the destination IP? If so, that might be a case you'd want to consider an explicit "permit" ACE.
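The following is an added example, not code from the thread or from HPE Aruba Networking: a small offline evaluator that parses the object groups and ACEs exactly as posted above and runs constructed packets through them with first-match, implicit-deny semantics. It also models the reply's point about routed-in: a packet whose source and destination are both inside 172.16.80.0/23 is reported as "bridged" because the SVI's routed-in ACL never sees it. Assumptions made here: the port names dhcp-client, dhcp-server and dns map to UDP 68, 67 and 53; the sample packets and the parse_config/guest_decision helpers are constructed for this example; traffic addressed to the switch itself (the SVI address) is outside the model.

```python
"""Offline evaluator for the GUEST ACL posted in this thread (added example, not Aruba code).

Parses the thread's object-group / access-list syntax into a first-match,
implicit-deny matcher and runs constructed packets through it. The 'routed-in'
modelling (intra-VLAN traffic bypasses the SVI ACL) is an assumption made for
illustration; packets destined to the switch itself are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Configuration text copied from the post (constructed input for this example).
CONFIG = """
object-group ip address DomainControllers
10 10.10.10.1
15 10.20.20.2
20 10.1.1.10
object-group ip address PrivateNetworks
10 10.0.0.0/8
20 172.16.0.0/12
30 192.168.0.0/16
access-list ip GUEST
10 permit udp any DomainControllers eq dhcp-client
15 permit udp any DomainControllers eq dhcp-server
20 permit udp any DomainControllers eq dns
30 permit icmp any DomainControllers
50 deny any 172.16.80.0/255.255.254.0 PrivateNetworks
90 permit any 172.16.80.0/255.255.254.0 any
"""

# Assumption: the service names in the ACL resolve to the usual well-known ports.
PORT_NAMES = {"dhcp-client": 68, "dhcp-server": 67, "dns": 53}


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str            # "permit" | "deny"
    proto: str             # "any" | "udp" | "tcp" | "icmp"
    src: str               # "any", an object-group name, or a prefix
    dst: str
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def parse_config(text):
    """Return (object_groups, acls) parsed from the thread's syntax."""
    groups, acls, target = {}, {}, None
    for raw in text.strip().splitlines():
        tok = raw.split()
        if tok[:3] == ["object-group", "ip", "address"]:
            target = groups.setdefault(tok[3], [])
        elif tok[:2] == ["access-list", "ip"]:
            target = acls.setdefault(tok[2], [])
        elif tok[1] in ("permit", "deny"):
            # ACE layout: seq action proto src dst [eq port-name]
            dport = PORT_NAMES[tok[6]] if len(tok) > 6 and tok[5] == "eq" else None
            target.append(Ace(int(tok[0]), tok[1], tok[2], tok[3], tok[4], dport))
        else:
            target.append(tok[1])   # object-group member line: "seq address[/mask]"
    for acl in acls.values():
        acl.sort(key=lambda a: a.seq)   # ACEs are evaluated in sequence order
    return groups, acls


def addr_matches(spec, addr, groups):
    """True if addr falls inside spec: 'any', an object group, or a single prefix."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    # ip_network accepts both the /12 and the /255.255.254.0 forms used in the post.
    return any(ip in ipaddress.ip_network(m, strict=False) for m in groups.get(spec, [spec]))


def evaluate(acl, pkt, groups):
    """First matching ACE wins; no match falls through to the implicit deny (seq None)."""
    for ace in acl:
        if ace.proto not in ("any", pkt.proto):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if addr_matches(ace.src, pkt.src, groups) and addr_matches(ace.dst, pkt.dst, groups):
            return ace.action, ace.seq
    return "deny", None


GROUPS, ACLS = parse_config(CONFIG)
VLAN80 = ipaddress.ip_network("172.16.80.0/23")


def guest_decision(pkt):
    """Model of 'apply access-list ip GUEST routed-in' on interface vlan 80.

    Assumption: a packet bridged inside VLAN 80 never reaches the SVI's routed-in
    ACL, so it is reported as 'bridged' rather than permit/deny.
    """
    if ipaddress.ip_address(pkt.src) in VLAN80 and ipaddress.ip_address(pkt.dst) in VLAN80:
        return "bridged", None
    return evaluate(ACLS["GUEST"], pkt, GROUPS)


if __name__ == "__main__":
    samples = [
        Packet("172.16.80.10", "10.1.1.10", "udp", 53),      # DNS over UDP to a domain controller
        Packet("172.16.80.10", "10.1.1.10", "tcp", 53),      # DNS over TCP: not covered by ACE 20
        Packet("172.16.80.10", "10.10.10.1", "icmp"),        # ping a domain controller
        Packet("172.16.80.10", "192.168.1.5", "tcp", 445),   # SMB to an internal host
        Packet("172.16.80.10", "203.0.113.7", "tcp", 443),   # HTTPS to the internet
        Packet("172.16.80.10", "172.16.80.11", "tcp", 22),   # guest-to-guest inside VLAN 80
    ]
    for pkt in samples:
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {guest_decision(pkt)}")
```

Running it shows the ordering effects a practitioner would want to check before trusting the ACL: UDP/53 to a domain controller hits ACE 20, but TCP/53 to the same address falls through to ACE 50 and is denied, because only the UDP ACEs name the DomainControllers group; a packet from a source outside 172.16.80.0/23 matches nothing and lands on the implicit deny; and guest-to-guest traffic is bridged without ever consulting the routed-in ACL.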




  • 3.  RE: ACL with "object-group" for GUEST VLAN

    Posted Jan 15, 2024 04:14 AM

    Thanks for your feedback @kworth.

    I am not bothered about the traffic inside VLAN 80 (there is actually a requirement to allow intra-VLAN traffic), hence the ACL applied to "interface vlan 80".

    The switch is just a "router hop", to allow traffic to reach resources behind it, and not on it.

    As I only have remote access to the switch itself, and not to any end device on VLAN 80, I can't test the ACL at the moment; hopefully sometime during the week.

    Regards,




  • 4.  RE: ACL with "object-group" for GUEST VLAN

    Posted 18 days ago

    The ACL worked without modifying it in any way.