
September 30th, 2008 17:00

Applying ACL's

Ok, I am a little new to these Dell PowerConnects and switching is not my strong suit, so stay with me. I have VLAN routing enabled and I need to push my web servers out to my DMZ, and in doing so I want to restrict access from these boxes to my trusted side. VLAN 2 is my production server area and VLAN 5 is the DMZ; the web servers need to access a SQL DB in the trusted area. I can simply enable VLAN routing on VLAN 5, but if I do that I open up the flood gates, so I started reading about applying ACLs. Seems simple enough, and I understand the concept; so here is ACL #1:

access-list DMZ2Trust-1 permit tcp 10.10.10.3 0.0.0.0 192.168.2.21 0.0.0.0 eq 1433
access-list DMZ2Trust-1 permit tcp 10.10.10.3 0.0.0.0 192.168.2.41 0.0.0.0 eq 53
access-list DMZ2Trust-1 permit udp 10.10.10.3 0.0.0.0 192.168.2.41 0.0.0.0 eq 53
access-list DMZ2Trust-1 permit tcp 10.10.10.3 0.0.0.0 192.168.2.41 0.0.0.0 eq 135
access-list DMZ2Trust-1 permit tcp 10.10.10.3 0.0.0.0 192.168.2.41 0.0.0.0 eq 3268
access-list DMZ2Trust-1 permit tcp 10.10.10.3 0.0.0.0 192.168.2.41 0.0.0.0 eq 389
access-list DMZ2Trust-1 permit udp 10.10.10.3 0.0.0.0 192.168.2.41 0.0.0.0 eq 137
access-list DMZ2Trust-1 permit udp 10.10.10.3 0.0.0.0 192.168.2.41 0.0.0.0 eq 138
access-list DMZ2Trust-1 permit tcp 10.10.10.3 0.0.0.0 192.168.2.41 0.0.0.0 eq 139

and

access-list DMZ2Trust-2 deny ip any any

My understanding is that the explicit deny will be applied last; should I not have applied this to VLAN 5 and instead applied it to VLAN 2? When I did, I lost all connectivity. A little more insight would be helpful.

Thanks,

Matt

September 30th, 2008 20:00

You have described two ACLs, one to permit traffic and one to block all IP traffic. I think you have a typo in your post and meant the explicit deny ip any any to be part of the first ACL.

ACLs are processed in sequential order, line by line.

Without you clarifying which subnet, 10.10.x.x or 192.168.2.x, belongs to which VLAN and how exactly you applied the ACL (in/out), I can't comment further on why you saw strange behaviour.


October 2nd, 2008 11:00

VLAN 2 is 192.168.2.x; VLAN 5 is 10.10.10.x. A machine in VLAN 5 needs access to VLAN 2 for the ACEs shown in the first thread. As for the second ACL, I created that because I can only get 10 ACEs per ACL. You're saying I should include that in the first ACL, or, if I have more than 10 rules, apply it in both?

October 12th, 2008 21:00

The ACL has an implicit "deny all" rule anyway, so you don't need to specify it; i.e. if a packet fails to match your permit definitions and gets to the bottom of your "permit" list, it is dropped automatically.

And did you apply your access-list as an "egress" OUT, as the src=VLAN_5 and dest=VLAN_2?

interface vlan 2

ip access-group DMZ2Trust-1 out
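As an added illustration (not code from the thread or from Dell), a small Python model of the ACE syntax used above that evaluates an ACL top-down with the implicit deny the reply describes; it also shows that the position of `eq` decides whether a port is matched against the source or the destination side of the flow. The sample flows and ACL variants are constructed for the example.

```python
import ipaddress

# Constructed, simplified model of the ACE syntax used in the thread:
#   access-list NAME {permit|deny} PROTO {SRC WILDCARD|any} [eq SPORT] {DST WILDCARD|any} [eq DPORT]
# A 0.0.0.0 wildcard means every address bit must match (one host). Where "eq" sits matters:
# after the source address it constrains the SOURCE port, after the destination the DESTINATION port.

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_ace(line):
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an ACE: " + line)
    ace = {"name": tok[1], "action": tok[2], "proto": tok[3]}
    rest = tok[4:]
    for side in ("src", "dst"):
        if rest[0] == "any":
            ace[side], rest = None, rest[1:]
        else:
            ace[side], rest = (_ip(rest[0]), _ip(rest[1])), rest[2:]
        ace[side + "_port"] = None
        if rest[:1] == ["eq"]:
            ace[side + "_port"], rest = int(rest[1]), rest[2:]
    return ace

def _addr_ok(spec, ip):
    # Wildcard-mask compare: bits set in the wildcard are "don't care".
    return spec is None or (_ip(ip) | spec[1]) == (spec[0] | spec[1])

def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and _addr_ok(ace["src"], pkt["src"]) and _addr_ok(ace["dst"], pkt["dst"])
            and ace["src_port"] in (None, pkt["sport"])
            and ace["dst_port"] in (None, pkt["dport"]))

def evaluate(acl_lines, pkt):
    """Sequential first match; no match at all is the implicit deny the reply describes."""
    for ace in (parse_ace(l) for l in acl_lines if l.strip()):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny (implicit)"

# Constructed sample flows: the DMZ web server 10.10.10.3 (VLAN 5) reaching into VLAN 2.
SQL_FLOW = {"proto": "tcp", "src": "10.10.10.3", "sport": 51000, "dst": "192.168.2.21", "dport": 1433}
SMB_FLOW = dict(SQL_FLOW, dport=445)
DST_PORT_ACL = ["access-list DMZ2Trust-1 permit tcp 10.10.10.3 0.0.0.0 192.168.2.21 0.0.0.0 eq 1433"]
SRC_PORT_ACL = ["access-list DMZ2Trust-1 permit tcp 10.10.10.3 0.0.0.0 eq 1433 192.168.2.21 0.0.0.0"]
```

With the destination-port form the SQL flow is permitted and SMB falls through to the implicit deny; with `eq 1433` after the source address the same SQL flow is denied, because the web server's ephemeral source port is what gets compared.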
