using ACL's to block VLAN's

Question

I've read through some of the DELL documentation and its kinda helped, but I just want a general overview to get me started on this.   I have two VLANS setup 1 & 2, and probably dont want them to communicate.  Not sure if they do by default or not.  On VLAN 2, I was thinking just to give them port 80 and 443 for example, but not be able to ping my 10.0.0.1 subnet or gain access to our machines.   For security reasons.  Basically if this new branch on our subnet gets infected with a virus or something, I want them segmented so they dont infect our default subnet  (10.0.0.1)   Can I get an ACL example of how this would be done. Message Edited by jbilliau on 03-09-2006 03:39 PM

DELL-Cuong N. · Answer

Hi again jbilliau :-).

You should qualify this by saying that you are working on the 6024 correct? By default VLAN do not communicate at layer 2 meaning that an L2 switch will not forward packets from one VLAN to another. However since you are using a 6024 (L3 router) and you setup routes, the 6024 will route between the VLANs so you are no longer blocked from communicating between two VLANs.

To make sure that host on one VLAN can access only specific system or specific ports on these systems on another VLAN you need to setup ACLs. As you mentioned there are a number of papers online that explain how ACL works on Dell support site.

What I would suggest is this - try setting up the ACL based on the example that are shown in those papers. Then post what you tried here and explain your difficulties and we'll be able to help you figure out the solution. This will help you understand why something work or not work and will help you in the long run since you have to maintain these switches after all :-).

Cuong.

DELL-Cuong N. · Answer

ACL are applied in order so if the first rule already fit then nothing else will be tried. There is an implicit deny at the end of the set of rules so if you define a set of "permit" rule and nothing else then if none of the permit rule succeed then the implicit deny will take affect.

Here is the section of documents on 6024 that talks about ACL CLI commands:

<ADMIN NOTE: Broken link has been removed from this post by Dell>

Cuong.

jbilliau · Answer

Yes the 6024. I've just never worked with ACL's much so I wanted help with priority really. Would I create all my permit statements first (i.e port 80, 443, etc) then put a deny at the end? Because I put a deny first, then made a permit acl for port 80, but web browsing never worked. Im guessing because that first ACL it never got passed.

Id also like to know if there's documentation on commands? For example Im trying to unbind an ACL from an interface, but can only do it through the web interface. If I try "no service-acl input vlan_2" it doesnt work. I always thought "no" in front of commands took them off

jbilliau · Answer

Well for example Im trying to run this command.   http://chugger.homeip.net/test/acl1.gif     Also, what I meant by that last statement is this:   My VLAN2 is on the subnet (10.0.1.0).  So, when Im creating ACL's specifiy that are going to be applied to that VLAN only, do I need to specify  permit-tcp 10.0.1.0 0.0.0.255 etc etc,  or should I just put permit-tcp any any etc etc,   I just figured if that ACL is applied to VLAN2 only, then u can almost just use 'ANY' and not need to put 10.0.1.0 everytime as the source.   I know its confusing..  :) Message Edited by jbilliau on 03-10-2006 11:23 AM

DELL-Cuong N. · Answer

The paper is actually describing ACL on the 33xx which has a slightly different syntax then the 6024 but the idea is the same.  You should refer to the paper for some idea on how ACL works but you need to look at the 6024 documentation for the command to use.   The 33xx permit commands look like this: permit-tcp { any | source source-wildcard}} { any | source-port} { any | destination destination-wildcard}} { any | destination-port} [dscp dscp number | ip-precedence ip-precedence] So you can see that the 'any' refer to any port.   Not sure I understand the last question but let me guess :-).  You are trying to allow traffic from any source on VLAN 2 to any destination access to port 21?  If so you could specify any for source and destination and port 21.  If you wanted any packet from any source but ONLY to destinate address B and only on port 21 then specify ANY for source and the appropriate IP/mask for destination and port 21 for example.   Anyway, just remember that you are applying the ACL only on ingress so think about what the packet looks like - its source and destination address and think about how to apply the appropriate rule that would result in denying or permitting the packets that you wanted.   Cuong.

jbilliau · Answer

Thankyou Cuong N.   One more question here, in one of the dell documentatoins on ACL's I see some that say for example:   permit-tcp 10.0.0.0 0.0.0.255 any 192.168.1.0 0.0.0.63 22   What does the ANY in there for / do?   I always thought ACLs were in the form of:   permit-tcp {source ip} {subnet mask} {destination ip} {subnet mask} {port number} permit-tcp 10.0.1.0 0.0.0.255 10.0.0.1 0.0.0.255 21   If Im applying an ACL to VLAN2 and only that VLAN, should I just use ANY instead of source (10.0.1.0) ?   Message Edited by jbilliau on 03-10-2006 10:26 AM

DELL-Cuong N. · Answer

Please look at the 6024 documentation which will give you the correct syntax. Also when using the CLI if you put "permit-tcp ?" you will get online help that tell you what parameters you are missing. Please review that information.

Here is the command from the 6024 documentation:

permit-tcp {any | source source-wildcard } {any | source-port} {any | destination destination-wildcard } {any | destination-port} [dscp dscp-number | ip-precedence ip-precedence]

Compare that to what you enter and see if you are missing something.

Also review the whitepaper which explain how ACL works. Please note the whitepaper uses 33xx syntax so you must still look at 6024 syntax to correct the commands you find in the paper but the flow is the same.

Cuong.

jbilliau · Answer

Ok I really dont get ACL's then. Ive been going over documentation for hours now trying about every combination with no success. All Im trying to do is give VLAN2 (10.0.1.0) access to port 80 (web browsing)

I even tried something simple like:

permit-tcp any any 10.0.0.0 0.0.0.255 80

with no success

10.0.0.1 is our gateway, so Im trying to only make the destination that address rather than ANY. Is my thinking off here Cuong?

DELL-Cuong N. · Answer

:-).  Ok think about what this ACL does (permit-tcp any any 10.0.0.0 0.0.0.255 80).   It said you want to allow ANY source address from ANY source port access to destination address only on 10.0.0.0/24 subnet and port 80.  Is that what you intended?  When you try to access the web server, is the web server (destination IP) running on 10.0.0.0/24 subnet?  Or did you intend for the system to get access to ANY web server out on the internet such as Yahoo.com for example.  'Yahoo.com' is not likely to be on 10.0.0.0/24 subnet.   So in this case what really do you want it to do?  You probably want the workstation on the VLAN 2 to have access TO ANY web servers running on the internet right?  But you also don't want it to have access to anything else beside the web server.   So maybe this rule might work - 'permit-tcp any any any 80'.  This said you want any source from any port to any destination but only if the destination port is 80.  And remember the implicit deny?  So if this rule doesn't match, then the deny rule kicks in and if the system tries to access any other destination port, it is denied.   So is this enough?  Maybe not - remember HTTPS doesn't use port 80 so you may need to open up HTTPS port too.  What about FTP, you might want to provide access to the FTP ports otherwise you won't be able to download from some sites.  There maybe other ports you would open up.  Also, is there a DNS server or a DHCP server on the 10.0.0.0/24 subnet that you need to provide access to for the workstations on VLAN 2?  If so you need to create rules to specifically give access ONLY to that server on the 10.0.0.0/24 subnet.  For example, if your server is 10.0.0.100 then maybe you need a rule like this 'permit-tcp any any 10.0.0.100 any' which gives access for all the hosts on VLAN 2 access to the server running at 10.0.0.100 IP address (you could give specific destination port to provide access only to certain services on the server if you like).  There are lots of other thing you can do with ACL.  Experiment and see what you can do.   Cuong.

jbilliau · Answer

I think I gave up back then on this, but now Im attempting again.   I used the permit-tcp any any any 80, and did the same with 53 and 443, setting each priority 1, 2 & 3.  Actually I used the web interface to make the rules.  Then applied the ACL to VLAN2.  Guess what?  Doesnt work.  All ports still remain open and everything works.   I thought that by permitting all these ports, they would be the only ones open, and then the implicit deny at the end would block everything else, like FTP.  However FTP still works when it shouldnt be.

Networking General

using ACL's to block VLAN's

Was this post helpful?