February 26th, 2004 14:00
VLANs / Routing / ACLs / IP Addressing
Hello,
I have a PowerConnect 3348 that I need to configure with multiple VLANs to separate out the domain controllers, web servers and SQL servers.
Here is what I need:
All servers need to access the Domain Controllers for Authentication and DNS queries. The web servers need to have port 80 and 443 accessible to all workstations. The SQL servers only need to be accessible from the web servers on port 1433. The web server computers will have dual network cards on both VLAN 3 and VLAN 4.
VLAN 2 - Domain Controllers
ip address 192.168.1.1
service-acl input vlan2
exit
VLAN 3 - Web Servers
ip address 192.168.2.1
service-acl input vlan3
exit
VLAN 4 - SQL Servers and internal adapter of web servers
ip address 192.168.3.1
service-acl input vlan4
exit
ip access-list vlan2
permit any any any
exit
ip access-list vlan3
permit-tcp any any 192.168.2.0 0.0.0.255 80
permit-tcp any any 192.168.2.0 0.0.0.255 443
exit
ip access-list vlan4
permit-tcp 192.168.2.0 0.0.0.255 any 192.168.3.0 0.0.0.255 1433
exit
After entering the above and assigning the appropriate port to the correct VLAN I still cannot access anything across the VLANs. There is a single workstation on VLAN 1 for configuring the device, and the IP address of the device is 192.168.0.2, with a default gateway of 192.168.0.1, which will be my external router.
Also, what ports do I need to open up to allow authentication to the domain controllers from the web servers and/or SQL servers?
Any help would be appreciated.
Thanks,
Brandon


DELL-Randy
March 1st, 2004 12:00
Initially, placement of the ACL will be critical to achieving the expected results. Keep in mind that the ACL is applied to traffic physically entering the switch's interface. Since the ACL will only be applied to incoming traffic, determining where the ACL should be placed will aid you in configuring the traffic flows that are to be permitted or denied.
Also, keep in mind that at the end of every ACL is an implicit deny. Therefore, if traffic is not specifically permitted, the switch will automatically drop the traffic if it does not meet the ACL credentials.
In your access-list - vlan3 - you specifically permit TCP traffic from any source port -> from any host -> to the network 192.168.2.0 -> destined for port 80 and 443. In such an instance, traffic such as ping (ICMP), telnet, and other variants of IP traffic will not be forwarded due to the implicit deny at the end of the ACL and there not being a permit statement configured allowing the traffic to pass.
Access-list - vlan2 - seems irrelevant as the statement allows any traffic to be forwarded. Simply creating a VLAN and only configuring the required ports in the VLAN would produce the same results.
Information you may find useful on configuring your ACLs is in Dell's White Papers, one of which outlines Access-Lists. You may view the information here -
http://www1.us.dell.com/content/topics/global.aspx/solutions/en/pwcnt_papers?
The article titled "Deploying ACLs to Manage Network Security" outlines configuration and placement of the access-lists. Hope this information helps.
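The two points made above (the list is applied to traffic entering the switch on that VLAN, and anything not explicitly permitted hits the implicit deny) can be checked against the access-lists Brandon posted. The following is an added example, written for this thread and not code from Dell or from either poster: a small stateless, first-match ACL model in Python that transcribes the three posted lists and runs a few constructed flows through them. It assumes that `permit-tcp <src> <wildcard> <dst> <wildcard> <port>` means "TCP from the source network to the destination network on that destination port", that the ingress VLAN of a packet is the VLAN of its source subnet, and that VLAN 1 has no list bound; the host addresses and the reply port numbers are made up.

```python
"""Stateless, first-match inbound VLAN ACL model with an implicit deny.

Rules transcribe the access-lists posted in the thread.  The mapping of the
`permit-tcp` fields to protocol / source / destination / port is an assumption
made for this example, not a statement of the PowerConnect grammar.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn '192.168.2.0 0.0.0.255' (address + wildcard mask) into 192.168.2.0/24."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = str(ipaddress.IPv4Address((~wc) & 0xFFFFFFFF))
    return ipaddress.IPv4Network((addr, mask), strict=False)


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dst_port: Optional[int] = None  # ICMP carries no port
    src_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]                    # None = any protocol
    src: Optional[ipaddress.IPv4Network]    # None = any source
    dst: Optional[ipaddress.IPv4Network]    # None = any destination
    dst_port: Optional[int] = None          # None = any destination port
    src_port: Optional[int] = None          # None = any source port

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ipaddress.IPv4Address(p.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.IPv4Address(p.dst) not in self.dst:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        if self.src_port is not None and self.src_port != p.src_port:
            return False
        return True


DC_NET = wildcard_net("192.168.1.0", "0.0.0.255")   # VLAN 2
WEB_NET = wildcard_net("192.168.2.0", "0.0.0.255")  # VLAN 3
SQL_NET = wildcard_net("192.168.3.0", "0.0.0.255")  # VLAN 4

# The three lists exactly as posted, each bound inbound on its own VLAN.
POSTED_ACLS = {
    "vlan2": [Rule(None, None, None)],                                    # permit any any any
    "vlan3": [Rule("tcp", None, WEB_NET, 80), Rule("tcp", None, WEB_NET, 443)],
    "vlan4": [Rule("tcp", WEB_NET, SQL_NET, 1433)],
}

# Ingress VLAN inferred from the sender's subnet; 192.168.0.0/24 (VLAN 1) has no list bound.
VLAN_OF_NET = {DC_NET: "vlan2", WEB_NET: "vlan3", SQL_NET: "vlan4"}


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching permit wins; falling off the end is the implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return "permit"
    return "deny"


def forwarded(p: Packet, acls=POSTED_ACLS) -> str:
    """Apply only the list bound to the VLAN the packet enters on."""
    src = ipaddress.IPv4Address(p.src)
    vlan = next((v for net, v in VLAN_OF_NET.items() if src in net), None)
    acl = acls.get(vlan)
    return "permit" if acl is None else evaluate(acl, p)


# A corrected vlan3 list: the web rules, DNS to the domain controllers, SQL access,
# and the HTTP/HTTPS replies the web servers send back out (a stateless list has to
# permit return traffic explicitly).  The authentication ports asked about in the
# thread are not on the page and are left as a placeholder comment.
FIXED_ACLS = dict(POSTED_ACLS)
FIXED_ACLS["vlan3"] = POSTED_ACLS["vlan3"] + [
    Rule("udp", WEB_NET, DC_NET, 53),
    Rule("tcp", WEB_NET, DC_NET, 53),
    Rule("tcp", WEB_NET, SQL_NET, 1433),
    Rule("tcp", WEB_NET, None, src_port=80),
    Rule("tcp", WEB_NET, None, src_port=443),
    # Rule("tcp", WEB_NET, DC_NET, <AUTH_PORT>),  # placeholder: fill from DC documentation
]

if __name__ == "__main__":
    flows = [  # constructed sample traffic
        Packet("tcp", "192.168.0.50", "192.168.2.10", 80),                 # workstation -> web
        Packet("tcp", "192.168.2.10", "192.168.0.50", 51000, src_port=80),  # web -> workstation reply
        Packet("udp", "192.168.2.10", "192.168.1.5", 53),                  # web -> DC, DNS
        Packet("icmp", "192.168.2.10", "192.168.1.5"),                     # web -> DC, ping
        Packet("tcp", "192.168.2.10", "192.168.3.30", 1433),               # web -> SQL
    ]
    for f in flows:
        print(f"{f.proto:4} {f.src:>13} -> {f.dst:<13} {str(f.dst_port or ''):>5}"
              f"  posted={forwarded(f):6}  fixed={forwarded(f, FIXED_ACLS)}")
```

Running it shows the symptom from the first post: the workstation's request to port 80 is forwarded (no list on VLAN 1), but every packet the web servers send, including the HTTP reply, the DNS query and the ping, enters on VLAN 3, matches neither permit line and is dropped. The corrected list permits those flows; ping is still denied because no ICMP rule was added. The same return-traffic consideration applies to the vlan4 list, which as posted never permits the SQL servers' replies.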