Monday, November 20, 2017

How do I best restrict inbound traffic on individual VLANs?

For maximum segmentation and control, we have over 30 VLANs. What's the proper way to control inbound traffic from each subnet?

If a router or L3 switch is doing the VLAN/routing, you are limited to ACLs. When I try to restrict inbound traffic using ACLs, it blocks responding traffic from inbound connections. For instance, pretend this ACL is applied to fa0/0 inbound:

    ip access-list extended WEBSERVER
     permit icmp host 10.20.110.80 any
     permit udp host 10.20.110.80 host 4.2.2.2 eq domain
     deny ip any 0.0.0.0 0.255.255.255
     deny ip any 10.0.0.0 0.255.255.255
     permit tcp host 10.20.110.80 any eq www
     permit tcp host 10.20.110.80 any eq 443

If I try to connect to 10.20.110.80 on fa0/0 on port 80, the traffic from the host is sourced by some random port like 57644 and therefore is blocked by the inbound ACL since it doesn't match the rules.

I want that host to be able to create outbound connections for DNS, HTTP, HTTPS but I also want it to accept inbound connections since I need it to also host a website.

Am I applying ACLs incorrectly? Do I need to do this on an ASA?

Thanks for any help.
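As an added illustration, not part of the original post, here is a small stateless ACL evaluator in Python that walks the posted WEBSERVER entries in order, the way IOS does, and shows why the server's reply to a client's ephemeral port never matches an "eq www" entry. It also evaluates the same list with IOS "established" entries placed in front, which is my suggestion rather than anything stated in the question; all packet addresses and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False  # ACK or RST bit set, which is what IOS 'established' tests
@dataclass
class Entry:
    action: str            # 'permit' or 'deny'
    proto: str             # 'ip' matches every protocol
    src: str               # CIDR: 'host x' is x/32, wildcard 0.255.255.255 is /8
    dst: str
    sport: int = None
    dport: int = None
    established: bool = False  # entry only matches packets with ack=True

def matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ('ip', p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(e.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(e.dst)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport)
            and (not e.established or p.ack))

def evaluate(acl, p):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for i, e in enumerate(acl):
        if matches(e, p):
            return e.action, i
    return 'deny', None

ANY, WEB = '0.0.0.0/0', '10.20.110.80/32'
WEBSERVER = [  # the ACL from the question, entry for entry, in order
    Entry('permit', 'icmp', WEB, ANY),
    Entry('permit', 'udp', WEB, '4.2.2.2/32', dport=53),
    Entry('deny', 'ip', ANY, '0.0.0.0/8'),
    Entry('deny', 'ip', ANY, '10.0.0.0/8'),
    Entry('permit', 'tcp', WEB, ANY, dport=80),
    Entry('permit', 'tcp', WEB, ANY, dport=443),
]
# Same ACL with 'permit tcp host 10.20.110.80 eq 80 any established' (and eq 443)
# placed first, so the web server's replies pass even to 10.0.0.0/8 clients.
FIXED = [Entry('permit', 'tcp', WEB, ANY, sport=pt, established=True)
         for pt in (80, 443)] + WEBSERVER
# Constructed sample: the server answering a client that connected from port 57644.
REPLY = Packet('tcp', '10.20.110.80', '203.0.113.5', sport=80, dport=57644, ack=True)
```

Note that "established" only checks flag bits on each packet and keeps no connection state; a stateful inspection point (a firewall or a zone-based policy) is what actually tracks sessions.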


