I'm working on configuring ACLs on my 5412zl to increase security. This is probably basic stuff. I'm confused on the best way to configure the ACL.
Here's the idea:
- VLAN 60 = Security Camera VLAN
- VLAN 2 = Server VLAN
- VLAN 8 = Data VLAN
- Then there are other VLANs that never need access to security
Here's what I want:
- Anything in VLAN 60 should NOT be able to contact anything in the other VLANs (e.g. a security camera cannot ping/access something in the server VLAN).
- Two servers in VLAN 2 need to access everything in VLAN 60
- One workstation in VLAN 8 needs to access one device on port 80 in VLAN 60.
- Nothing else needs access to VLAN 60
Here's my config:
    ip access-list extended "Security-Out"
       10 permit ip 10.1.2.10 0.0.0.0 10.1.60.0 0.0.3.255
       15 permit ip 10.1.2.20 0.0.0.0 10.1.60.0 0.0.3.255
       100 permit tcp 10.1.8.10 0.0.0.0 10.1.60.10 0.0.0.0 eq 80
       200 deny ip 0.0.0.0 255.255.255.255 10.1.60.0 0.0.3.255
       exit
    vlan 60
       name "Security"
       untagged E19,F20
       tagged B1,B3-B24,E16-E18,E21,E23,I12,I17
       ip access-group "Security-Out" out
       ip address 10.1.60.1 255.255.252.0
       exit
    vlan 8
       name "Data"
       untagged E19,F20
       tagged B1,B3-B24,E16-E18,E21,E23,I12,I17
       ip address 10.1.8.1 255.255.252.0
       exit
    vlan 2
       name "Server"
       ip address 10.1.0.1 255.255.252.0
       tagged e1
       exit
    (about 15 other VLANs follow that don't have access to VLAN 60)
Okay, this works as intended. But I'm not sure if it's best practice. My biggest worry is that something in VLAN 60 could still potentially do a DoS or something, since I THINK traffic can go from 60 to X, but not back (that's why pings fail).
Guidance or suggestions are very much welcome.
Edit: I should mention that simply applying "ip access-group 'Security-Out' out" in VLAN 60 is how I apply the ACL.
For my GUEST wireless network, I used the opposite process and did "ip access-group 'Guest' in", to stop the traffic in GUEST going to production VLANs.
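To make the direction question concrete, here is a small Python model of the "Security-Out" list from the post. It is an added example, not code from the post or from HP, and it assumes the usual ProCurve ACL semantics: wildcard masks, first match wins, an implicit deny at the end, and an "out" list on a VLAN interface being applied only to packets the switch routes into that VLAN. The ACL entries are the four lines from the post; the camera address 10.1.60.50, the data-VLAN host 10.1.8.50 and the ephemeral reply port 50000 are constructed values.

```python
"""Model of the post's "Security-Out" ACL, showing which packets it evaluates.
Wildcard masks, first-match ordering and the trailing implicit deny follow
ProCurve semantics as assumed in the lead-in (not verified on a 5412zl)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL entries copied from the post; parsed below.
SECURITY_OUT = """
10 permit ip 10.1.2.10 0.0.0.0 10.1.60.0 0.0.3.255
15 permit ip 10.1.2.20 0.0.0.0 10.1.60.0 0.0.3.255
100 permit tcp 10.1.8.10 0.0.0.0 10.1.60.10 0.0.0.0 eq 80
200 deny ip 0.0.0.0 255.255.255.255 10.1.60.0 0.0.3.255
"""

# The list is bound "out" on VLAN 60, whose interface is 10.1.60.1/22 in the post.
VLAN60 = ipaddress.ip_network("10.1.60.0/22")


@dataclass
class Rule:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; "tcp"/"udp" match only that one
    src: str
    src_wc: str            # wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wc: str
    dport: Optional[int]   # destination port from "eq N", if present


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the address bits that are 0 in the wildcard mask."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_acl(text: str) -> List[Rule]:
    """Parse '<seq> <action> <proto> <src> <wc> <dst> <wc> [eq <port>]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        dport = int(tok[8]) if len(tok) > 8 and tok[7] == "eq" else None
        rules.append(Rule(int(tok[0]), tok[1], tok[2], tok[3], tok[4], tok[5], tok[6], dport))
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching entry decides; no match falls through to the implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not wildcard_match(src, r.src, r.src_wc) or not wildcard_match(dst, r.dst, r.dst_wc):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.seq
    return "deny", None


def security_out(rules: List[Rule], proto: str, src: str, dst: str,
                 dport: Optional[int] = None) -> str:
    """An 'out' list on VLAN 60 only sees packets routed INTO VLAN 60 (assumption).
    A packet a camera sends toward another VLAN leaves through that VLAN's
    interface, so this list never looks at it."""
    if ipaddress.ip_address(dst) not in VLAN60:
        return "not evaluated"
    return evaluate(rules, proto, src, dst, dport)[0]


def check_flow(rules: List[Rule], proto: str, client: str, server: str,
               dport: Optional[int] = None, reply_port: int = 50000) -> dict:
    """Verdict for a request and for its reply (the reply goes to the client's
    ephemeral port; 50000 is a constructed value)."""
    return {
        "request": security_out(rules, proto, client, server, dport),
        "reply": security_out(rules, proto, server, client, reply_port),
    }


if __name__ == "__main__":
    acl = parse_acl(SECURITY_OUT)
    # Constructed hosts: a camera (10.1.60.50) and a data-VLAN host (10.1.8.50).
    print("server -> camera:       ", check_flow(acl, "icmp", "10.1.2.10", "10.1.60.50"))
    print("workstation -> cam:80:  ", check_flow(acl, "tcp", "10.1.8.10", "10.1.60.10", 80))
    print("workstation -> cam:443: ", check_flow(acl, "tcp", "10.1.8.10", "10.1.60.10", 443))
    print("camera -> data host:    ", check_flow(acl, "icmp", "10.1.60.50", "10.1.8.50"))
    print("camera -> server:       ", check_flow(acl, "icmp", "10.1.60.50", "10.1.2.10"))
```

Two things the model makes visible. A camera's packet to a data-VLAN host is never checked by the outbound list; only the reply is dropped (entry 200), which is exactly why pings from VLAN 60 fail while the request itself still arrives. And because entries 10 and 15 permit any IP from the two servers into VLAN 60, replies from those servers are allowed, so a camera can reach them bidirectionally. If the goal is that nothing in VLAN 60 can initiate traffic at all, the check to make is on the inbound side of VLAN 60, the same way the GUEST list is applied.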