Saturday, October 2, 2021

Cisco ACLs between VLANs not preventing traffic

I have set up ACLs to deny most traffic between VLANs on a 3750X switch (which is also acting as the inter-VLAN router); however, it does not seem to work at all. More specifically, I have the Servers VLAN 10 and the Clients VLAN 15.

Despite the below configuration, Clients in VLAN 15 have full access to both servers in VLAN 10 (i.e. I can access the Web GUI on Server1 - 10.1.10.10 and can RDP into Server 2 - 10.1.10.11, while the ACLs do not allow that). Additionally, they can also access the Web GUI of the internet router that is on 10.1.20.1, while I believe the ACL below should not allow that.

Ideally I would only want the Clients to have access to:

a) DNS Server running on internet router (10.1.20.1)
b) Access to DHCP server running on internet router (10.1.20.1) so as to receive addresses
c) The TCP 10050 & 10051 ports on Server 10.1.10.12
And then no further access to the internal network, while being allowed to access the internet.

The configuration is as follows:

VLAN 10 (Servers): 10.1.10.0/24
VLAN 15 (Clients): 10.1.15.0/24
VLAN 20 (Internet Gateway): 10.1.20.0/24

interface Vlan10
ip address 10.1.10.1 255.255.255.0
ip access-group 110 in
ip helper-address 10.1.20.1
!
interface Vlan15
ip address 10.1.15.1 255.255.255.0
ip access-group 115 in
ip helper-address 10.1.20.1
!
interface Vlan20
ip address 10.1.20.2 255.255.255.0
!
access-list 110 permit udp 10.1.10.0 0.0.0.255 host 10.1.20.1 eq domain
access-list 110 permit udp any eq bootpc any eq bootps
access-list 110 permit udp host 10.1.10.11 host 10.1.20.1 eq 2056
access-list 110 permit udp host 10.1.10.11 host 10.1.10.1 eq 1645
access-list 110 permit udp host 10.1.10.11 host 10.1.10.1 eq 1646
access-list 110 permit udp host 10.1.10.12 host 10.1.10.1 eq snmp
access-list 110 permit udp host 10.1.10.12 host 10.1.20.1 eq snmp
access-list 110 permit tcp host 10.1.10.12 host 10.1.15.20 eq 10050
access-list 110 permit tcp host 10.1.10.12 host 10.1.15.20 eq 10051
access-list 110 permit ip 10.1.10.0 0.0.0.255 host 10.1.11.10
access-list 110 permit ip 10.1.10.0 0.0.0.255 host 10.1.11.20
access-list 110 deny ip 10.1.10.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.1.10.0 0.0.0.255 any
access-list 110 deny ip any any
!
access-list 115 permit udp 10.1.15.0 0.0.0.255 host 10.1.20.1 eq domain
access-list 115 permit udp any eq bootpc any eq bootps
access-list 115 permit tcp host 10.1.15.20 host 10.1.10.12 eq 10050
access-list 115 permit tcp host 10.1.15.20 host 10.1.10.12 eq 10051
access-list 115 deny ip 10.1.15.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 115 permit ip 10.1.15.0 0.0.0.255 any
access-list 115 deny ip any any

Is my configuration wrong? Is the latest IOS version for this switch buggy? I could post the entire configuration of the switch if need be, since this is a lab environment.

Thanks!
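To separate an ACL logic problem from a platform problem, here is a small first-match evaluator I added (my own code, not from the post) that applies access-list 115 with IOS wildcard-mask semantics to the flows the post describes; it handles only the keywords this ACL uses, and since the list is applied inbound on Vlan15, client-initiated traffic is what it filters.

```python
import ipaddress

# Constructed copy of the page's access-list 115; IOS evaluates entries in
# order, first match wins, with an implicit deny at the end.
ACL_115 = """
access-list 115 permit udp 10.1.15.0 0.0.0.255 host 10.1.20.1 eq domain
access-list 115 permit udp any eq bootpc any eq bootps
access-list 115 permit tcp host 10.1.15.20 host 10.1.10.12 eq 10050
access-list 115 permit tcp host 10.1.15.20 host 10.1.10.12 eq 10051
access-list 115 deny ip 10.1.15.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 115 permit ip 10.1.15.0 0.0.0.255 any
access-list 115 deny ip any any
"""
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "snmp": 161}  # IOS keywords used on this page

_ip = lambda s: int(ipaddress.IPv4Address(s))

def _take_addr(toks):
    # 'any' | 'host A' | 'A WILDCARD' -> ((net, wildcard), rest); a wildcard bit of 1 means "don't care"
    if toks[0] == "any":
        return (0, 0xFFFFFFFF), toks[1:]
    if toks[0] == "host":
        return (_ip(toks[1]), 0), toks[2:]
    return (_ip(toks[0]), _ip(toks[1])), toks[2:]

def _take_port(toks):
    # optional 'eq PORT' -> (port, rest); None means any port
    if toks and toks[0] == "eq":
        return (PORT_NAMES.get(toks[1]) or int(toks[1])), toks[2:]
    return None, toks

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()  # access-list N ACTION PROTO SRC [eq P] DST [eq P]
        action, proto, rest = toks[2], toks[3], toks[4:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, _ = _take_port(rest)
        aces.append((action, proto, src, sport, dst, dport))
    return aces

def _match(addr, spec):
    return (addr ^ spec[0]) & (0xFFFFFFFF ^ spec[1]) == 0

def evaluate(aces, proto, src, sport, dst, dport):
    # Returns (action, 1-based entry number) of the first match, or ('deny', 0) for the implicit deny.
    for n, (action, p, s, sp, d, dp) in enumerate(aces, 1):
        if (p in ("ip", proto) and _match(_ip(src), s) and _match(_ip(dst), d)
                and sp in (None, sport) and dp in (None, dport)):
            return action, n
    return "deny", 0
```

If the evaluator reports deny for the RDP and HTTP flows from the post but the switch still forwards them, the ACL text itself is not the cause; compare the hit counters in `show ip access-lists 115` and confirm that `show ip interface vlan 15` lists 115 as the inbound access list.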


