
Why the hell don't my ACLs work?

Morty3 Member Posts: 139
Working it with L3 switching here. Placed some ACLs on the SVIs. They do nothing, though.

A cleaned-up config:

Building configuration...

Current configuration : 8416 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Core
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.AsI$qw4NVZsqopQkYD2bqo8yn0
!
no aaa new-model
clock timezone Stockholm 1
system mtu routing 1500
vtp interface fastethernet0/9
vtp domain ----
vtp mode transparent
ip subnet-zero
ip routing
ip domain-name core
ip name-server 192.168.0.60
ip name-server 192.168.0.61
ip name-server 4.2.2.2
ip name-server 8.8.8.8
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 600
ip dhcp excluded-address 192.168.10.1 192.168.10.25
ip dhcp excluded-address 192.168.30.1 192.168.30.25
ip dhcp excluded-address 192.168.20.1 192.168.20.25
ip dhcp excluded-address 192.168.100.0 192.168.100.25
ip dhcp excluded-address 192.168.200.0 192.168.200.25
!
ip dhcp pool 1
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
dns-server 192.168.0.60 192.168.0.61
domain-name avantime.local
lease 3
!
ip dhcp pool 2
network 192.168.30.0 255.255.255.0
default-router 192.168.30.254
dns-server 192.168.0.60 192.168.0.61
lease 3
!
ip dhcp pool PUBLIC_WIFI
network 192.168.200.0 255.255.255.0
default-router 192.168.200.254
dns-server 4.2.2.2
lease 0 1
!
ip dhcp pool 3
network 192.168.11.0 255.255.255.0
default-router 192.168.11.254
dns-server 192.168.0.60 192.168.0.61
domain-name avantime.local
lease 10
!
ip dhcp pool 4
network 192.168.40.0 255.255.255.0
default-router 192.168.40.254
dns-server 192.168.0.60 192.168.0.61
domain-name avantime.local
lease 10
!
!
login block-for 30 attempts 10 within 20
login delay 5
!
!
!
!
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery cause mac-limit
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 5
name SERVER_FARM
!
vlan 11
name 11
!
vlan 20
name 20
!
vlan 30
name 30
!
vlan 100
name Private_WLAN
!
vlan 200
name Public_WLAN
!
vlan 1000
name EMPTY_VLAN
!
vlan 1337
name leet=D
!
!
!
interface FastEthernet0/1
description LINK TO ISA AND WAN
switchport access vlan 5
switchport mode access
switchport port-security
!
interface FastEthernet0/2
description LINK TO SERVERS
switchport access vlan 5
switchport mode access
switchport port-security maximum 1000
switchport port-security
spanning-tree portfast
!
interface FastEthernet0/3
description PORTS TO COMPS
switchport access vlan 11
switchport mode access
switchport port-security maximum 1000
switchport port-security
!
interface FastEthernet0/4
switchport access vlan 11
switchport mode access
switchport port-security maximum 1000
switchport port-security
!
interface FastEthernet0/5
description LINK TO COMPS
switchport access vlan 20
switchport mode access
switchport port-security maximum 1000
switchport port-security
!
interface FastEthernet0/6
switchport access vlan 1000
switchport mode access
switchport port-security maximum 1000
switchport port-security
!
interface FastEthernet0/7
description LINK TO COMPS
switchport access vlan 30
switchport mode access
switchport port-security maximum 1000
switchport port-security
!
interface FastEthernet0/8
switchport access vlan 1000
switchport mode access
switchport port-security maximum 1000
switchport port-security
spanning-tree portfast
!
interface FastEthernet0/9
switchport access vlan 1000
switchport trunk encapsulation isl
switchport mode access
switchport port-security maximum 1000
switchport port-security
spanning-tree portfast
!
interface FastEthernet0/10
switchport access vlan 1000
switchport mode access
switchport port-security maximum 1000
switchport port-security
spanning-tree portfast
!
interface FastEthernet0/11
switchport access vlan 5
switchport mode access
switchport port-security maximum 1000
switchport port-security
spanning-tree portfast
!
interface FastEthernet0/12
switchport access vlan 1337
switchport mode access
switchport port-security maximum 1000
switchport port-security
spanning-tree portfast
!
interface GigabitEthernet0/1
shutdown
!
interface Vlan1
no ip address
!
interface Vlan5
ip address 192.168.0.254 255.255.255.0
!
interface Vlan10
ip address 192.168.10.254 255.255.255.0
ip access-group Avantime out
!
interface Vlan11
ip address 192.168.11.254 255.255.255.0
ip access-group ACL out
!
interface Vlan20
ip address 192.168.20.254 255.255.255.0
ip access-group it out
!
interface Vlan30
ip address 192.168.30.254 255.255.255.0
ip access-group De out
!
interface Vlan100
ip address 192.168.100.254 255.255.255.0
!
interface Vlan200
ip address 192.168.200.254 255.255.255.0
!
interface Vlan1000
no ip address
!
interface Vlan1337
ip address 192.168.40.254 255.255.255.0
ip access-group DG out
!
ip default-gateway 192.168.0.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip http server
!
ip access-list standard allowed_telnet_address
permit 192.168.0.222 log
deny any log
!
ip access-list extended ACL
deny ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255 log
deny ip 192.168.11.0 0.0.0.255 192.168.30.0 0.0.0.255 log
deny ip 192.168.11.0 0.0.0.255 192.168.100.0 0.0.0.255 log
deny ip 192.168.11.0 0.0.0.255 192.168.200.0 0.0.0.255 log
deny ip 192.168.11.0 0.0.0.255 192.168.40.0 0.0.0.255 log
permit ip any any
ip access-list extended DG
deny ip 192.168.40.0 0.0.0.255 192.168.11.0 0.0.0.255 log
deny ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255 log
deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255 log
permit ip any any
ip access-list extended De
remark "This ACL restricts access between VLANs"
deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 log
deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255 log
deny ip 192.168.30.0 0.0.0.255 192.168.100.0 0.0.0.255 log
deny ip 192.168.30.0 0.0.0.255 192.168.200.0 0.0.0.255 log
permit ip any any
ip access-list extended it
remark "This ACL restricts access between VLANs"
deny ip 192.168.20.0 0.0.0.255 192.168.11.0 0.0.0.255 log
deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 log
deny ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255 log
deny ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255 log
remark This blocks access to the other VLANs but allows WAN access
permit ip any any
ip access-list extended test
deny ip 192.168.40.0 0.0.0.255 any log
!
no cdp run
!
control-plane
!
!
end
CCNA, CCNA:Sec, Net+, Sonicwall Admin (fwiw). Constantly getting into new stuff.

Comments

    APA Member Posts: 959
    Apply them 'in' and see them start working :)

    With SVIs the way ACLs are applied should be reversed...

    Traffic coming in --> SVI---> to SVI VLAN hosts = Apply ACL in 'out' direction as the traffic wants to exit the SVI to reach the VLAN hosts.

    Traffic from hosts within the VLAN ---> SVI ----> to host outside the VLAN = Apply ACL in 'in' direction as hosts are sending into the SVI to reach external hosts.

    Confusing I know... but just something extra to remember with SVIs :)

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
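The direction rule in the reply above, as an added example that is not code from the thread or from either poster: a small Python model that parses the thread's own `ip access-list extended` / `ip access-group` syntax and routes one packet from VLAN 11 to VLAN 20 through the two SVIs, once with the ACLs applied `out` as posted and once applied `in`. IOS checks the inbound ACL of the SVI the packet enters and the outbound ACL of the SVI it leaves; the model does the same. The config string is a constructed fragment built from the posted subnets and ACL names, and the parser only understands `ip` ACEs with `any` or contiguous wildcard masks, which is all the posted ACLs use.

```python
"""Where a router ACL on an SVI is actually evaluated.

Added example, not code from the thread. It parses a constructed config
fragment (subnets and ACL names taken from the posted config) and routes a
packet between two SVIs, checking the inbound ACL of the ingress SVI and the
outbound ACL of the egress SVI, which is how IOS applies router ACLs.
Only 'ip' ACEs with 'any' or contiguous wildcard masks are supported.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed fragment: two of the posted SVIs and their ACLs, applied 'out'
# as in the original post.
ORIGINAL = """
interface Vlan11
 ip address 192.168.11.254 255.255.255.0
 ip access-group ACL out
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
 ip access-group it out
ip access-list extended ACL
 deny ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 permit ip any any
ip access-list extended it
 deny ip 192.168.20.0 0.0.0.255 192.168.11.0 0.0.0.255 log
 permit ip any any
"""
# Same fragment with the fix from the reply: 'ip access-group <name> in'.
FIXED = ORIGINAL.replace(" out", " in")


def wildcard_to_net(addr, wildcard):
    """'192.168.11.0 0.0.0.255' -> 192.168.11.0/24 (assumes a contiguous wildcard)."""
    host_bits = int(ipaddress.ip_address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}")


def parse_ace(tokens):
    """['deny', 'ip', '192.168.11.0', '0.0.0.255', 'any', 'log'] -> (action, src, dst)."""
    action, fields, nets = tokens[0], tokens[2:], []
    while len(nets) < 2:
        if fields[0] == "any":
            nets.append(ANY)
            fields = fields[1:]
        else:
            nets.append(wildcard_to_net(fields[0], fields[1]))
            fields = fields[2:]
    return action, nets[0], nets[1]


def parse(config):
    """Return ({svi: {net, acl, dir}}, {acl_name: [ACE, ...]})."""
    svis, acls, section = {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            section = ("svi", t[1])
            svis[t[1]] = {"net": None, "acl": None, "dir": None}
        elif t[:2] == ["ip", "access-list"]:
            section = ("acl", t[3])
            acls[t[3]] = []
        elif section and section[0] == "svi" and t[:2] == ["ip", "address"]:
            svis[section[1]]["net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif section and section[0] == "svi" and t[:2] == ["ip", "access-group"]:
            svis[section[1]].update(acl=t[2], dir=t[3])
        elif section and section[0] == "acl" and t[0] in ("permit", "deny"):
            acls[section[1]].append(parse_ace(t))
    return svis, acls


def acl_verdict(aces, src, dst):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for action, s, d in aces:
        if src in s and dst in d:
            return action
    return "deny"


def route(svis, acls, src_ip, dst_ip):
    """Route one packet between SVIs and report where, if anywhere, it is dropped."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ingress = next((n for n, s in svis.items() if s["net"] and src in s["net"]), None)
    egress = next((n for n, s in svis.items() if s["net"] and dst in s["net"]), None)
    # Inbound ACL on the ingress SVI is checked first, then the outbound ACL on the egress SVI.
    for name, direction in ((ingress, "in"), (egress, "out")):
        if name is None:
            continue  # destination is off-switch (default route), so no egress SVI
        svi = svis[name]
        aces = acls.get(svi["acl"])
        if aces is None or svi["dir"] != direction:
            continue  # no ACL, wrong direction, or an undefined ACL (IOS permits everything)
        if acl_verdict(aces, src, dst) == "deny":
            return "deny", f"{svi['acl']} {direction} on {name}"
    return "permit", "no deny ACE on the path"


def demo(src_ip="192.168.11.5", dst_ip="192.168.20.5"):
    """Verdict for the same packet under the posted ('out') and fixed ('in') configs."""
    return {label: route(*parse(cfg), src_ip, dst_ip)[0]
            for label, cfg in (("out", ORIGINAL), ("in", FIXED))}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"ACLs applied '{label}': 192.168.11.5 -> 192.168.20.5 is {verdict}")
```

With the lists applied `out`, a packet from 192.168.11.5 never leaves the Vlan11 SVI toward VLAN 11 hosts, so the `deny ip 192.168.11.0 ...` entries are never consulted; it leaves through Vlan20, where the `it` list only denies sources in 192.168.20.0/24, and the `permit ip any any` lets it through. Applied `in`, the same packet hits the first deny on Vlan11. On the switch, `show ip interface vlan 11` reports which list is applied and in which direction, and `show ip access-lists ACL` lists the entries; the deny entries carry `log`, so once they start matching the hits also show up in the log. One more thing the posted config shows: Vlan10 applies a list named `Avantime` that is not defined anywhere in the cleaned-up config, and IOS treats an access-group that references an undefined list as permit-all, so if that list is really missing on the switch that SVI is unfiltered.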
    Morty3 Member Posts: 139
    Gonna try that... Let's hope it does the trick! I was thinking "Packet comes in, no check. Packet goes out of SVI, now ACL:
    Source of that vlan? Match
    Going to another vlan? Then discard
    Going to anything else? Then proceed."

    Guess it goes the same when placed on "in"; the only difference is that it works?
    CCNA, CCNA:Sec, Net+, Sonicwall Admin (fwiw). Constantly getting into new stuff.