ACL to only allow Internet

HwGregg8
Level 1

I would like to set up an ACL to only allow Internet, DHCP, and DNS. No inter-VLAN routing. Would the following work?

This will be on a pair of 7k's

Thanks for your Help!

Greg

ip access-list Internet_Only
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any 172.31.x.x (GateWay)
permit tcp any any eq www
permit tcp any any eq 443
permit UDP 172.31.220.200 any eq 67
permit UDP 172.31.220.200 any eq 68
permit UDP 172.31.2.95 any any eq domain
permit UDP 172.31.2.95 eq domain any
permit TCP 172.31.2.95 any any eq domain
permit TCP 172.31.2.95 eq domain any
deny ip any any log

gwinn.joe
Level 1

Hey Howard,

Whether it will have the desired results depends on where you're planning to apply this ACL and what your internal subnets and VLANs are. It looks like your internal subnets are all the private address spaces, so just for example purposes let's say your network looks like this:

VLAN 10 - 10.0.0.0/8
VLAN 20 - 172.16.0.0/12
VLAN 30 - 192.168.0.0/16

ACLs are sequential: once a packet matches a line of the ACL, it follows that action and does not check any other lines. If you applied that ACL to, let's say, the switch's uplink port (firewall or Internet access port), the first 6 lines of the ACL block all traffic for the 3 subnets, so your DHCP and DNS traffic gets dropped too. You want to make sure you put the more specific rules on top (before the "deny ip any").

For inter-VLAN routing, you have to use VLAN access-maps and filters. Those can be a little tricky, and they don't filter by port or protocol; they only filter by IP address. Also, they are direction specific: you can't apply one "in" or "out" like you do on a port ACL, you just apply it, and if a packet matches the access map and is trying to enter or exit the VLAN, it is dropped.

I may need a little more info on where you're trying to control and your network layout to build both a PACL and a VACL, but I hope that gives you a little more insight on both topics.

Thanks,

Joe
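To make the first-match point concrete, here is a small added simulator (example code written for this thread, not something from the original posts or from Cisco) that evaluates a DNS query and an outbound HTTPS packet against the posted entry order and against an order with the specific permits moved to the top. It assumes a client at 172.31.10.20 and a public address in 203.0.113.0/24 (both constructed), and it models the wildcard masks as prefixes; it also shows that the "deny ip <private> any" lines match Internet-bound traffic from those subnets, not only inter-VLAN traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)

@dataclass
class Ace:
    """One access-control entry; a wildcard mask is modelled as a prefix."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None means any destination port

def matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    return (ace.proto in ("ip", proto)
            and ipaddress.ip_address(src) in ace.src
            and ipaddress.ip_address(dst) in ace.dst
            and ace.dport in (None, dport))

def evaluate(acl, proto, src, dst, dport):
    """First match wins; an unmatched packet hits the implicit deny at the end."""
    for index, ace in enumerate(acl):
        if matches(ace, proto, src, dst, dport):
            return ace.action, index
    return "deny", len(acl)

RFC1918 = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]
DENY_PRIVATE = ([Ace("deny", "ip", ANY, n) for n in RFC1918]
                + [Ace("deny", "ip", n, ANY) for n in RFC1918])
# Constructed "specific" entries: DNS queries to the server, DHCP offers from it.
SPECIFIC = [Ace("permit", "udp", ANY, net("172.31.2.95/32"), 53),
            Ace("permit", "udp", net("172.31.220.200/32"), ANY, 68)]
WEB = [Ace("permit", "tcp", ANY, ANY, 80), Ace("permit", "tcp", ANY, ANY, 443)]

AS_POSTED = DENY_PRIVATE + SPECIFIC + WEB   # denies first, as in the question
REORDERED = SPECIFIC + DENY_PRIVATE + WEB   # specific permits moved to the top

DNS_QUERY = ("udp", "172.31.10.20", "172.31.2.95", 53)       # constructed client
WEB_OUT = ("tcp", "172.31.10.20", "203.0.113.10", 443)       # TEST-NET-3 as "Internet"

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(name, "DNS:", evaluate(acl, *DNS_QUERY), "web:", evaluate(acl, *WEB_OUT))
```

The returned index tells you which entry caught the packet: as posted, the DNS query dies on entry 1 (deny any -> 172.16.0.0/12), and even after reordering the HTTPS packet still dies on the deny 172.16.0.0/12 -> any entry, so the source-side denies need narrowing or the web permits need to precede them.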

twgraham
Level 1

The unwanted IP address space is much larger than the RFC 1918 addresses you have included in your ACL. If you are really fastidious about not letting in undesirable traffic, consult such sites as The Bogon Reference - Team Cymru for lists of bogons to be denied. (It is of course not the only site, but it is the easiest for me to remember.)

Also, the easiest way to prevent inter-VLAN routing might be to put each VLAN in its own VRF and leak the global route to the global routing table. Then you have independent control over what each VLAN is able to access.
