ACL on Trunk Port – Security Configuration

aclSecuritytrunk

our network infrastructure as showing the image below

I had to give an external company (dealing with Face recognition) software an access to both the server (172.26.33.56) and the IP Camera (172.26.35.28) which are existed in our LAN 172.26.x.x/16 as showing.

their access has to be only permitted on these 2 machines and to the internet.
-gateway IP (Cisco ASA internal):10.10.10.6
-DNS 1 IP: 172.26.33.2
-DNS 2 IP: 172.26.33.4

I have configured an ACL to allow their access only to (IP Camera,Server,Internet)and applied the ACL on the trunk port Fa0/19 connecting between access switch 1 & access Switch 2 as per below knowing that STA6-2 is Access Switch 1 in the diagram:

……………………………..
the problem is that after applying the ACL , server still have access to other resources on the LAN (example My PC 172.26.39.147)

so please enlighten me on how to fix this.

Regards,
Ethem

Best Answer

Your mistake is that the trunk interface is a layer-2 interface, but you are trying to apply a layer-3 ACL. Layer-2 switching doesn't look at the layer-3 addressing, which is what your ACL is using. You need to apply the ACL to a layer-3 (SVI) interface.

The point of VLANs is that traffic cannot get from one VLAN to another VLAN, except through a router (or routing module in a layer-3 switch). A trunk keeps traffic in each VLAN separate, just as if you had separate physical switches, by tagging the frames with VLAN tags.

Routing will, by default, route traffic from one VLAN to another, but you can place ACLs in the routed interfaces (those with IP addresses assigned to them) to allow or block specific traffic.

You are using extended ACLs, so you should place them as close to the traffic source as possible.

Related Solutions

Cisco – How to configure OOB access via IP

Depending on the hardware you're talking about you should take different considerations.

For instance Cisco provides a dedicated set of port/RAM and flash for OOB access on SUP2T, so you would be able to access to your device even when RP hangs. OTOH, in some Juniper boxes, the management port is attached directly to the RE and so you should easily hang your router from there.

That said, I would recommend you to put a management CPE between your devices and your OOB internet access and set up a GRE tunnel between it and your central management server.

HP Procurve 5406zl – ACL issue

According to the Access Security Guide for your device, the first address and mask of an ACE is source and the second address and mask is the destination. (Just in case, an ACE is an Access Control Entry; that is any line an access-list is made of)

ACE 20 of your ACL states source 192.168.50.0/24 and destination 192.168.101.0/24, then you apply the ACL at VLAN 101 input; however, your VLAN 101 is 192.168.101.0/24, so any input traffic at VLAN 101 would have source address in 192.168.101.0/24. So ACE 20 in your ACL is wrong, you need an ACE with action permit, source 192.168.101.0/24 and destination 192.168.50.0/24.

ip access-list extended "SecureContent"
    10 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255

Regarding the way back for this traffic, it will cross VLAN 101 outbound, so ACL should not be applied to this traffic and it should be allowed.

If traffic back is not allowed then you need to add the way back in your ACL.

ip access-list extended "SecureContent"
    10 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255
    20 permit ip 192.168.50.0 0.0.0.255 192.168.101.0 0.0.0.255

EDITED to change the line above to reflect proper ACL structure of numbered entries. (10, 20, etc).

Best Answer

Related Solutions

Cisco – How to configure OOB access via IP

HP Procurve 5406zl – ACL issue

Related Topic