Tuesday, January 7, 2014

Keeping Your Internal Network Secure From The Guest VLAN -- by Nicholas Williams

Nicholas has been kind enough to write about his experience with Brocade in setting up security for an internal network from a guest VLAN.  Lets see what he has to say in this guest post.  Thanks Nicholas for writing about your experience.  --Shane Killen

Example Network:
  VLAN 2          10.6.2.0    255.255.255.0
  VLAN 8          10.6.8.0    255.255.255.0
  Guest VLAN 200  10.6.200.0  255.255.255.0  - Default Gateway 10.6.200.1

I wanted to keep our internal network secure by preventing the guest VLAN from reaching our other internal VLANs on our Brocade switches.

Denies all traffic from the guest VLAN to the 10.6.2.0 255.255.255.0 network (the final config repeats this line for 10.6.8.0).
access-list 122 deny ip any 10.6.2.0 0.0.0.255

Prevents management access to the default gateway on the guest VLAN. The blocked ports are telnet, SSH, HTTP, HTTPS (ssl), and SNMP; DHCP (bootps) is still allowed.
access-list 122 deny tcp any host 10.6.200.1 eq telnet
access-list 122 deny tcp any host 10.6.200.1 eq ssh
access-list 122 deny tcp any host 10.6.200.1 eq http
access-list 122 deny tcp any host 10.6.200.1 eq ssl
access-list 122 deny tcp any host 10.6.200.1 eq 161
access-list 122 deny udp any host 10.6.200.1 eq snmp
access-list 122 permit udp any any eq bootps

Permits all remaining traffic from the guest subnet, so guest hosts can still reach the Internet through the default gateway.
access-list 122 permit ip 10.6.200.0 0.0.0.255 any

The order is VERY important. Every access list ends with an implicit deny-all
rule. Access lists are processed from the top down, and the first rule that
matches the traffic is the one that is applied.
conf t
int ve 200
ip access-group 122 in

Final config result
access-list 122 deny ip any 10.6.2.0 0.0.0.255
access-list 122 deny ip any 10.6.8.0 0.0.0.255
access-list 122 deny tcp any host 10.6.200.1 eq telnet
access-list 122 deny tcp any host 10.6.200.1 eq ssh
access-list 122 deny tcp any host 10.6.200.1 eq http
access-list 122 deny tcp any host 10.6.200.1 eq ssl
access-list 122 deny tcp any host 10.6.200.1 eq 161
access-list 122 deny udp any host 10.6.200.1 eq snmp
access-list 122 permit udp any any eq bootps
access-list 122 permit ip 10.6.200.0 0.0.0.255 any

conf t
int ve 200
ip access-group 122 in
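To check the top-down, first-match behaviour described above, here is an added Python example (not from the post or from Brocade) that parses ACL 122 as written in the final config and evaluates a few constructed packets against it, including a misordered variant with the closing permit moved to the top so the denies are shadowed. The evaluator itself, the port-name table and the sample addresses (10.6.200.50, 203.0.113.9, 10.6.3.7) are assumptions made for this example.

```python
import ipaddress

# ACL 122 from the final config above (copied here so the example runs stand-alone).
ACL_122 = """\
access-list 122 deny ip any 10.6.2.0 0.0.0.255
access-list 122 deny ip any 10.6.8.0 0.0.0.255
access-list 122 deny tcp any host 10.6.200.1 eq telnet
access-list 122 deny tcp any host 10.6.200.1 eq ssh
access-list 122 deny tcp any host 10.6.200.1 eq http
access-list 122 deny tcp any host 10.6.200.1 eq ssl
access-list 122 deny tcp any host 10.6.200.1 eq 161
access-list 122 deny udp any host 10.6.200.1 eq snmp
access-list 122 permit udp any any eq bootps
access-list 122 permit ip 10.6.200.0 0.0.0.255 any
"""
# Port keywords used in the ACL, resolved to numbers (assumed mapping for this example).
PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80, "ssl": 443, "snmp": 161, "bootps": 67}

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wild = int(ipaddress.ip_address(tokens.pop(0)))  # contiguous wildcard: 0.0.0.255 -> /24
    return ipaddress.ip_network(f"{tok}/{32 - wild.bit_length()}", strict=False)

def parse_rule(line):
    """Parse 'access-list N action proto src dst [eq port]' into a tuple."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, dst = _addr(rest), _addr(rest)  # pops consume src first, then dst
    port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl_text, proto, src, dst, dport=None):
    """Top-down, first-match evaluation; no match at all means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_text.strip().splitlines():
        action, rproto, rsrc, rdst, rport = parse_rule(line)
        if rproto in ("ip", proto) and s in rsrc and d in rdst and rport in (None, dport):
            return action, line  # first match wins; later lines are never consulted
    return "deny", "implicit deny"

def permit_moved_first(acl_text):
    """Misordered variant: the closing 'permit ip' line placed at the top, shadowing every deny."""
    lines = acl_text.strip().splitlines()
    return "\n".join([lines[-1]] + lines[:-1])
```

Note that an internal subnet not listed in a deny line (10.6.3.7 in the checks) is reached through the final permit, so every internal VLAN needs its own deny entry.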
