I would like to secure the VLAN my servers are on, so that only those with an IP in a certain subnet can administer them. Are standard ACLs on the layer 3 switch an appropriate method to achieve this?
-
Solved ACLs for VLAN security
-
@Craig-Walsh said in ACLs for VLAN security:
I would like to secure the VLAN my servers are on, so that only those with an IP in a certain subnet can administer them. Are standard ACLs on the layer 3 switch an appropriate method to achieve this?
When talking about this type of control, you're going to have to go beyond the standard ACL; perhaps consider extended ACLs instead.
Using a standard ACL, remember that your only permit or deny is based on source IP only. If you use a standard ACL to limit it to your specified subnet, by default all other IP ranges are denied by the implicit deny. This means that other subnets that you may want to use the servers will be blocked too. If you use an extended ACL, you can limit access by source and destination as well as protocol. This will require you to think carefully, though, about what traffic you want to allow access. The placement order of your access entries will have to be considered so that you can not only allow:
- a single subnet for management (subnet, protocols used)
- allow for server access by users (subnets, protocols)
- deny all other traffic
Let us know if you have additional questions.
Cordially,
Ronnie Wong
Edutainer Manager, ITProTV
*If the post above has answered the question, please mark as solved.
**All "answers" and responses are offered "as is" and my opinion. There is no implied service, support, or guarantee by ITProTV.
-
Thanks @Ronnie-Wong, just watching the section on extended ACLs now! All I need to do now, is work out what ports and protocols to expose to users so they can log on, have policies applied and all that other good stuff.
-
Right on! Remember to take the time to work it out logically on paper. Work your ACEs (Access Control Entries) from the most specific to the most general (top to bottom, in order).
Cordially,
Ronnie Wong
Edutainer Manager, ITProTV
*If the post above has answered the question, please mark as solved.
**All "answers" and responses are offered "as is" and my opinion. There is no implied service, support, or guarantee by ITProTV.
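As an added illustration of both of Ronnie's replies (a standard ACL beside the extended ACL it should become, with management, user access and the catch-all deny ordered from most specific to most general), here is what the configuration would look like on a Cisco IOS layer 3 switch. This is not code from the thread or from ITProTV; the VLAN numbers, addresses, the quarantined host and the set of services (web plus Active Directory logon ports) are assumptions chosen for the example.

```cisco
! Added example, not from the thread. Assumed layout (constructed):
!   Vlan20  10.20.0.0/24  server VLAN being protected
!   Vlan99  10.99.0.0/24  admin workstations (allowed to manage servers)
!   Vlan10  10.10.0.0/24  ordinary users (allowed to use, not manage, servers)
!
! --- What NOT to do: a standard ACL matches on source address only -------
! This admits the admin subnet and, through the implicit deny at the end,
! silently blocks the user subnet from every server service as well.
access-list 10 permit 10.99.0.0 0.0.0.255
!
! --- Extended ACL: source, destination and protocol/port -----------------
! Entries are tried top to bottom and the first match wins, so the most
! specific entries go first and the catch-all deny goes last.
ip access-list extended TO-SERVERS
 remark 1. Specific exception (assumed quarantined host) before the general user permits
 deny   ip host 10.10.0.50 10.20.0.0 0.0.0.255 log
 remark 2. Management protocols only from the admin subnet
 permit tcp 10.99.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 22
 permit tcp 10.99.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 3389
 permit icmp 10.99.0.0 0.0.0.255 10.20.0.0 0.0.0.255 echo
 remark 3. Services users need (assumed here: HTTPS, DNS, AD domain logon)
 permit tcp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 443
 permit udp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 53
 permit tcp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 53
 permit udp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 88
 permit tcp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 88
 permit udp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 389
 permit tcp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 389
 permit tcp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 445
 permit tcp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 135
 remark    The RPC endpoint mapper (135) hands out dynamic ports (49152-65535)
 remark    that domain logon and policy processing also use; permit that range
 remark    or the static RPC ports you pin on the domain controllers
 remark 4. Replies to TCP connections the servers themselves opened
 permit tcp any 10.20.0.0 0.0.0.255 established
 remark 5. Everything else. The deny is implicit anyway, but writing it with
 remark    log gives you hit counters and syslog entries for what you missed
 deny   ip any any log
!
! Apply it where traffic enters the server VLAN from the router's point of
! view: outbound on the server SVI. Frames between two hosts inside Vlan20
! never cross the SVI, so server-to-server traffic on the same VLAN is not
! filtered by this ACL (that would need a VLAN access map / VACL).
interface Vlan20
 description Server VLAN
 ip address 10.20.0.1 255.255.255.0
 ip access-group TO-SERVERS out
!
! Verify the placement, then watch the counters while testing from each subnet:
!   show ip interface Vlan20          (should list "Outgoing access list is TO-SERVERS")
!   show access-lists TO-SERVERS      (per-ACE match counts)
!   show logging | include TO-SERVERS (hits on the logged deny)
```

Two things to keep in mind when adapting this: the `established` entry only checks TCP flags, so it is a convenience for return traffic rather than stateful inspection, and a named IOS ACL is evaluated strictly in the order shown, so if the quarantined-host deny were moved below the user permits it would never match. Build the list on paper first, as Ronnie says, then confirm each row with the hit counters from `show access-lists` before removing the `log` keyword from the final deny.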