Layer 3 switching and ACLs

Adam Tyler

Hello ITPro! So I've got that CCNA and I am starting to put some of my knowledge into practice. Purchased an older layer 3 Cisco switch off ebay and reached out to my "go to" VAR to get a recent build of firmware. Enabled a couple of VLAN interfaces and set out to do some network segregation and lock down ports between VLANs.

I spent the better part of 2 hours just trying to configure ACLs to allow me to join a Windows workstation to a domain with the domain controller sitting on a different VLAN. Wow, that was a little tougher than I expected. At the bottom of this post is my current ACL config.

Question 1: Is there no way to get the switch to respect return traffic automatically? I have played with reflect NAT on a full router a few times, but it seems that is dedicated more for instances where you have a WAN/LAN setup to the public internet.

Question 2: I just saw a post on ITPro about switches only supporting inbound ACLs? Is that true. The cli sure allows you to attach and "in" and "out" ACL to an interface, I just wanted to confirm.

Question 3: Is there a better way!? Any way to create groups of ports or do ACLs just get massive?

Lab setup:
Server Network: 192.168.99.20/24  <-----  This network is connected to a UTM firewall device and routed to the Cisco switch, this VLAN does not exist directly on the switch.  There is not port blocking on the UTM, wide open.  Routing works prior to implementing Cisco ACLs.

Workstation Network: 192.168.95.0/27

Domain controller(s): 192.168.99.20 and 192.168.99.22

interface vlan 5: 192.168.95.1 255.255.255.224
interface vlan 1: 192.168.98.1 255.255.255.0 <-----  Connected to the network which routes between UTM and switch.  GW address to UTM is 192.168.98.1

ACL config that allowed me to successfully join workstations to the domain and connect to SYSVOL folder via Windows Explorer.

ip access-list extended VLAN1inbound
 permit ip host 192.168.99.21 host 192.168.95.2 log
 permit ip host 192.168.95.2 host 192.168.98.21 log
 permit tcp 192.168.98.0 0.0.0.255 192.168.95.0 0.0.0.31 eq 3389
 permit ospf any any
 permit icmp any 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq domain 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq domain 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq domain 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq domain 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 389 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq 389 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 636 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq ntp 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 88 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq 88 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 42 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq nameserver 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 445 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 139 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq netbios-ss 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 135 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 137 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq netbios-ns 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 389 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq 389 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 636 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq ntp 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 88 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq 88 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 42 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq nameserver 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 445 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 139 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 range 1025 5000 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 range 49152 65535 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq netbios-ss 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 135 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 137 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq netbios-ns 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 range 1025 5000 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 range 49152 65535 192.168.95.0 0.0.0.31
 deny   ip 192.168.0.0 0.0.255.255 192.168.95.0 0.0.0.31 log
 permit ip any any

ip access-list extended VLAN6inbound
 permit ip host 192.168.99.21 host 192.168.95.2 log
 permit ip host 192.168.95.2 host 192.168.98.21 log
 permit tcp 192.168.95.0 0.0.0.31 eq 3389 192.168.98.0 0.0.0.255
 permit udp any host 192.168.99.20 eq domain
 permit tcp any host 192.168.99.20 eq domain
 permit udp any host 192.168.99.22 eq domain
 permit tcp any host 192.168.99.22 eq domain
 permit tcp any host 192.168.99.20 eq 389
 permit udp any host 192.168.99.20 eq 389
 permit tcp any host 192.168.99.20 eq 636
 permit udp any host 192.168.99.20 eq ntp
 permit tcp any host 192.168.99.20 eq 88
 permit udp any host 192.168.99.20 eq 88
 permit tcp any host 192.168.99.20 eq 42
 permit udp any host 192.168.99.20 eq nameserver
 permit tcp any host 192.168.99.20 eq 445
 permit tcp any host 192.168.99.20 eq 139
 permit udp any host 192.168.99.20 eq netbios-ss
 permit tcp any host 192.168.99.20 eq 135
 permit tcp any host 192.168.99.20 eq 137
 permit udp any host 192.168.99.20 eq netbios-ns
 permit tcp any host 192.168.99.20 range 1025 5000
 permit tcp any host 192.168.99.20 range 49152 65535
 permit tcp any host 192.168.99.22 eq 389
 permit udp any host 192.168.99.22 eq 389
 permit tcp any host 192.168.99.22 eq 636
 permit udp any host 192.168.99.22 eq ntp
 permit tcp any host 192.168.99.22 eq 88
 permit udp any host 192.168.99.22 eq 88
 permit tcp any host 192.168.99.22 eq 42
 permit udp any host 192.168.99.22 eq nameserver
 permit tcp any host 192.168.99.22 eq 445
 permit tcp any host 192.168.99.22 eq 139
 permit udp any host 192.168.99.22 eq netbios-ss
 permit tcp any host 192.168.99.22 eq 135
 permit tcp any host 192.168.99.22 eq 137
 permit udp any host 192.168.99.22 eq netbios-ns
 permit tcp any host 192.168.99.22 range 1025 5000
 permit tcp any host 192.168.99.22 range 49152 65535
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit ip any any

Ronnie Wong

@Adam-Tyler said in Layer 3 switching and ACLs:

Hello ITPro! So I've got that CCNA and I am starting to put some of my knowledge into practice. Purchased an older layer 3 Cisco switch off ebay and reached out to my "go to" VAR to get a recent build of firmware. Enabled a couple of VLAN interfaces and set out to do some network segregation and lock down ports between VLANs.

I spent the better part of 2 hours just trying to configure ACLs to allow me to join a Windows workstation to a domain with the domain controller sitting on a different VLAN. Wow, that was a little tougher than I expected. At the bottom of this post is my current ACL config.

Question 1: Is there no way to get the switch to respect return traffic automatically? I have played with reflect NAT on a full router a few times, but it seems that is dedicated more for instances where you have a WAN/LAN setup to the public internet.

You'll have to give me an example of what you're trying to do...I'm not sure if it can or cannot. You have to remember what a switch looks at, Layer 2 data. Layer 2 data by it's nature doesn't look at stateful information. A switch only looks at what's in the Layer 2 header. But give me an example of what you mean, I may be totally answering on the wrong track here.

Question 2: I just saw a post on ITPro about switches only supporting inbound ACLs? Is that true. The cli sure allows you to attach and "in" and "out" ACL to an interface, I just wanted to confirm.

I see you're working on a layer 3 switch, so you're not actually sure if you're configuring Layer 2 ACLs or Layer 3 ACLs. I'm making an assumption that you're really creating a layer 3 ACL instead: check out this article for Layer 2 ACL info

Question 3: Is there a better way!? Any way to create groups of ports or do ACLs just get massive?

Yes. you can create Network Object Groups and Service Object Groups to work and do what you want too. Check it out here. (I like the examples here so you can see the actual configs)

Lab setup:
Server Network: 192.168.99.20/24  <-----  This network is connected to a UTM firewall device and routed to the Cisco switch, this VLAN does not exist directly on the switch.  There is not port blocking on the UTM, wide open.  Routing works prior to implementing Cisco ACLs.

Workstation Network: 192.168.95.0/27

Domain controller(s): 192.168.99.20 and 192.168.99.22

interface vlan 5: 192.168.95.1 255.255.255.224
interface vlan 1: 192.168.98.1 255.255.255.0 <-----  Connected to the network which routes between UTM and switch.  GW address to UTM is 192.168.98.1

ACL config that allowed me to successfully join workstations to the domain and connect to SYSVOL folder via Windows Explorer.

ip access-list extended VLAN1inbound
 permit ip host 192.168.99.21 host 192.168.95.2 log
 permit ip host 192.168.95.2 host 192.168.98.21 log
 permit tcp 192.168.98.0 0.0.0.255 192.168.95.0 0.0.0.31 eq 3389
 permit ospf any any
 permit icmp any 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq domain 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq domain 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq domain 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq domain 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 389 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq 389 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 636 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq ntp 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 88 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq 88 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 42 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq nameserver 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 445 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 139 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq netbios-ss 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 135 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 137 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq netbios-ns 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 389 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq 389 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 636 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq ntp 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 88 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq 88 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 42 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq nameserver 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 445 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 139 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 range 1025 5000 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 range 49152 65535 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq netbios-ss 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 135 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 137 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq netbios-ns 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 range 1025 5000 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 range 49152 65535 192.168.95.0 0.0.0.31
 deny   ip 192.168.0.0 0.0.255.255 192.168.95.0 0.0.0.31 log
 permit ip any any

ip access-list extended VLAN6inbound
 permit ip host 192.168.99.21 host 192.168.95.2 log
 permit ip host 192.168.95.2 host 192.168.98.21 log
 permit tcp 192.168.95.0 0.0.0.31 eq 3389 192.168.98.0 0.0.0.255
 permit udp any host 192.168.99.20 eq domain
 permit tcp any host 192.168.99.20 eq domain
 permit udp any host 192.168.99.22 eq domain
 permit tcp any host 192.168.99.22 eq domain
 permit tcp any host 192.168.99.20 eq 389
 permit udp any host 192.168.99.20 eq 389
 permit tcp any host 192.168.99.20 eq 636
 permit udp any host 192.168.99.20 eq ntp
 permit tcp any host 192.168.99.20 eq 88
 permit udp any host 192.168.99.20 eq 88
 permit tcp any host 192.168.99.20 eq 42
 permit udp any host 192.168.99.20 eq nameserver
 permit tcp any host 192.168.99.20 eq 445
 permit tcp any host 192.168.99.20 eq 139
 permit udp any host 192.168.99.20 eq netbios-ss
 permit tcp any host 192.168.99.20 eq 135
 permit tcp any host 192.168.99.20 eq 137
 permit udp any host 192.168.99.20 eq netbios-ns
 permit tcp any host 192.168.99.20 range 1025 5000
 permit tcp any host 192.168.99.20 range 49152 65535
 permit tcp any host 192.168.99.22 eq 389
 permit udp any host 192.168.99.22 eq 389
 permit tcp any host 192.168.99.22 eq 636
 permit udp any host 192.168.99.22 eq ntp
 permit tcp any host 192.168.99.22 eq 88
 permit udp any host 192.168.99.22 eq 88
 permit tcp any host 192.168.99.22 eq 42
 permit udp any host 192.168.99.22 eq nameserver
 permit tcp any host 192.168.99.22 eq 445
 permit tcp any host 192.168.99.22 eq 139
 permit udp any host 192.168.99.22 eq netbios-ss
 permit tcp any host 192.168.99.22 eq 135
 permit tcp any host 192.168.99.22 eq 137
 permit udp any host 192.168.99.22 eq netbios-ns
 permit tcp any host 192.168.99.22 range 1025 5000
 permit tcp any host 192.168.99.22 range 49152 65535
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit ip any any

Adam Tyler

Thanks for your reply! I guess I sort of feel like an idiot at this point. I did enable routing on this layer 3 switch and it is actively running OSPF with an edge firewall device of mine (None Cisco device). How do I tell if the access list I created is a layer 2 access list or layer 3 access list? They were all created using commands within the CCNA course on ITPro using source IP/dest IP and source Port/dest port (extended ACL). The fact that it uses IP addresses in the ACL would lead me to believe it is a layer 3 ACL.

If it is a layer 3 ACL, are there any other tricks to get it to respect return traffic? Other tools beyond reflect NAT?

Regards,
Adam Tyler

Adam Tyler

Hey Ronnie, I hadn't seen a reply as of yet and thought I would try to bring more context. Below is a basic network diagram of the lab. Below that is the relevant portions of the Cisco Catalyst config.

My original question surrounded around how to get the ACLs to respect return traffic automatically rather than having to create return ACL entries manually in this situation.

Regards,
Adam Tyler

alt text

version 15.0
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
no service password-encryption
!
hostname CAT3560G-01
!
boot-start-marker
boot-end-marker
!
!
!
username baduser privilege 15 secret 5 redacted
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
system mtu routing 1500
ip routing
no ip cef optimize neighbor resolution
ip domain-name domain.local
ip name-server 192.168.99.20
ip name-server 192.168.99.22
!
vlan internal allocation policy ascending
lldp run
!
ip ssh version 2
!
! 
interface Vlan1
 ip address 192.168.98.5 255.255.255.0
 ip access-group VLAN1inbound in
 ip ospf message-digest-key 1 md5 5ARAdmin56784576
!
interface Vlan6
 ip address 192.168.95.1 255.255.255.224
 ip access-group VLAN6inbound in
!
router ospf 1
 router-id 1.1.1.2
 area 0 authentication message-digest
 network 192.168.95.0 0.0.0.31 area 0
 network 192.168.98.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.98.1 111
!
ip access-list standard VTY-Protect
 permit 10.11.10.0 0.0.0.255
 permit 192.168.98.0 0.0.0.255
!
ip access-list extended VLAN1inbound
 permit ip host 192.168.99.21 host 192.168.95.2 log
 permit ip host 192.168.95.2 host 192.168.98.21 log
 permit tcp 192.168.98.0 0.0.0.255 192.168.95.0 0.0.0.31 eq 3389
 permit ospf any any
 permit icmp any 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq domain 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq domain 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq domain 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq domain 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 389 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq 389 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 636 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq ntp 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 88 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq 88 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 42 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq nameserver 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 445 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 139 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq netbios-ss 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 135 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 eq 137 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.20 eq netbios-ns 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 389 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq 389 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 636 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq ntp 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 88 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq 88 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 42 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq nameserver 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 445 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 139 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 range 1025 5000 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.20 range 49152 65535 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq netbios-ss 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 135 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 eq 137 192.168.95.0 0.0.0.31
 permit udp host 192.168.99.22 eq netbios-ns 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 range 1025 5000 192.168.95.0 0.0.0.31
 permit tcp host 192.168.99.22 range 49152 65535 192.168.95.0 0.0.0.31
 deny   ip 192.168.0.0 0.0.255.255 192.168.95.0 0.0.0.31 log
 permit ip any any
ip access-list extended VLAN6inbound
 permit ip host 192.168.99.21 host 192.168.95.2 log
 permit ip host 192.168.95.2 host 192.168.98.21 log
 permit tcp 192.168.95.0 0.0.0.31 eq 3389 192.168.98.0 0.0.0.255
 permit udp any host 192.168.99.20 eq domain
 permit tcp any host 192.168.99.20 eq domain
 permit udp any host 192.168.99.22 eq domain
 permit tcp any host 192.168.99.22 eq domain
 permit tcp any host 192.168.99.20 eq 389
 permit udp any host 192.168.99.20 eq 389
 permit tcp any host 192.168.99.20 eq 636
 permit udp any host 192.168.99.20 eq ntp
 permit tcp any host 192.168.99.20 eq 88
 permit udp any host 192.168.99.20 eq 88
 permit tcp any host 192.168.99.20 eq 42
 permit udp any host 192.168.99.20 eq nameserver
 permit tcp any host 192.168.99.20 eq 445
 permit tcp any host 192.168.99.20 eq 139
 permit udp any host 192.168.99.20 eq netbios-ss
 permit tcp any host 192.168.99.20 eq 135
 permit tcp any host 192.168.99.20 eq 137
 permit udp any host 192.168.99.20 eq netbios-ns
 permit tcp any host 192.168.99.20 range 1025 5000
 permit tcp any host 192.168.99.20 range 49152 65535
 permit tcp any host 192.168.99.22 eq 389
 permit udp any host 192.168.99.22 eq 389
 permit tcp any host 192.168.99.22 eq 636
 permit udp any host 192.168.99.22 eq ntp
 permit tcp any host 192.168.99.22 eq 88
 permit udp any host 192.168.99.22 eq 88
 permit tcp any host 192.168.99.22 eq 42
 permit udp any host 192.168.99.22 eq nameserver
 permit tcp any host 192.168.99.22 eq 445
 permit tcp any host 192.168.99.22 eq 139
 permit udp any host 192.168.99.22 eq netbios-ss
 permit tcp any host 192.168.99.22 eq 135
 permit tcp any host 192.168.99.22 eq 137
 permit udp any host 192.168.99.22 eq netbios-ns
 permit tcp any host 192.168.99.22 range 1025 5000
 permit tcp any host 192.168.99.22 range 49152 65535
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit ip any any
!
!
!
!
!
!
line con 0
 exec-timeout 60 0
 privilege level 15
 logging synchronous
line vty 0 4
 access-class VTY-Protect in
 exec-timeout 60 0
 privilege level 15
 logging synchronous
 transport input ssh
line vty 5 15
 access-class VTY-Protect in
 exec-timeout 60 0
 privilege level 15
 logging synchronous
 transport input ssh
!
ntp server 192.168.99.20 prefer
ntp server 192.168.99.22
end

Ronnie Wong

@Adam-Tyler,

It's been a busy, busy week.

ACLs work in the way you think but through firewalls. I don't believe ACLs working at Layer 2 do so.

On a Firewall, when you send traffic through it works based on an ACL. Then it creates a temporary ACL to allow the return traffic back through.

Adam Tyler

Thanks Ronnie. So if my AD servers in this scenario were connected directly to the VLAN1 network segment of the switch and I had a block all "in" ACL on VLAN1, the return traffic would be respected based on the VLAN6 ACL?

You mention a layer two ACL in your most recent reply.. Are these ACLs I am using on the switch not layer 3? How do you tell what you are using, I would have thought they were layer 3....?

Regards,
Adam Tyler

Ronnie Wong

@Adam-Tyler,

You'll probably have to check on the Switch IOS to see if it supports what is called reflexive ACLs.

Remember that regardless of whether the ACL is on a router or switch, both standard and extended ACLs by default are stateful. So they will not check the state. In the Router IOS if you configure it with the firewall package, they will generally support reflexive ACLS but this is on an IOS by IOS basis.

So without knowing or testing which version you're running, I would make the assumption that the ACL is checking every single packet and not the stateful information.

Adam Tyler

Thanks Ronnie. I did play with reflect nat a little bit, but all the documentation I could find appeared it was really only to be used in a LAN/WAN situation rather than internal. Here is the model/firmware build:

Switch Ports Model SW Version SW Image

1 52 WS-C3560G-48TS 15.0(2)SE10a C3560-IPSERVICESK9-M

Ronnie Wong

@Adam-Tyler,

The 3560 Layer 3 switch doesn't support CBAC, IOS FW, ZBFW, or NAT.

Ronnie Wong

With no other responses, I've marked this as solved.