May 29, 2011 2 Comments
How to protect a OOB Management VLAN from access, or protect a VLAN from being directly plugged into by a switch from another VLAN (with another subnet, or another DHCP server)
Now some of this is still under testing, but I feel that I have pretty much mastered the art of ACLs to protect a VLAN such as one used to manage a bunch of devices such as routers, switches, firewalls, UPS, environmental monitors, or just traffic that you would rather not see have access to a VLAN or devices plugged into a Procurve switch.
Now, it is a best practise network wise to use ACLs to block traffic at the source. So this may seem a little backwords, but I want to use this ACL as a last line of defence to block traffic on the port as it leaves out of the vlan to the device. So we will be using the “out” and not the “in” for the first part.
Another important thing to remember to about ACLs, is that if you do not list a permit or deny statement anything not on the list will be blocked. So as a best practise I will only list those IP addresses that need access. Also you have the option of using an extended or a standard ACL list. Again I will keep this simple, if you want more flexability to block only certain protocols or even access to only a portion of a subnet then you should look into extended ACLs, for this exercise we will only be permiting source IP addresses (all protocols) using a standard ACL.
Note: these ACLs are considered RACLs, and are only applied if IP Routing is enabled on the switch (Layer 3), if this is just a Layer 2 switch then you may want to try a VACL instead. I will probably post information on a VLAN ACL later, but it controls all traffic entering a switch from a particular VLAN. So with that said I’m assuming you will be using a Layer 3 enabled switch for this exercise.
Here is the ACL I will create for access to devices on my Out Of Band (OOB) Mangement Interfaces on my devices:
ip access-list standard "OOB-Access-out" 1 remark "OOB subnet" 2 permit 192.168.0.0 0.0.0.255 10 remark "NPM System" 11 permit host 192.168.13.64 20 remark "IT Department" 21 permit 192.168.82.0 0.0.0.255 30 remark "Managemnet Workstation" 31 permit host 192.168.12.54
Now the “Out” part means as the packet leaves out a port on the switch it will be applied. This can mean a number of things but again it is important to keep it simple. so now and just focus on the primary goal of only allowing authorized subnets access to management devices.
Applying to your vlan is simple
vlan 6 ip access-group OOB-Access-out out
Observe I used out instead of in. In our next example I will use an “in” so that I block and avoid multinetting my vlan with unauthorised traffic.
ip access-list standard "OOB-Access-in" 1 remark "OOB subnet" 2 permit 192.168.0.0 0.0.0.255
Applying the VLAN is the same but remember the “in” instead of the out
vlan 6 ip access-group OOB-Access-in in
The above Standard ACL should only allow devices configured with an IP address 192.168.0.0/24 to access this VLAN, you may need to modify this a bit to allow other traffic, but with a little testing this could protect your network from for example someone pluging a cable in one jack for one network into the other network with another VLAN causing all sorts of strange traffic such as a DHCP handing out the wrong IP addresses.
There is a lot more you can do with ACLs, and extended ACLs offer much more, but I would recommend getting used to how standard ACLs first, then work with extended ACLs.