Question about dynamic ACL

Create Date: Jul 17 2012 6:36AM

Hi experts, I want to implement ACLs at work but I have a problem. I have 3 VLANs:

vlan 4: administrative users
vlan 5: call center users
vlan 10: servers

I want to block traffic from vlan 5 to vlan 4, but I don't want to block traffic from vlan 4 to vlan 5.

I wrote 2 dynamic ACLs:

entry BlockTCP-to-172.17.4.0 {
    if {
        destination-address 172.17.4.0/24;
        protocol tcp;
    } then {
        deny true;
    }
}

entry BlockUDP-to-172.17.4.0 {
    if {
        destination-address 172.17.4.0/24;
        protocol udp;
    } then {
        deny true;
    }
}


I applied these dynamic ACLs to vlan 5, but the traffic is blocked in both directions.


Can anyone help me?


Sorry for my bad english language.


Regards


JL

(from jonatan_lezcano)
Create Date: Jul 18 2012 8:52AM

Hi johnadq,

Try this:

entry BlockTCP-to-172.17.4.0 {
    if {
        destination-address 172.17.4.0/24;
        protocol tcp;
        tcp-flags syn;
    } then {
        deny;
    }
}

--
Jarek

(from Jaroslaw_Kasjaniuk)
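Added example, not part of the thread and not code from either poster: a small Python model of a stateless ingress ACL that parses the two policies above (the original destination-only deny and the SYN-only deny) and evaluates them against constructed packets entering VLAN 5. It shows why the original entry also drops the SYN-ACK and data packets that VLAN 5 hosts send back on connections VLAN 4 opened, and why matching only the initial SYN leaves those replies alone. Everything not stated on the page is an assumption: VLAN 5 uses 172.17.5.0/24, the first matching entry wins, a packet that matches no entry is permitted, and `tcp-flags syn` is modelled as "SYN set and ACK clear".

```python
# Added example (not from this thread): a toy stateless ingress ACL, used to
# show why "deny tcp to 172.17.4.0/24" on VLAN 5 also breaks connections that
# VLAN 4 opened, while denying only the initial SYN does not. Assumptions:
# VLAN 5 is 172.17.5.0/24, the policy sees packets entering VLAN 5, the first
# matching entry wins, no match means permit, and "tcp-flags syn" means SYN
# set with ACK clear (check your platform's documentation for the real rule).
import ipaddress
import re
from dataclasses import dataclass, field

POLICY_ORIGINAL = """
entry BlockTCP-to-172.17.4.0 {
    if {
        destination-address 172.17.4.0/24;
        protocol tcp;
    } then {
        deny;
    }
}
"""
POLICY_SYN_ONLY = """
entry BlockTCP-SYN-to-172.17.4.0 {
    if {
        destination-address 172.17.4.0/24;
        protocol tcp;
        tcp-flags syn;
    } then {
        deny;
    }
}
"""
ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    flags: frozenset = field(default_factory=frozenset)  # TCP flags that are set

def parse_policy(text):
    """Turn policy text into a list of (name, conditions, action) tuples."""
    entries = []
    for name, conds_text, action_text in ENTRY_RE.findall(text):
        conds = {}
        for stmt in conds_text.split(";"):
            stmt = stmt.strip()
            if stmt:
                key, _, value = stmt.partition(" ")
                conds[key] = value.strip()
        entries.append((name, conds, action_text.strip().rstrip(";")))
    return entries

def matches(conds, pkt):
    """True if every condition of one entry holds for the packet."""
    for key, value in conds.items():
        if key in ("destination-address", "source-address"):
            addr = pkt.dst if key == "destination-address" else pkt.src
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(value):
                return False
        elif key == "protocol":
            if pkt.proto != value:
                return False
        elif key == "tcp-flags":
            # Assumed semantics: "syn" is a connection request (SYN without ACK),
            # "syn_ack" is the second handshake packet (both flags set).
            if value == "syn":
                ok = "syn" in pkt.flags and "ack" not in pkt.flags
            elif value == "syn_ack":
                ok = {"syn", "ack"} <= pkt.flags
            else:
                raise ValueError(f"unsupported tcp-flags value: {value}")
            if not ok:
                return False
        else:
            raise ValueError(f"unsupported match keyword: {key}")
    return True

def evaluate(policy_text, pkt):
    """First matching entry decides; no match means permit (assumed default)."""
    for _name, conds, action in parse_policy(policy_text):
        if matches(conds, pkt):
            return action
    return "permit"

# Constructed packets, all entering the switch on VLAN 5 where the ACL is bound.
PACKETS = {
    # VLAN 5 host opens a connection to VLAN 4: should be denied.
    "5to4_syn": Packet("172.17.5.10", "172.17.4.20", "tcp", frozenset({"syn"})),
    # VLAN 5 host answers a connection that VLAN 4 opened: must pass.
    "5to4_synack": Packet("172.17.5.10", "172.17.4.20", "tcp", frozenset({"syn", "ack"})),
    # Data on that established connection: must pass.
    "5to4_ack": Packet("172.17.5.10", "172.17.4.20", "tcp", frozenset({"ack"})),
}

def verdicts(policy_text):
    return {name: evaluate(policy_text, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, policy in (("original", POLICY_ORIGINAL), ("syn-only", POLICY_SYN_ONLY)):
        print(label, verdicts(policy))
```

Two checks worth doing before relying on this on real hardware. First, confirm how your platform interprets `tcp-flags syn`: if it matches any packet with SYN set, the SYN-ACK reply is dropped too and the fix does not help. Second, the SYN trick only exists for TCP; a stateless ACL cannot tell a UDP reply from a UDP request, so the `BlockUDP-to-172.17.4.0` entry from the question will also drop replies to queries that vlan 4 hosts send into vlan 5 unless it is narrowed to the destination ports vlan 4 actually serves.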
Create Date: Jul 18 2012 3:58PM

Why don't you just go ahead and disable ipforwarding between the VLANs?

di ipforwarding <vlan name>

(from Arpit_Bhatt)