static ACL question - block traffic vlan1 to vlan2 with exceptions

Create Date: Jul 24 2013 3:10PM

I have two VLANs, both with VRRP enabled, that share the same default gateway (the firewall).

VLAN1 - not allowed to access VLAN2 (with the exception of the DNS server and the default GW)
VLAN2 - no restrictions towards VLAN1


policy:

entry VLAN1-to-VLAN2-GW {
    if {
        source-address 10.99.35.0/24 ;
        destination-address 10.99.36.254/24 ;
    } then {
        permit ;
    }
}

entry VLAN1-to-VLAN2-DNS {
    if {
        source-address 10.99.35.0/24 ;
        destination-address 10.99.36.101/24 ;
        protocol tcp ;
        source-port 53 ;
        protocol udp ;
        source-port 53 ;
    } then {
        permit ;
    }
}

entry VLAN1-to-VLAN2-OTHER {
    if {
        source-address 10.99.35.0/24 ;
        destination-address 10.99.36.0/24 ;
    } then {
        deny ;
    }
}


The policy check was successful.
I added this ACL/policy to a port (egress) with a laptop connected to that port (VLAN1 - 10.99.35.105), but I can still access all servers in VLAN2.

Can you please check whether I am overlooking something? XOS ACLs are pretty new to me.
(from LNU)
EtherNation User, Employee
Create Date: Jul 25 2013 12:05PM

You could try something like this:

# Host entries use a /32 mask; a /24 mask on 10.99.36.254 would match the
# whole 10.99.36.0/24 network and permit everything before the deny is reached.
entry VLAN1-to-VLAN2-GW {
if match all {
    source-address 10.99.35.0/24 ;
    destination-address 10.99.36.254/32 ;
}
then {
    permit ;
    count VL1-VL2-GW ;
}
}
# DNS queries sent by VLAN1 clients carry destination port 53 (the source port
# is ephemeral), so match on destination-port. One entry cannot carry two
# protocol conditions, hence one entry for UDP and one for TCP.
entry VLAN1-to-VLAN2-DNS-UDP {
if match all {
    source-address 10.99.35.0/24 ;
    destination-address 10.99.36.101/32 ;
    protocol udp ;
    destination-port 53 ;
}
then {
    permit ;
    count VL1-VL2-DNS-UDP ;
}
}
entry VLAN1-to-VLAN2-DNS-TCP {
if match all {
    source-address 10.99.35.0/24 ;
    destination-address 10.99.36.101/32 ;
    protocol tcp ;
    destination-port 53 ;
}
then {
    permit ;
    count VL1-VL2-DNS-TCP ;
}
}
entry VLAN2 {
if match all {
    source-address 10.99.36.0/24 ;
}
then {
    permit ;
    count VL2 ;
}
}
# Catch-all: every packet not matched above is dropped and counted.
entry EverythingElse {
if match all {
}
then {
    deny ;
    count Deny ;
}
}

With "show access-list counter" you can see the packets hitting a specific rule.
Configure the ACL on the ingress port (where your laptop is connected).
(from Marjan_Rancic)
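To see why the original policy lets the laptop reach every VLAN2 server, and what the corrected entries change, here is an added example that is not part of this thread and not EXOS code: a small Python model of first-match ingress ACL evaluation (entries tested top to bottom, first match decides, no match means permit). The ORIGINAL list reproduces the question's policy as written (its tcp/udp pair is modelled as udp only, since one entry cannot carry two protocols); CORRECTED uses /32 host masks and destination-port 53 for DNS as in the reply above, but scopes the final deny to VLAN2 destinations instead of denying everything, and BLANKET swaps that for a catch-all deny so the difference is visible. The laptop address, server addresses and the sample packets are constructed from the thread; the file-server address 10.99.36.10 and the internet address 203.0.113.7 are assumptions.

```python
"""Model first-match ingress ACL evaluation for the policies in this thread.

Added example (not EXOS code and not from the thread): entries are tested
top to bottom, the first match decides, and a packet that matches nothing
is permitted, which is how an ACL without a final deny behaves.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "tcp", "udp", or "ip" (no L4 header)
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    name: str
    action: str                  # "permit" or "deny"
    src: Optional[str] = None    # CIDR; None means any
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # strict=False mirrors the switch: a host address with a /24 mask
        # (10.99.36.254/24) is treated as the whole 10.99.36.0/24 network.
        if self.src and ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def evaluate(policy: List[Entry], p: Packet) -> Tuple[str, str]:
    """Return (action, entry name) of the first matching entry."""
    for e in policy:
        if e.matches(p):
            return e.action, e.name
    return "permit", "<no match>"


# The question's policy as written (its tcp/udp pair modelled as udp only).
ORIGINAL = [
    Entry("VLAN1-to-VLAN2-GW", "permit", src="10.99.35.0/24", dst="10.99.36.254/24"),
    Entry("VLAN1-to-VLAN2-DNS", "permit", src="10.99.35.0/24", dst="10.99.36.101/24",
          proto="udp", sport=53),
    Entry("VLAN1-to-VLAN2-OTHER", "deny", src="10.99.35.0/24", dst="10.99.36.0/24"),
]

# Host masks, DNS matched on destination port, final deny scoped to VLAN2 so
# that traffic leaving VLAN1 for anywhere else is untouched.
CORRECTED = [
    Entry("VLAN1-to-VLAN2-GW", "permit", src="10.99.35.0/24", dst="10.99.36.254/32"),
    Entry("VLAN1-to-VLAN2-DNS-UDP", "permit", src="10.99.35.0/24", dst="10.99.36.101/32",
          proto="udp", dport=53),
    Entry("VLAN1-to-VLAN2-DNS-TCP", "permit", src="10.99.35.0/24", dst="10.99.36.101/32",
          proto="tcp", dport=53),
    Entry("VLAN1-to-VLAN2-OTHER", "deny", src="10.99.35.0/24", dst="10.99.36.0/24"),
]

# Same permits, but a catch-all deny (empty match) at the end, as in the reply.
BLANKET = CORRECTED[:-1] + [Entry("EverythingElse", "deny")]

# Constructed packets from the laptop (10.99.35.105) on its VLAN1 ingress port.
# 10.99.36.10 (a VLAN2 server) and 203.0.113.7 (internet) are assumed addresses.
LAPTOP = "10.99.35.105"
PACKETS = {
    "to_gateway":  Packet(LAPTOP, "10.99.36.254"),
    "dns_query":   Packet(LAPTOP, "10.99.36.101", "udp", sport=51234, dport=53),
    "file_server": Packet(LAPTOP, "10.99.36.10", "tcp", sport=51235, dport=445),
    "internet":    Packet(LAPTOP, "203.0.113.7", "tcp", sport=51236, dport=443),
}


def decisions(policy: List[Entry]) -> Dict[str, Tuple[str, str]]:
    """Map each sample packet to the action and the entry that decided it."""
    return {name: evaluate(policy, p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL), ("corrected", CORRECTED), ("blanket", BLANKET)):
        print(label)
        for name, (action, entry) in decisions(policy).items():
            print(f"  {name:12s} {action:6s} by {entry}")
```

Running it shows the symptom from the question: under ORIGINAL the file-server packet is permitted by VLAN1-to-VLAN2-GW, because 10.99.36.254/24 covers all of 10.99.36.0/24 and the deny entry is never reached. Under CORRECTED the DNS query is permitted by the UDP entry, the file-server packet is denied, and the internet-bound packet is left alone; under BLANKET that same internet-bound packet is dropped by EverythingElse, which is worth checking with "show access-list counter" before blaming the permit entries.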
EtherNation User, Employee
Create Date: Jul 26 2013 11:14AM

Thanks, but it's not working.

If the permit entries match, everything is permitted.
If I add "deny all other" and the permit entries match, everything is denied.
(from LNU)
Frank
Try this part:

...
entry EverythingElse {
  if match all {
    source-address 0.0.0.0/0;
  }
  then {
    deny  ;
    count Deny;
  }
}

I just finished fighting a similar issue. Without specifying "source anywhere", it denies everything.

In my case I have multiple VLANs where I want to allow routing all VLANs to/from one particular special VLAN, but I do not want to route traffic between the "normal" VLANs.

I'll start a thread on that...
Tamera Rousseau-Vesta, Extreme Alumna
User had an additional question. Please reference the new topic here: I have multiple VLANs where I want to allow routing all VLANs to/from one particu...
