I'm developing an ACL to allow guest use of certain resources on my network. In the end, the guest network will be its own subnet, so I want to apply this ACL at the VLAN level. I've got the ACL working at the port level, but when I apply it to the VLAN nothing works...
Where might I be messing this up?
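# Guest-network ACL (10.0.99.0/24 is the guest subnet).
#
# Entries are evaluated top-down and the first matching entry decides
# (EXOS policy-file semantics - confirm for your platform), so the order
# below is part of the policy: host exceptions first, subnet-wide denies
# next, broad permits after them, explicit deny-all last.
#
# Change from the earlier revision: "allowvncmgmt" used to sit above the
# internal web denies and matched on TCP *source* port only. Since a
# client chooses its own source port, any guest host could set source
# port 5900-5910 and be permitted to tcp/80 and tcp/443 on every private
# range below. It now sits after those denies and is limited to
# unprivileged destination ports (the ephemeral port a VNC client would
# use), which is all a stateless return-traffic permit needs.

# Two guest-range hosts are exempt from every deny that follows,
# including both SSH denies.
entry allowswitchcom {
    if {
        source-address 10.0.99.200/32;
    } then {
        permit;
    }
}
entry allowswitchcom2 {
    if {
        source-address 10.0.99.254/32;
    } then {
        permit;
    }
}

# The rest of the guest subnet may not reach those two hosts at all.
entry denyswitch {
    if {
        source-address 10.0.99.0/24;
        destination-address 10.0.99.200/32;
    } then {
        deny;
    }
}
entry denyswitch2 {
    if {
        source-address 10.0.99.0/24;
        destination-address 10.0.99.254/32;
    } then {
        deny;
    }
}

# No SSH originating from the guest subnet, to any destination.
entry denylocalssh {
    if {
        source-address 10.0.99.0/24;
        protocol tcp;
        destination-port 22;
    } then {
        deny;
    }
}

# NOTE: despite the "mgmt" name this is a deny - no SSH *into* the guest
# subnet from anywhere, except from the two hosts permitted above.
entry sshmgmt {
    if {
        destination-address 10.0.99.0/24;
        protocol tcp;
        destination-port 22;
    } then {
        deny;
    }
}

# Everything else that stays within the guest subnet is permitted. This
# precedes the internal web denies, so guest-to-guest tcp/80 and tcp/443
# are allowed.
entry allowmakerlab {
    if {
        source-address 10.0.99.0/24;
        destination-address 10.0.99.0/24;
    } then {
        permit;
    }
}

# Basic UDP services, any source to any destination. Note that DNS and
# NTP are permitted towards any server, not only the local resolvers.
entry allowdhcp {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 67-68;
    } then {
        permit;
    }
}
entry allowdns {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 53;
    } then {
        permit;
    }
}
entry allowntp {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 123;
    } then {
        permit;
    }
}

# Guest subnet to 10.0.66.220 on unprivileged TCP ports only (80/443 on
# that host are therefore still caught by the denies below).
entry allowwinlogon {
    if {
        source-address 10.0.99.0/24;
        destination-address 10.0.66.220/32;
        protocol tcp;
        destination-port > 1024;
    } then {
        permit;
    }
}

# Printer access is disabled; "*printerIP" is a placeholder, not a valid
# address, so these entries must stay commented out until it is filled in.
#entry allowprint515 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 515;
# } then {
# permit;}
#}
#entry allowprint631 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 631;
# } then {
# permit;}
#}
#entry allowprint9100 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 9100;
# } then {
# permit;}
#}

# Web traffic to all RFC 1918 space is denied before the general web
# permits below. Only tcp/80 and tcp/443 are listed here; other ports
# towards these ranges fall through to denyall.
entry denyHTTPinternal10 {
    if {
        destination-address 10.0.0.0/8;
        protocol tcp;
        destination-port 80;
    } then {
        deny;
    }
}
entry denyHTTPinternal192 {
    if {
        destination-address 192.168.0.0/16;
        protocol tcp;
        destination-port 80;
    } then {
        deny;
    }
}
entry denyHTTPinternal172 {
    if {
        destination-address 172.16.0.0/12;
        protocol tcp;
        destination-port 80;
    } then {
        deny;
    }
}
entry denyHTTPsinternal10 {
    if {
        destination-address 10.0.0.0/8;
        protocol tcp;
        destination-port 443;
    } then {
        deny;
    }
}
entry denyHTTPsinternal192 {
    if {
        destination-address 192.168.0.0/16;
        protocol tcp;
        destination-port 443;
    } then {
        deny;
    }
}
entry denyHTTPsinternal172 {
    if {
        destination-address 172.16.0.0/12;
        protocol tcp;
        destination-port 443;
    } then {
        deny;
    }
}

# Return traffic from VNC servers (source port 5900-5910) back to the
# managing client's ephemeral port. The ACL is stateless, so this permit
# is what lets the reply half of a VNC session through.
#
# Matching on source port alone is weak: any host can pick that source
# port. Placing this entry after the internal web denies and requiring an
# unprivileged destination port closes the obvious bypass; to tighten it
# further, add a destination-address for the management host(s), e.g.
# "destination-address <MGMT-SUBNET>/<MASK>;" (value not known from this
# file).
entry allowvncmgmt {
    if {
        source-address 0.0.0.0/0;
        protocol tcp;
        source-port 5900-5910;
        destination-port > 1024;
    } then {
        permit;
    }
}

# Whatever has not been denied above may reach tcp/80 and tcp/443, i.e.
# non-private destinations.
entry allowhttpinternet {
    if {
        protocol tcp;
        destination-port 80;
    } then {
        permit;
    }
}
entry allowhttpsinternet {
    if {
        protocol tcp;
        destination-port 443;
    } then {
        permit;
    }
}

# Keep this as the final entry: anything not matched earlier is dropped
# here rather than relying on the platform's default action.
entry denyall {
    if {
        source-address 0.0.0.0/0;
    } then {
        deny;
    }
}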