ACL on G2 to only allow one IP address to connect

dj_mcadams
New Contributor

I need to restrict access to my IP cameras from one IP which is 10.10.10.104/24

I have 8 IP cameras and I’m just trying to get this working with one for now. I have the following to allow it and that obviously works, but I can’t figure out the else if/else syntax. I’d like to just have the below and add else { deny;} but it doesn't work. Thoughts?

entry IPCameraACL {
    if match all {
        source-address 10.10.10.104/32 ;
        destination-address 10.10.10.52/32 ;
    } then {
        permit ;
    }
}

1 ACCEPTED SOLUTION

Stefan_K_
Valued Contributor

Greetings,

entry IPCameraACL_deny {
    if match all {
        destination-address 10.10.10.52/32 ;
    } then {
        deny;
    }
}

Make sure to also allow the other way round (from 10.10.10.52/32 to 10.10.10.104/32) with another entry before the deny entry. The switch isn’t a stateful inspection firewall.

3 REPLIES

dj_mcadams
New Contributor

I got this working using the following. The server is 10.10.16.104/32 and the network I wanted to lock down is 10.10.10.0/24, so only the server can access this network:

entry IPCameraACL_Allow
{
     if match all
     {
     source-address 10.10.16.104/32 ;
     destination-address 10.10.10.0/24 ;
     }
     then
     {
     permit;
     }
}

entry IPCameraACL_Deny
{
     if match all
     {
     destination-address 10.10.10.0/24 ;
     }
     then
     {
     deny;
     }
}
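
Added example, not part of the original posts: a small Python model of first-match evaluation for the two entries above, used to check which constructed source/destination pairs end up permitted or denied. It assumes entries are evaluated top-down with the first match winning, that a packet matching no entry is permitted, and that every sample packet passes the interface where the policy is applied.

```python
import ipaddress

# Model of the two entries from the post above: (name, source, destination, action).
# None means the entry has no condition on that field.
POLICY = [
    ("IPCameraACL_Allow", "10.10.16.104/32", "10.10.10.0/24", "permit"),
    ("IPCameraACL_Deny", None, "10.10.10.0/24", "deny"),
]

# Assumption of this model: a packet that matches no entry is permitted.
DEFAULT_ACTION = "permit"


def _in(addr, net):
    """True when there is no condition or addr falls inside net."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def evaluate(policy, src, dst):
    """Return (entry_name, action) for the first entry whose conditions all match."""
    for name, src_net, dst_net, action in policy:
        if _in(src, src_net) and _in(dst, dst_net):
            return name, action
    return None, DEFAULT_ACTION


def audit(policy, packets):
    """Evaluate each (src, dst) packet on its own; no connection state is kept."""
    return {(s, d): evaluate(policy, s, d) for s, d in packets}


# Constructed sample packets (not captured traffic).
PACKETS = [
    ("10.10.16.104", "10.10.10.52"),  # server to camera
    ("10.10.16.77", "10.10.10.52"),   # other host to camera
    ("10.10.10.52", "10.10.16.104"),  # camera reply to server
    ("10.10.10.53", "10.10.10.52"),   # camera to camera
]

if __name__ == "__main__":
    for (s, d), (entry, action) in audit(POLICY, PACKETS).items():
        print(f"{s:>13} -> {d:<13} {action:<6} ({entry or 'no entry matched'})")
    # Swapping the entries puts the deny first, so the server is blocked too.
    print(evaluate(list(reversed(POLICY)), "10.10.16.104", "10.10.10.52"))
```

Under these assumptions the deny entry also catches traffic between two hosts inside 10.10.10.0/24, while the camera's reply to the server matches neither entry.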

dj_mcadams
New Contributor

Thank you! What if I have multiple destination IPs? Do I have to drop the match all? Or do anything else? I only want 10.10.10.104/32 to be able to connect to these IPs and no other source IP.

entry IPCameraACL_deny {
    if match all {
        destination-address 10.10.10.52/32 ;
        destination-address 10.10.10.53/32 ;
        destination-address 10.10.10.54/32 ;
        destination-address 10.10.10.55/32 ;
    } then {
        deny;
    }
}
