This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ACL operation to stop client vlans routing to each other within a VR though still have access to P2pL inks and access to teh firewall

ACL operation to stop client vlans routing to each other within a VR though still have access to P2pL inks and access to teh firewall

Go to solution
Rod_Robertson
New Contributor III

‎12-18-2020 10:27 AM

 

I have a requiremment :

The server vlans with a VR with enable forwarding configured, should not be able to communicate with each other, though as this is  VR there are a number of P2p network through the infrastructure , to get this VR to the firewall where , the FW acts as the extrenal router and access to other FW and other Vr’s , and ultimatly the internet , for all the configured vlans within the VR.

 MY first though is to create an  ACL that is basically for the vlans I do not want to communicate with each other , if the network is not listed in this ACL they should still be able to access each other

 

Entry Deny_ VlanA_B {

if{

source-address 192.168.20.0/16;

destination-address 192.168.30.0/24;

}

Then {

deny ;

count Deny_VlanA_B ;

]

}

Of course then add the other client vlans in this VR..

 

Assuming this is correct , I have no hardware to test untill I get to site ( remotly )

1 . is the proposed acl correct for what I want to achieve ?

  1. Do I need a return statement ? ie the other way round from B to A
  2. Is this acl added to the VR as configure access-list xxx any ingress
  3.  Or is thsi a global ie VR-default command.

 

 

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Stefan_K_
Valued Contributor

‎12-18-2020 10:36 AM

Hi,

are you sure that you mean 192.168.20.0/16? I think it should be /24, otherwise… well… 🙂  

  1. Yes, imo this is correct.
  2. I would also block the other way round. With your ACL 192.168.30.0/24 could send packets to 192.168.20.0/24, but the reply packets would be blocked. 
  3. This ACL needs to be configured to interface (port or vlan): configure access-list ACLNAME [port|vlan] [ingress|egress]

Regards

Stefan

View solution in original post

0 Kudos
2 REPLIES 2

Go to solution
Rod_Robertson
New Contributor III

‎12-18-2020 11:05 AM

Stefan

oopps yest its a /24 …

 

Thanks for the confirmation , I been doing extreme for a nunber of years , though in the clients I look after acl , like thsi do not normally come about hense the question, thanks for the prompt response..

0 Kudos

Go to solution
Stefan_K_
Valued Contributor

‎12-18-2020 10:36 AM

Hi,

are you sure that you mean 192.168.20.0/16? I think it should be /24, otherwise… well… 🙂  

  1. Yes, imo this is correct.
  2. I would also block the other way round. With your ACL 192.168.30.0/24 could send packets to 192.168.20.0/24, but the reply packets would be blocked. 
  3. This ACL needs to be configured to interface (port or vlan): configure access-list ACLNAME [port|vlan] [ingress|egress]

Regards

Stefan

0 Kudos
GTM-P2G8KFN