12-18-2020 10:27 AM
I have a requirement:
The server VLANs with a VR (with forwarding enabled) configured should not be able to communicate with each other, though as this is a VR there are a number of P2P networks through the infrastructure to get this VR to the firewall, where the FW acts as the external router and gives access to other FWs and other VRs, and ultimately the internet, for all the configured VLANs within the VR.
My first thought is to create an ACL that is basically for the VLANs I do not want to communicate with each other; if the network is not listed in this ACL they should still be able to access each other:
entry Deny_VlanA_B {
    if {
        source-address 192.168.20.0/16;
        destination-address 192.168.30.0/24;
    }
    then {
        deny;
        count Deny_VlanA_B;
    }
}
Of course then add the other client VLANs in this VR..
Assuming this is correct, I have no hardware to test until I get to site (remotely).
1. Is the proposed ACL correct for what I want to achieve?
- Do I need a return statement? i.e. the other way round from B to A
- Is this ACL added to the VR as configure access-list xxx any ingress
- Or is this a global, i.e. VR-default, command?
12-18-2020 10:36 AM
Hi,
Are you sure that you mean 192.168.20.0/16? I think it should be /24, otherwise… well… 🙂
- Yes, imo this is correct.
- I would also block the other way round. With your ACL 192.168.30.0/24 could send packets to 192.168.20.0/24, but the reply packets would be blocked.
- This ACL needs to be configured to interface (port or vlan): configure access-list ACLNAME [port|vlan] [ingress|egress]
Regards
Stefan
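To make the two points raised in the question and this answer concrete (the /16 typo and the need for a deny in both directions), here is an added Python model of stateless, first-match ACL evaluation with an implicit permit at the end. It is a constructed example written for this page, not EXOS code and not anything posted in the thread; the entry names, the host addresses, the unlisted "VLAN C" and the render_policy helper are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Entry:
    """One ACL entry: a source/destination prefix pair and an action."""
    name: str
    source: str       # CIDR, e.g. "192.168.20.0/24"
    destination: str  # CIDR
    action: str       # "deny" or "permit"

    def matches(self, src, dst):
        # strict=False mirrors a device accepting 192.168.20.0/16 and
        # treating it as 192.168.0.0/16 (host bits ignored)
        return (ip_address(src) in ip_network(self.source, strict=False)
                and ip_address(dst) in ip_network(self.destination, strict=False))


def evaluate(policy, src, dst):
    """First matching entry decides; no match means implicit permit."""
    for entry in policy:
        if entry.matches(src, dst):
            return entry.action, entry.name
    return "permit", "implicit"


def flow_allowed(policy, client, server):
    """A stateless ACL sees request and reply as independent packets,
    so a conversation only works if both directions are permitted."""
    forward, _ = evaluate(policy, client, server)
    reverse, _ = evaluate(policy, server, client)
    return forward == "permit" and reverse == "permit"


def render_policy(policy):
    """Render entries in EXOS-style policy-file syntax (assumed layout)."""
    lines = []
    for e in policy:
        lines += [
            f"entry {e.name} {{",
            "    if {",
            f"        source-address {e.source};",
            f"        destination-address {e.destination};",
            "    }",
            "    then {",
            f"        {e.action};",
            f"        count {e.name};",
            "    }",
            "}",
        ]
    return "\n".join(lines) + "\n"


# Constructed policies for VLAN A (192.168.20.0/24) and VLAN B (192.168.30.0/24)
ONE_WAY = [Entry("Deny_VlanA_B", "192.168.20.0/24", "192.168.30.0/24", "deny")]
BOTH_WAYS = ONE_WAY + [
    Entry("Deny_VlanB_A", "192.168.30.0/24", "192.168.20.0/24", "deny"),
]
# The /16 typo from the question, kept to show how far it overmatches
TYPO_16 = [Entry("Deny_VlanA_B", "192.168.20.0/16", "192.168.30.0/24", "deny")]

# Constructed hosts: A_HOST in VLAN A, B_HOST in VLAN B, C_HOST in an unlisted VLAN
A_HOST, B_HOST, C_HOST = "192.168.20.10", "192.168.30.10", "192.168.40.10"

if __name__ == "__main__":
    print("one-way, B->A request:", evaluate(ONE_WAY, B_HOST, A_HOST))
    print("one-way, A->B reply:  ", evaluate(ONE_WAY, A_HOST, B_HOST))
    print("one-way conversation works:", flow_allowed(ONE_WAY, B_HOST, A_HOST))
    print("both-way conversation works:", flow_allowed(BOTH_WAYS, B_HOST, A_HOST))
    print("unlisted VLAN C -> A still works:", flow_allowed(BOTH_WAYS, C_HOST, A_HOST))
    print("/16 typo also hits C->B:", evaluate(TYPO_16, C_HOST, B_HOST))
    print(render_policy(BOTH_WAYS))
```

Running it shows the one-way policy letting a B host send to A while the A-side reply is dropped, the two-way policy blocking the pair cleanly while an unlisted VLAN still reaches A, and the /16 entry also catching traffic from VLANs that were never meant to be in the ACL. The rendered policy is applied per VLAN with the form given above, configure access-list ACLNAME vlan VLANNAME ingress, and the count action on each entry gives hit counters to confirm the matches once the policy is live on site.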
12-18-2020 11:05 AM
Stefan
Oops, yes it's a /24 …
Thanks for the confirmation. I've been doing Extreme for a number of years, though in the clients I look after ACLs like this do not normally come about, hence the question. Thanks for the prompt response..