ACL operation to stop client VLANs routing to each other within a VR, though still having access to P2P links and access to the firewall

Rod_Robertson
New Contributor III

 

I have a requirement:

The server VLANs, within a VR with forwarding enabled, should not be able to communicate with each other. As this is a VR there are a number of P2P networks through the infrastructure to get this VR to the firewall, where the FW acts as the external router and gives access to other FWs, other VRs and ultimately the internet, for all the configured VLANs within the VR.

My first thought is to create an ACL that basically covers the VLANs I do not want to communicate with each other; if a network is not listed in this ACL it should still be able to access the others.

 

entry Deny_VlanA_B {
    if {
        source-address 192.168.20.0/16;
        destination-address 192.168.30.0/24;
    } then {
        deny;
        count Deny_VlanA_B;
    }
}

Of course then add the other client vlans in this VR..

 

Assuming this is correct; I have no hardware to test on until I get to site (remotely).

1. Is the proposed ACL correct for what I want to achieve?

  1. Do I need a return statement, i.e. the other way round from B to A?
  2. Is this ACL added to the VR as configure access-list xxx any ingress?
  3. Or is this a global, i.e. VR-default, command?


1 ACCEPTED SOLUTION

Stefan_K_
Valued Contributor

Hi,

are you sure that you mean 192.168.20.0/16? I think it should be /24, otherwise… well… 🙂  

  1. Yes, imo this is correct.
  2. I would also block the other way round. With your ACL 192.168.30.0/24 could send packets to 192.168.20.0/24, but the reply packets would be blocked. 
  3. This ACL needs to be configured to interface (port or vlan): configure access-list ACLNAME [port|vlan] [ingress|egress]

Regards

Stefan
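A small generator for the kind of policy discussed above, added here as an example and not code from the thread or from Extreme: it emits one deny entry per ordered pair of client VLAN prefixes (so the reverse direction Stefan mentions is covered), rejects a prefix with host bits set such as the /16 typo, and ends with an explicit permit so the P2P links and firewall path stay reachable. VLAN names and prefixes are constructed values.

```python
"""Generate an EXOS-style ACL policy that denies traffic between client VLAN
subnets in both directions; the prefixes below are constructed examples."""
import ipaddress
from itertools import permutations

CLIENT_VLANS = {            # constructed example values, not the poster's site
    "vlan20": "192.168.20.0/24",
    "vlan30": "192.168.30.0/24",
    "vlan40": "192.168.40.0/24",
}

def validate_subnets(vlans):
    """Parse strictly, so a typo like 192.168.20.0/16 (host bits set) is
    rejected, and refuse overlapping prefixes, which would make an entry
    match traffic belonging to another VLAN."""
    nets = {name: ipaddress.ip_network(prefix) for name, prefix in vlans.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return nets

def build_policy(vlans):
    """One deny entry per ordered pair (so replies are blocked too), then an
    explicit permit so P2P links and the firewall path stay reachable."""
    nets = validate_subnets(vlans)
    lines = []
    for src, dst in permutations(nets, 2):
        name = f"deny_{src}_to_{dst}"
        lines += [
            f"entry {name} {{",
            "    if {",
            f"        source-address {nets[src]};",
            f"        destination-address {nets[dst]};",
            "    } then {",
            "        deny;",
            f"        count {name};",
            "    }",
            "}",
        ]
    lines += ["entry permit_rest {", "    if {", "    } then {", "        permit;", "    }", "}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_policy(CLIENT_VLANS))
```

The output is a policy file to apply to the client VLANs with the configure access-list command from the answer above; with three VLANs it contains six deny entries.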



Rod_Robertson
New Contributor III

Stefan

Oops, yes it's a /24 …

 

Thanks for the confirmation. I have been doing Extreme for a number of years, though in the clients I look after, ACLs like this do not normally come about, hence the question. Thanks for the prompt response.
