ACLs, subnet segregation and you.

EtherNation_Use
Contributor II
Create Date: Dec 2 2012 12:27AM

Hello. I'm hoping someone can at least point me towards something to help me understand how ACLs work and - more importantly - why mine aren't.

Here's the basic run-down. I have a network running using numerous vlans and subnets. Due to a chain of events that would take too long to explain, I need to add another entity to our physical network while keeping them separated. They have two subnets. For our purposes we'll call them 192.168.1.1/24 and 192.168.2.1/24. They also have their own internet feed, edge firewall, etc. We'll call their edge firewall 192.168.2.254. So what I want to do is allow them to pass traffic between 192.168.1.1/24 and 192.168.2.1/24 and then use 192.168.2.254 as their path to anything else and have absolutely no access to any of our existing networks (referred to as 192.168.3.1/24 in my ACL example below) and none of our existing networks should be able to access theirs. So I wrote up a bunch of ACLs I thought would get me what I wanted. However, in my testing it doesn't seem to work.
Here is my test ACL file:

entry block-3-to-1 {
    if {
        destination-address 192.168.1.1/24;
        source-address 192.168.3.1/24;
    } then {
        count block_one_to;
        deny;
    }
}
entry block-3-to-2 {
    if {
        destination-address 192.168.2.1/24;
        source-address 192.168.3.1/24;
    } then {
        count block_two_to;
        deny;
    }
}
entry block-1-to-3 {
    if {
        source-address 192.168.1.1/24;
        destination-address 192.168.3.1/24;
    } then {
        count block_one_from;
        deny;
    }
}
entry block-2-to-3 {
    if {
        source-address 192.168.2.1/24;
        destination-address 192.168.3.1/24;
    } then {
        count block_two_from;
        deny;
    }
}
entry forward-1-to-2 {
    if {
        source-address 192.168.1.1/24;
        destination-address 192.168.2.1/24;
    } then {
        count redirect_one_two;
        redirect 192.168.2.1;
    }
}
entry forward-2-to-1 {
    if {
        source-address 192.168.2.1/24;
        destination-address 192.168.1.1/24;
    } then {
        count redirect_two_one;
        redirect 192.168.1.1;
    }
}
entry forward-1-ext {
    if {
        source-address 192.168.1.1/24;
    } then {
        redirect 192.168.2.254;
    }
}
entry forward-2-ext {
    if {
        source-address 192.168.2.1/24;
    } then {
        redirect 192.168.2.254;
    }
}

(from Doug_Jaquays)
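As an added illustration of how a switch walks the policy file above (this is example code, not from the original post and not Extreme's software), here is a small Python model of first-match ACL evaluation. The POLICY list reproduces the post's entries in file order; the sample flows are constructed; reading 192.168.x.1/24 as the whole /24 and treating a packet that matches no entry as forwarded normally are assumptions of the model. It also lints redirect targets, since a redirect next-hop has to be a single host address rather than a prefix, and shows what happens when a catch-all redirect is moved above a deny.

```python
# Added example (not from the original post): first-match evaluation of an
# EXOS-style ACL policy, using the entries posted above. Sample flows are
# constructed; "no match => forward normally" is an assumption of the model.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    name: str
    action: str                     # "deny" or "redirect"
    src: Optional[str] = None       # source-address prefix, None = any
    dst: Optional[str] = None       # destination-address prefix, None = any
    next_hop: Optional[str] = None  # redirect target (must be one host address)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        """Every condition present in the if {} block must hold (AND)."""
        if self.src and ip_address(src_ip) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(dst_ip) not in ip_network(self.dst, strict=False):
            return False
        return True


# The poster's entries, in file order. ASSUMPTION: 192.168.x.1/24 means the
# whole /24 (strict=False), which is how the post uses the notation.
POLICY: List[Entry] = [
    Entry("block-3-to-1", "deny", src="192.168.3.1/24", dst="192.168.1.1/24"),
    Entry("block-3-to-2", "deny", src="192.168.3.1/24", dst="192.168.2.1/24"),
    Entry("block-1-to-3", "deny", src="192.168.1.1/24", dst="192.168.3.1/24"),
    Entry("block-2-to-3", "deny", src="192.168.2.1/24", dst="192.168.3.1/24"),
    Entry("forward-1-to-2", "redirect", src="192.168.1.1/24", dst="192.168.2.1/24", next_hop="192.168.2.1"),
    Entry("forward-2-to-1", "redirect", src="192.168.2.1/24", dst="192.168.1.1/24", next_hop="192.168.1.1"),
    Entry("forward-1-ext", "redirect", src="192.168.1.1/24", next_hop="192.168.2.254"),
    Entry("forward-2-ext", "redirect", src="192.168.2.1/24", next_hop="192.168.2.254"),
]


def evaluate(policy: List[Entry], src_ip: str, dst_ip: str) -> Tuple[str, str, Optional[str]]:
    """Return (entry name, action, next hop) of the FIRST entry that matches.
    ASSUMPTION: a packet matching no entry is forwarded normally ("permit")."""
    for e in policy:
        if e.matches(src_ip, dst_ip):
            return (e.name, e.action, e.next_hop)
    return ("<no match>", "permit", None)


def validate(policy: List[Entry]) -> List[str]:
    """Lint: a redirect target must parse as a single host address, not a prefix."""
    problems = []
    for e in policy:
        if e.action != "redirect":
            continue
        try:
            if e.next_hop is None:
                raise ValueError("missing")
            ip_address(e.next_hop)
        except ValueError:
            problems.append(f"{e.name}: redirect target {e.next_hop!r} is not a host address")
    return problems


def reordered() -> List[Entry]:
    """Same entries, but with the catch-all forward-1-ext moved to the top.
    First match wins, so block-1-to-3 can then never fire for 192.168.1.0/24."""
    ext = next(e for e in POLICY if e.name == "forward-1-ext")
    return [ext] + [e for e in POLICY if e is not ext]


# Constructed sample flows (src, dst); 192.168.4.10 stands in for an
# internal subnet that the deny entries do not mention.
SAMPLE_FLOWS = [
    ("192.168.3.10", "192.168.1.10"),
    ("192.168.1.10", "192.168.3.10"),
    ("192.168.1.10", "192.168.2.10"),
    ("192.168.2.10", "192.168.1.10"),
    ("192.168.1.10", "8.8.8.8"),
    ("192.168.1.10", "192.168.4.10"),
    ("192.168.3.10", "192.168.3.20"),
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src:>14} -> {dst:<14} {evaluate(POLICY, src, dst)}")
    print("lint:", validate(POLICY) or "ok")
    print("1->3 with catch-all first:", evaluate(reordered(), "192.168.1.10", "192.168.3.10"))
```

Two things the trace makes visible. First, any source in 192.168.1.0/24 that is not explicitly denied lands on forward-1-ext, so traffic to an internal subnet absent from the deny list is not blocked but redirected to 192.168.2.254; an entry order that puts the catch-all above the denies silently disables them. Second, a redirect next-hop is a host address the switch itself has to resolve on one of its own VLAN interfaces, so a target written as a prefix, or one the switch cannot reach directly, will not behave as the entry's name suggests.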
5 REPLIES

EtherNation_Use
Contributor II
Create Date: Dec 2 2012 12:55AM

And just to make sure it's covered

Image Selected: primary
Image Booted: primary
Primary ver: 15.1.2.12
patch1-2
System Type: X450e-48p

(from Doug_Jaquays)