This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ACLs, subnet segregation and you.

ACLs, subnet segregation and you.

EtherNation_Use
Contributor II

‎01-07-2014 09:57 PM

Create Date: Dec 2 2012 12:27AM

Hello. I'm hoping someone can at least point me towards something to help me understand how ACLs work and - more importantly - why mine aren't.

Here's the basic run-down. I have a network running using numerous vlans and subnets. Due to a chain of events that would take too long to explain, I need to add another entity to our physical network while keeping them separated. They have two subnets. For our purposes we'll call them 192.168.1.1/24 and 192.168.2.1/24. They also have their own internet feed, edge firewall, etc. We'll call their edge firewall 192.168.2.254. So what I want to do is allow them to pass traffic between 192.168.1.1/24 and 192.168.2.1/24 and then use 192.168.2.254 as their path to anything else and have absolutely no access to any of our existing networks (referred to as 192.168.3.1/24 in my ACL example below) and none of our existing networks should be able to access theirs. So I wrote up a bunch of ACLs I thought would get me what I wanted. However, in my testing it doesn't seem to work.
Here is my test ACL file:
entry block-3-to-1 {
if {
destination-address 192.168.1.1/24;
source-address 192.168.3.1/24;
} then {
count block_one_to;
deny;
}
}
entry block-3-to-2 {
if {
destination-address 192.168.2.1/24;
source-address 192.168.3.1/24;
} then {
count block_two_to;
deny;
}
}
entry block-1-to-3 {
if {
source-address 192.168.1.1/24;
destination-address 192.168.3.1/24;
} then {
count block_one_from;
deny;
}
}
entry block-2-to-3 {
if {
source-address 192.168.2.1/24;
destination-address 192.168.3.1/24;
} then {
count block_two_from;
deny;
}
}
entry forward-1-to-2 {
if {
source-address 192.168.1.1/24;
destination-address 192.168.2.1/24;
} then {
count redirect_one_two;
redirect 192.168.2.1;
}
}
entry forward-2-to-1 {
if {
source-address 192.168.2.1/24;
destination-address 192.168.1.1/24;
} then {
count redirect_two_one;
redirect 192.168.1.1/24;
}
}
entry forward-1-ext {
if {
source-address 192.168.1.1/24;
} then {
redirect 192.168.2.254;
}
}
entry forward-2-ext {
if {
source-address 192.168.2.1/24;
} then {
redirect 192.168.2.254;
}
} (from Doug_Jaquays)
0 Kudos
5 REPLIES 5

EtherNation_Use
Contributor II

‎01-07-2014 09:57 PM

Create Date: Dec 2 2012 12:55AM

And just to make sure it's covered

Image Selected: primary
Image Booted: primary
Primary ver: 15.1.2.12
patch1-2
System Type: X450e-48p

(from Doug_Jaquays)
0 Kudos
GTM-P2G8KFN