This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

static ACL question - block traffic vlan1 to vlan2 with exceptions

static ACL question - block traffic vlan1 to vlan2 with exceptions

EtherNation_Use
Contributor II

‎01-07-2014 10:51 PM

Create Date: Jul 24 2013 3:10PM

I have 2 vlans with both VRRP enabled and share the default gateway (firewall).

VLAN1 - not allowed to access VLAN2 (with exception DNS server and default GW)
VLAN2 - no restrictions to VLAN1

policy:

entry VLAN1-to-VLAN2-GW {
if {
source-address 10.99.35.0/24 ;
destination-address 10.99.36.254/24 ;
} then {
permit ;
}
}

entry VLAN1-to-VLAN2-DNS {
if {
source-address 10.99.35.0/24 ;
destination-address 10.99.36.101/24 ;
protocol tcp ;
source-port 53;
protocol udp ;
source-port 53;

} then {
permit ;
}
}

entry VLAN1-to-VLAN2-OTHER {
if {
source-address 10.99.35.0/24 ;
destination-address 10.99.36.0/24 ;
} then {
deny ;
}
}

Policy check was successfull.
I add this ACL/policy to a port/egress with laptop connected to that port (VLAN1 - 10.99.35.105) . But I can still access all servers in VLAN2.

Can you please check if I oversee something? XOS ACL are pretty new for me.
(from LNU)
0 Kudos
4 REPLIES 4

Frank
Contributor

‎04-04-2014 01:47 PM

Try this part:

...
entry EverythingElse {
if match all {
source-address 0.0.0.0/0;
}
then {
deny ;
count Deny;
}
}

I just finished fighting a similar issue. Without specifying "source anywhere", it denies everything.

In my case I have multiple VLANs where I want to allow routing all VLANs to/from one particular special VLAN, but I do not want to route traffic between the "normal" VLANs.

I'll start a thread on that...
0 Kudos

Tamera_Rousseau
New Contributor
In response to Frank

‎04-04-2014 01:47 PM

User had an additional question. Please reference the new topic here: I have multiple VLANs where I want to allow routing all VLANs to/from one particu...
0 Kudos

EtherNation_Use
Contributor II

‎01-07-2014 10:51 PM

Create Date: Jul 26 2013 11:14AM

thanks, but its not working.

If permitting matches, everything is permitted.
If deny all other and permitting matches, everything is denied.
(from LNU)
0 Kudos

EtherNation_Use
Contributor II

‎01-07-2014 10:51 PM

Create Date: Jul 25 2013 12:05PM

You could try something like this:

entry VLAN1-to-VLAN2-GW {
if match all {
source-address 10.99.35.0/24 ;
destination-address 10.99.36.254/32 ;
}
then {
permit ;
count VL1-VL2-GW
}
}
entry VLAN1-to-VLAN2-DNS {
if match all {
source-address 10.99.35.0/24 ;
destination-address 10.99.36.101/32 ;
source-port 53;
}
then {
permit ;
count VL1-VL2-DNS
}
}
entry VLAN2 {
if match all {
source-address 10.99.36.0/24 ;
}
then {
permit ;
count VL2
}
}
entry EverythingElse {
if match all {
}
then {
deny ;
count Deny;
}
}

With "show access-list counter" you can see packets hitting specific rule.
Configure acl on ingress port (where your laptop is connected).
(from Marjan_Rancic)
0 Kudos
GTM-P2G8KFN