static ACL question - block traffic vlan1 to vlan2 with exceptions
01-07-2014 10:51 PM
Create Date: Jul 24 2013 3:10PM
I have 2 vlans with both VRRP enabled and share the default gateway (firewall).
VLAN1 - not allowed to access VLAN2 (with exception DNS server and default GW)
VLAN2 - no restrictions to VLAN1
policy:
entry VLAN1-to-VLAN2-GW {
    if {
        source-address 10.99.35.0/24 ;
        destination-address 10.99.36.254/24 ;
    } then {
        permit ;
    }
}
entry VLAN1-to-VLAN2-DNS {
    if {
        source-address 10.99.35.0/24 ;
        destination-address 10.99.36.101/24 ;
        protocol tcp ;
        source-port 53 ;
        protocol udp ;
        source-port 53 ;
    } then {
        permit ;
    }
}
entry VLAN1-to-VLAN2-OTHER {
    if {
        source-address 10.99.35.0/24 ;
        destination-address 10.99.36.0/24 ;
    } then {
        deny ;
    }
}
Policy check was successful.
I added this ACL/policy to a port (egress) with a laptop connected to that port (VLAN1 - 10.99.35.105), but I can still access all servers in VLAN2.
Can you please check whether I have overlooked something? XOS ACLs are pretty new to me.
(from LNU)
4 REPLIES
04-04-2014 01:47 PM
Try this part:
...
entry EverythingElse {
    if match all {
        source-address 0.0.0.0/0;
    }
    then {
        deny ;
        count Deny;
    }
}
I just finished fighting a similar issue. Without specifying "source anywhere", it denies everything.
In my case I have multiple VLANs where I want to allow routing all VLANs to/from one particular special VLAN, but I do not want to route traffic between the "normal" VLANs.
I'll start a thread on that...
04-04-2014 01:47 PM
User had an additional question. Please reference the new topic here: I have multiple VLANs where I want to allow routing all VLANs to/from one particu...
01-07-2014 10:51 PM
Create Date: Jul 26 2013 11:14AM
Thanks, but it's not working.
With the permit matches alone, everything is permitted.
With "deny all other" plus the permit matches, everything is denied.
(from LNU)
01-07-2014 10:51 PM
Create Date: Jul 25 2013 12:05PM
You could try something like this:
entry VLAN1-to-VLAN2-GW {
    if match all {
        source-address 10.99.35.0/24 ;
        destination-address 10.99.36.254/32 ;
    }
    then {
        permit ;
        count VL1-VL2-GW ;
    }
}
# A client's DNS query carries destination port 53, not source port 53.
# One entry per transport: a single "match all" block cannot match both
# tcp and udp at the same time.
entry VLAN1-to-VLAN2-DNS-UDP {
    if match all {
        source-address 10.99.35.0/24 ;
        destination-address 10.99.36.101/32 ;
        protocol udp ;
        destination-port 53 ;
    }
    then {
        permit ;
        count VL1-VL2-DNS-UDP ;
    }
}
entry VLAN1-to-VLAN2-DNS-TCP {
    if match all {
        source-address 10.99.35.0/24 ;
        destination-address 10.99.36.101/32 ;
        protocol tcp ;
        destination-port 53 ;
    }
    then {
        permit ;
        count VL1-VL2-DNS-TCP ;
    }
}
entry VLAN2 {
    if match all {
        source-address 10.99.36.0/24 ;
    }
    then {
        permit ;
        count VL2 ;
    }
}
entry EverythingElse {
    if match all {
    }
    then {
        deny ;
        count Deny ;
    }
}
With "show access-list counter" you can see the packets hitting a specific rule.
Configure the ACL on the ingress port (where your laptop is connected).
(from Marjan_Rancic)
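The failure mode discussed in this thread, as an added example that is not part of the original posts or of ExtremeXOS itself: a small Python first-match simulator for the policy subset used above (entry, if [match all|any], then, permit/deny, source-address, destination-address, protocol, source-port, destination-port). The two policy texts, the packets and the names `parse_policy`, `evaluate`, `classify` and `PACKETS` are constructed for the example. It walks the entries in order, first match wins, and lets unmatched traffic through to model the implicit permit at the end of an EXOS ACL policy; it does not model ingress/egress direction and assumes the ACL sees the laptop's ingress packets, as the last reply recommends. It is a reading aid, not a replacement for `check policy` and `show access-list counter` on the switch.

```python
"""First-match simulator for the ExtremeXOS-style policy entries in this thread.
Added example (not code from the posts or from ExtremeXOS): parses the small
policy subset used above and evaluates constructed packets entry by entry."""
import ipaddress
import re

ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*if\s*(?:match\s+(?P<mode>all|any))?\s*\{"
    r"(?P<cond>.*?)\}\s*then\s*\{(?P<act>.*?)\}\s*\}",
    re.S,
)
STMT_RE = re.compile(r"([\w-]+)\s+([^;\s]+)\s*;")
ACTION_RE = re.compile(r"\b(permit|deny)\b")

# Constructed copy of the posted policy: /24 on host addresses, source-port
# where destination-port is meant, and tcp plus udp in one "match all" block.
ORIGINAL_POLICY = """
entry VLAN1-to-VLAN2-GW {
    if { source-address 10.99.35.0/24 ; destination-address 10.99.36.254/24 ; }
    then { permit ; }
}
entry VLAN1-to-VLAN2-DNS {
    if { source-address 10.99.35.0/24 ; destination-address 10.99.36.101/24 ;
         protocol tcp ; source-port 53 ; protocol udp ; source-port 53 ; }
    then { permit ; }
}
entry VLAN1-to-VLAN2-OTHER {
    if { source-address 10.99.35.0/24 ; destination-address 10.99.36.0/24 ; }
    then { deny ; }
}
"""

# Corrected shape for an ACL applied ingress on the VLAN1 client port
# (a TCP/53 entry would be the same with "protocol tcp").
CORRECTED_POLICY = """
entry VLAN1-to-VLAN2-GW {
    if match all { source-address 10.99.35.0/24 ; destination-address 10.99.36.254/32 ; }
    then { permit ; count VL1-VL2-GW ; }
}
entry VLAN1-to-VLAN2-DNS {
    if match all { source-address 10.99.35.0/24 ; destination-address 10.99.36.101/32 ;
                   protocol udp ; destination-port 53 ; }
    then { permit ; count VL1-VL2-DNS ; }
}
entry VLAN1-to-VLAN2-OTHER {
    if match all { source-address 10.99.35.0/24 ; destination-address 10.99.36.0/24 ; }
    then { deny ; count VL1-VL2-Deny ; }
}
"""

# Constructed traffic from the laptop 10.99.35.105 (VLAN1) towards VLAN2.
PACKETS = {
    "to-gateway": {"src": "10.99.35.105", "dst": "10.99.36.254", "proto": "tcp", "sport": 51000, "dport": 443},
    "dns-query": {"src": "10.99.35.105", "dst": "10.99.36.101", "proto": "udp", "sport": 51001, "dport": 53},
    "to-server": {"src": "10.99.35.105", "dst": "10.99.36.10", "proto": "tcp", "sport": 51002, "dport": 445},
}

def parse_policy(text):
    """Return [(entry name, 'all'|'any', [(key, value), ...], action), ...]."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        conds = STMT_RE.findall(m.group("cond"))
        action = ACTION_RE.search(m.group("act")).group(1)
        entries.append((m.group("name"), m.group("mode") or "all", conds, action))
    return entries

def _cond_matches(key, value, pkt):
    if key == "source-address":
        return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(value, strict=False)
    if key == "destination-address":
        return ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(value, strict=False)
    if key == "protocol":
        return pkt["proto"] == value
    if key == "source-port":
        return pkt["sport"] == int(value)
    if key == "destination-port":
        return pkt["dport"] == int(value)
    raise ValueError(f"unsupported match condition: {key}")

def evaluate(entries, pkt):
    """First matching entry decides; an empty match block matches everything.
    No match falls through to permit, modelling the implicit permit at the end
    of an EXOS ACL policy (which is why a catch-all deny entry is needed)."""
    for name, mode, conds, action in entries:
        combine = any if mode == "any" else all
        if not conds or combine(_cond_matches(k, v, pkt) for k, v in conds):
            return name, action
    return "<implicit>", "permit"

def classify(policy_text):
    """Map each constructed packet to the (entry, action) that decides it."""
    entries = parse_policy(policy_text)
    return {label: evaluate(entries, pkt) for label, pkt in PACKETS.items()}

if __name__ == "__main__":
    for title, text in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        print(title)
        for label, (entry, action) in classify(text).items():
            print(f"  {label:<10} -> {action:<6} by {entry}")
```

Running it shows every packet under the original policy being permitted by VLAN1-to-VLAN2-GW: 10.99.36.254/24 is the whole 10.99.36.0/24 subnet, so the first entry swallows the DNS and server traffic before the deny entry is ever reached. Swapping `destination-port 53` for `source-port 53` in CORRECTED_POLICY makes the DNS query fall through to the deny, because a client's query carries destination port 53; source port 53 only appears on the server's reply, which never enters the client's port. One caveat on a catch-all deny applied ingress on a client port: it also denies the laptop's traffic to destinations outside VLAN2, such as the internet through the firewall, unless an earlier entry permits it.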
