The idea is that only one subnet sees and controls all other subnets in HQ. I found some configuration for this:
So VLAN 10 was created, whose access list is
10 permit ip any any
20 permit icmp any any
and for VLAN 20 (all VLANs are the same in terms of access list)
10 deny ip any 192.168.0.0 0.0.128.255
20 permit ip any any
30 permit icmp any any
So what is that wildcard 0.0.128.255?
VLAN 20 can still reach VLAN 10, but it shouldn't. VLAN 10 is the IT department; only that VLAN should see all VLANs, but those VLANs can't see the IT VLAN.
Where is the mistake?
I tried to change the first rule in VLAN 20 to
10 deny ip any 192.168.0.0 0.0.255.255
but then VLAN 10, which is IT, can't see VLAN 20.
So, to know what exactly is going on, we would need to know the IP range of VLAN 10, IP range of VLAN 20, and what gear you have the ACL on.
But on Cisco switches, which I'm guessing you're using, the wildcard is an inverse match for the IP range in the ACL rule.
Sounds like OP is using VLAN ACLs (VACLs) and they're not straightforward at all. There are other considerations when using VACLs. I googled for some info on this and found a YouTube video "Explaining VACL" that may be helpful to the OP: https://www.youtube.com/watch?v=A4Mt1Vgx-fw
I haven't done this for many years. It is easier for me to choose either alternative:
1. use a firewall to route between these VLANs and do the filtering on the firewall instead of VACL
2. use routed ports (physical port) and then traditional ACL on the ingress of the routed port
Quote from: deanwebb on December 20, 2020, 07:42:20 PM
So, to know what exactly is going on, we would need to know the IP range of VLAN 10, IP range of VLAN 20, and what gear you have the ACL on.
But on Cisco switches, which I'm guessing you're using, the wildcard is an inverse match for the IP range in the ACL rule.
Why is that important? It's two /24 masks.
It can be anything for these purposes. VLAN 10 is 192.168.10.0/24 and VLAN 20 is 192.168.20.0/24.
But it's strange that I found that wildcard in the ACL, and I can't figure out what is forbidden and why VLAN 20 can access VLAN 10...
The wildcard mask looks like a typo. A 17 bit wildcard mask is `0.0.127.255`.
Maybe your office or "site" has a number of /24s which can be described as one larger subnet like a /17. A /17 would give you subnets from 192.168.0.0/24 to 192.168.127.0/24 (or you could say 128 /24's).
Quote from: Dieselboy on December 23, 2020, 12:01:17 AM
The wildcard mask looks like a typo. A 17 bit wildcard mask is `0.0.127.255`.
Maybe your office or "site" has a number of /24s which can be described as one larger subnet like a /17. A /17 would give you subnets from 192.168.0.0/24 to 192.168.127.0/24 (or you could say 128 /24's).
Or can you help me with how to get my access list then, because when I put deny 192.168.0.0 0.0.255.255, VLAN 10, which must see all subnets, also cannot see VLAN 20 even though it has permit any any..
This is where we need the IP ranges of the VLANs in question. Once we have those, we can say with accuracy what impact that ACL is having on their traffic.
Quote from: mercy_angel on December 23, 2020, 03:27:58 PM
Quote from: Dieselboy on December 23, 2020, 12:01:17 AM
The wildcard mask looks like a typo. A 17 bit wildcard mask is `0.0.127.255`.
Maybe your office or "site" has a number of /24s which can be described as one larger subnet like a /17. A /17 would give you subnets from 192.168.0.0/24 to 192.168.127.0/24 (or you could say 128 /24's).
Or can you help me with how to get my access list then, because when I put deny 192.168.0.0 0.0.255.255, VLAN 10, which must see all subnets, also cannot see VLAN 20 even though it has permit any any..
Please take a look at the video I posted, it should explain VACLs. The VACLs (VLAN ACLs) are not straight-forward like ACLs.
Quote from: deanwebb on December 24, 2020, 07:42:12 AM
This is where we need the IP ranges of the VLANs in question. Once we have those, we can say with accuracy what impact that ACL is having on their traffic.
VLAN 10 is 192.168.10.0/24.
This VLAN should see 192.168.0.0/16.
VLAN 20 is 192.168.20.0/24, and this VLAN and all the others (except VLAN 10, because VLAN 10 is the IT sector) should see only VLAN 2, 192.168.2.0/24, and that's it. No other VLAN allowed.
VLAN 20 is in the same /16 as VLAN 10, so the VACL that permits to the /16 is going to permit to VLAN 10. Either tighten up the VACL to maybe just the /24, or put it in a different /16, like 192.168.128.0/24.
Quote from: deanwebb on January 05, 2021, 11:24:00 AM
VLAN 20 is in the same /16 as VLAN 10, so the VACL that permits to the /16 is going to permit to VLAN 10. Either tighten up the VACL to maybe just the /24, or put it in a different /16, like 192.168.128.0/24.
If I don't put
ip access-group SOME_ACL_NAME in
in VLAN 100 (10.122.0.0/22), and on VLAN 200 (10.122.13.0/24) I put
ip access-group LAN-FILTER in
and that access list is:
Extended IP access list LAN-FILTER
deny ip any 10.122.0.0 0.0.31.255
deny icmp any 10.122.0.0 0.0.31.255
permit ip any any
permit icmp any any
why can't I ping any other VLANs in 10.122.0.0/16 from VLAN 10??
So in general, if I don't put any ACL rule on one subnet, it should explicitly see all others?
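An added example (not from any poster in this thread): an offline model of Cisco-style first-match ACL evaluation with wildcard masks, run against the VLAN 20 VACL from the first post and the LAN-FILTER list just above. Sequence numbers for LAN-FILTER and the sample host addresses are assumptions; the ACL entries themselves are the thread's.

```python
import ipaddress

def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 1 bit means 'don't care', a 0 bit must equal base."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)

def matched_third_octets(base, wildcard):
    """Third-octet values x for which base's /16 + '.x.0' is matched."""
    b = base.split(".")
    return [x for x in range(256)
            if wildcard_match(f"{b[0]}.{b[1]}.{x}.0", base, wildcard)]

def evaluate(acl, proto, src, dst):
    """First-match evaluation; an unmatched packet hits the implicit deny."""
    for seq, action, aproto, sbase, swc, dbase, dwc in acl:
        if (aproto in ("ip", proto) and wildcard_match(src, sbase, swc)
                and wildcard_match(dst, dbase, dwc)):
            return action, seq
    return "deny", "implicit"

ANY = ("0.0.0.0", "255.255.255.255")

# VLAN 20 VACL from the thread: (seq, action, proto, src, src-wc, dst, dst-wc).
VLAN20_ACL = [
    (10, "deny",   "ip",   *ANY, "192.168.0.0", "0.0.128.255"),
    (20, "permit", "ip",   *ANY, *ANY),
    (30, "permit", "icmp", *ANY, *ANY),
]
# LAN-FILTER applied inbound on VLAN 200 (10.122.13.0/24); the post shows no
# sequence numbers, so 10-40 are assumed here.
LAN_FILTER = [
    (10, "deny",   "ip",   *ANY, "10.122.0.0", "0.0.31.255"),
    (20, "deny",   "icmp", *ANY, "10.122.0.0", "0.0.31.255"),
    (30, "permit", "ip",   *ANY, *ANY),
    (40, "permit", "icmp", *ANY, *ANY),
]

if __name__ == "__main__":
    # 0.0.128.255 only frees bit 7 of the third octet: it matches .0.x and .128.x,
    # so a VLAN 20 host (constructed: 192.168.20.5) to VLAN 10 falls through to seq 20.
    print(matched_third_octets("192.168.0.0", "0.0.128.255"))
    print(evaluate(VLAN20_ACL, "icmp", "192.168.20.5", "192.168.10.1"))
    # The echo request from VLAN 100 is unfiltered, but the echo reply leaving
    # VLAN 200 (constructed hosts 10.122.13.7 -> 10.122.1.5) hits LAN-FILTER seq 10.
    print(evaluate(LAN_FILTER, "icmp", "10.122.13.7", "10.122.1.5"))
```

Swapping the wildcard on VLAN20_ACL seq 10 for 0.0.255.255 makes the deny match every 192.168.x.x destination, which is the behaviour the first post describes when VLAN 10 also lost reachability.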
Those ACL rules match on a /12 range.
And yes, by default, if there is no ACL, all traffic is permitted.
Quote from: deanwebb on January 07, 2021, 09:47:36 AM
Those ACL rules match on a /12 range.
And yes, by default, if there is no ACL, all traffic is permitted.
Why then can't I ping it?
If I have deny from other VLANs, why IT, where it hasn't any ACLs?
You can't ping it because your mask is too big. Try using 10.122.13.0 0.255.255.255 on the deny statements. Then it will only block traffic to VLAN 200.
Quote from: deanwebb on January 08, 2021, 09:37:35 PM
You can't ping it because your mask is too big. Try using 10.122.13.0 0.255.255.255 on the deny statements. Then it will only block traffic to VLAN 200.
VLAN 100 is the IT department. This VLAN MUST see all VLANs. And VLAN 200 is some office, and there are 10-15 more VLANs, so it will be the same ACL rules for them.
Those office VLANs must not see any VLANs besides their own. The problem is that I don't have ping to those office PCs..
A couple of things here to comment on.
1. Whatever VLAN needs restrictions, gets the ACL. No restrictions, no ACL.
2. ICMP must be permitted in both directions. Otherwise, pings will fail. It can be the same on bidirectional UDP conversations.
3. You can also get the same effects with routing statements that permit some conversations, but which send traffic that is forbidden to a null route.
4. Use a firewall as a router on a stick for better, more granular control of traffic.
Quote from: deanwebb on January 10, 2021, 10:12:57 AM
A couple of things here to comment on.
2. ICMP must be permitted in both directions. Otherwise, pings will fail. It can be the same on bidirectional UDP conversations.
We want to be restrictive on the ICMP we allow; some is bad. I might suggest only allowing ICMP
echo
echo reply
unreachable
traceroute
and only on trusted interfaces, blocked on untrusted interfaces.