I have one ACL:
12 permit ip host 192.168.50.13 host 192.168.50.112
13 deny ip host 192.168.50.13 192.168.50.0 0.0.0.255
30 permit ip any any (64196664 matches)
40 permit icmp any any
I want the PC with IP 192.168.50.13 to communicate ONLY with 50.112; any other communication between subnets is not allowed. But this is not working. Why?
We need some context on where the ACL is applied and in what direction, such as inbound or outbound.
As it stands, the traffic you are generating doesn't match on the ACL until your explicit allow (permit ip any any), which shouldn't be in there at all.
It's an inbound ACL.
Why is it not affected? If I change the deny to any, it loses its internet connection, so why doesn't the deny to the subnet work?
Yes, but inbound where? On a physical interface? On a VLAN SVI? What does the network look like, and most importantly, articulate your requirement.
Do you see now that you have provided additional information that would have been very helpful from the beginning? At first you said you only wanted the PC to talk to one other PC. Now it is known you also need an internet connection.
We need to know the context of your request to provide assistance.
Sorry for the missing info.
So we have an L3 switch which holds the VLANs.
Behind that are L2 switches on the floors of the building.
Now, I want one of the PCs to see only one PC from its subnet and of course have internet.
I put that extended ACL group on the VLAN interface.
Think about it: you have 2 devices on the same network, and you want to block communications between them at layer 3, the IP layer.
How do two hosts on the same network communicate with each other?
Why would this never work: "192.168.50.13 can communicate ONLY with 50.112"?
^^^^ What ristau said ^^^^
You are communicating on a broadcast domain, Layer 2. Look into VACLs.
Quote from: config t on May 10, 2021, 02:48:29 PM
^^^^ What ristau said ^^^^
You are communicating on a broadcast domain, Layer 2. Look into VACLs.
Yeah, I wasn't trying to spoon-feed mercy_angel.
So I need to create another ACL where I would say
permit ip host 192.168.50.13 host 192.168.50.112
and then use that ACL to block with a VACL:
vlan access-map DROP_2_SERVER 10
match ip address THAT_ACL
action drop
vlan access-map DROP_2_SERVER 20
action forward
then
vlan filter DROP_2_SERVER vlan-list 50
If that's correct, my question is what to do with the ACL that is already there (I suppose I'm going to delete the rules that I wanted to add for blocking traffic and leave just permit and icmp any any):
30 permit ip any any (64196664 matches)
40 permit icmp any any
It's added to the VLAN interface group IN. Should I delete this group from the VLAN interface or leave it?
Now is the time that you TEST and VALIDATE your solution.
Quote from: ristau5741 on May 10, 2021, 02:54:06 PM
Yeah, I wasn't trying to spoon-feed mercy_angel.
:XD:
Think layer 2.
What happens when the default gateway sends out a layer 2 broadcast, "Who has IP 192.168.50.112"?
Then what happens? Does 192.168.50.112 ever hear that broadcast?
Unless your default gateway for host 192.168.50.112 is in fact 192.168.50.13,
this would be the only time that 192.168.50.112 would answer "I have that IP".
Would 192.168.50.13 ever have reason to send out a broadcast asking "Who has IP 192.168.50.112"?
When and why?
So I don't think you actually want "192.168.50.13 can communicate ONLY with 50.112".
If there is a host-based firewall on 192.168.50.13, that is probably the tool you would use to only allow 192.168.50.112 layer 3 access to the host, not the router.
What is the config for THAT_ACL? You neglected to include it.
I did this accidentally with an Ubuntu machine. I had the PC set up with an IP address like this:
IP: 192.168.21.235
Mask: 255.255.255.255
Gateway: 192.168.21.1
I've no idea how the mask was set to /32. I mean, it was me that set it up, but either I didn't have coffee that day or I had a copy/paste error, I don't know. This machine was the only one in the LAN at the time of setting it up and everything worked, i.e. it had internet access as it could talk to the default gateway. I only knew something was up because I set up a 2nd machine some time later and one of the devs wanted to do a file copy from machine 1 to machine 2. He requested that I open up the firewall to allow them to speak. He could access both machines over a VPN connection to the firewall, but not copy between them. I had not configured this restriction in any firewall.
I don't know if it's supposed to work this way or whether this is buggy behaviour that allowed it to work previously, but it is useful information I wanted to share.
With regards to your ACL issue, are you able to set up a lab and simulate the real environment and allow yourself to make changes, create issues and test things to find a working solution?
A simple answer to "it's not working, why?" is that the deny rule is not working simply because it is not being matched. You can verify this with "show access-lists":
#show access-lists VTY-ACCESS
Standard IP access list VTY-ACCESS
20 permit 192.168.7.0, wildcard bits 0.0.0.255
30 permit 192.168.10.0, wildcard bits 0.0.0.255 (2 matches)
Quote from: ristau5741 on May 10, 2021, 06:26:35 PM
Think layer 2.
What happens when the default gateway sends out a layer 2 broadcast, "Who has IP 192.168.50.112"?
Then what happens? Does 192.168.50.112 ever hear that broadcast?
Unless your default gateway for host 192.168.50.112 is in fact 192.168.50.13,
this would be the only time that 192.168.50.112 would answer "I have that IP".
Would 192.168.50.13 ever have reason to send out a broadcast asking "Who has IP 192.168.50.112"?
When and why?
So I don't think you actually want "192.168.50.13 can communicate ONLY with 50.112".
If there is a host-based firewall on 192.168.50.13, that is probably the tool you would use to only allow 192.168.50.112 layer 3 access to the host, not the router.
What is the config for THAT_ACL? You neglected to include it.
So what's the idea behind all this?
I need to put one of the PCs on subnet 50, that's PC 192.168.50.13, to have faster access to 50.112 (for a couple of our own reasons).
Because that subnet is important, I don't want that host to go through this subnet, only to 50.112.
So only L2.
As I know, when we use switches, because of one broadcast domain, everyone "hears" everything.
We have a firewall itself where we created the DHCPs, and the core switches use that firewall as a helper address.
It's a FortiGate.
I tried to control this on it, but with no success; nothing happened.
If the gateway for the PC is 192.168.50.1, that ACL blocks communications to the gateway. The ACL also blocks traffic to the broadcast address, 192.168.50.255.
If traffic to the first hop to the rest of the network is blocked, then traffic to the rest of the network is blocked. It's like saying you can fly anywhere in the world, but you can't walk out the door.
Quote from: deanwebb on May 11, 2021, 08:39:09 AM
If the gateway for the PC is 192.168.50.1, that ACL blocks communications to the gateway. The ACL also blocks traffic to the broadcast address, 192.168.50.255.
If traffic to the first hop to the rest of the network is blocked, then traffic to the rest of the network is blocked. It's like saying you can fly anywhere in the world, but you can't walk out the door.
I understand, but I can't figure out how to block traffic to all PCs in the subnet and leave only 1 that can be reached.
.1 is the gateway because it is the VLAN IP address.
.2 is the HSRP IP for each VLAN.
So DHCP is created on the firewall, then the VLANs are on the core L3, and from L3 it goes to the floor L2 smart switches, and those floor switches are connected to each office on the floor with one or more L2 not-smart switches.
That is the setup in general.
... and because the ACL blocks traffic to the VLAN gateway, there is no way for traffic to get out. You must have a permit rule for 192.168.50.1 before the deny rule.
@mercy_angel - Check out this link https://www.cbtnuggets.com/blog/certifications/cisco/networking-basics-how-to-configure-standard-acls-on-cisco-routers
This goes through the basics of ACLs. The instructor's name is Jeremy Ciora. He is really good. I purchased his training videos to allow me to complete TWO Cisco CCNP certifications. I highly recommend him.
Note: Although the training is for standard ACLs the concepts are the same. The only difference is the additional checking of source network and source ports.
Note 2: I also recommend signing up to CBT Nuggets if you're just starting out. You can quickly ramp up with their training. Your company will probably pay the subscription for you if you ask them nicely :)
Quote from: deanwebb on May 11, 2021, 11:58:30 AM
... and because the ACL blocks traffic to the VLAN gateway, there is no way for traffic to get out. You must have a permit rule for 192.168.50.1 before the deny rule.
How does the ACL block traffic to the VLAN gateway? I just deny host to host.
Quote from: mercy_angel on May 12, 2021, 03:48:56 AM
Quote from: deanwebb on May 11, 2021, 11:58:30 AM
... and because the ACL blocks traffic to the VLAN gateway, there is no way for traffic to get out. You must have a permit rule for 192.168.50.1 before the deny rule.
How does the ACL block traffic to the VLAN gateway? I just deny host to host.
The gateway is a host in that VLAN that is blocked with the deny rule.
Still can't make this work.
Quote from: mercy_angel on May 17, 2021, 02:09:22 AM
Still can't make this work.
No, and it will never work with the rules that you have.
May I suggest having the endpoint with traffic that needs control placed into a separate VLAN? Then the ACL can be written to permit to the one host, deny to all other hosts in that VLAN, and then permit all other traffic.
still think a host-based firewall solution would be the easiest.
Quote from: ristau5741 on May 18, 2021, 11:14:39 AM
still think a host-based firewall solution would be the easiest.
I do agree with this. But I feel that if the OP won't learn, even when thrusting the learning materials in front of them, then outsourcing or procuring a seasoned network infrastructure engineer will be the easiest way forward.
Quote from: deanwebb on May 11, 2021, 11:58:30 AM
... and because the ACL blocks traffic to the VLAN gateway, there is no way for traffic to get out. You must have a permit rule for 192.168.50.1 before the deny rule.
I tried like this:
9 permit ip host 192.168.50.13 host 192.168.50.1
10 permit ip host 192.168.50.13 host 192.168.50.112
11 deny ip host 192.168.50.13 192.168.50.0 0.0.0.255
30 permit ip any any (69060564 matches)
40 permit icmp any any
but it also didn't work; I can ping from host 13 all PCs inside the 13 subnet.
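The ACL just posted, and the original one from the top of the thread, run through a small first-match evaluator. This is an added example, not code from the thread or from Cisco; the evaluator, its function names and the sample flows (including the public address 203.0.113.10, which is a documentation address chosen here) are constructed for it. It shows which sequence line each packet from .13 hits, that line 40 can never match because line 30 permits all IP traffic first, and that a router ACL on an SVI is only consulted for routed packets and for packets addressed to the switch's own VLAN addresses: a packet between .13 and any other host in 192.168.50.0/24 is bridged at layer 2 and never reaches interface Vlan50, whichever direction the ACL is applied in. A VLAN map, as suggested earlier in the thread, does see bridged traffic.

```python
"""First-match evaluation of the FILTER_VLAN_50 router ACL from the thread.

Added example, not from the forum thread or any Cisco tool. Models Cisco
wildcard-mask matching, first-match-wins with the implicit deny, entries
shadowed by an earlier entry, and which packets an inbound ACL on the
VLAN 50 SVI is consulted for at all. Sample flows are constructed.
"""
import ipaddress
import re
from collections import namedtuple

Ace = namedtuple("Ace", "seq action proto src dst")  # src/dst = (base, wildcard)
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """Cisco semantics: a 1 bit in the wildcard means that address bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def _addr_spec(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse 'show access-lists' style lines into Ace entries, keeping their order."""
    acl = []
    for line in text.strip().splitlines():
        tokens = re.sub(r"\(\d+ matches\)", "", line).split()  # drop hit counters
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
        action, proto = tokens[0], tokens[1]
        src, i = _addr_spec(tokens, 2)
        dst, _ = _addr_spec(tokens, i)
        acl.append(Ace(seq, action, proto, src, dst))
    return acl


def evaluate(acl, proto, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action, ace.seq
    return "deny", None


def _covers(outer, inner):
    """True if every address matched by spec `inner` is also matched by `outer`."""
    ob, ow = (int(ipaddress.IPv4Address(x)) for x in outer)
    ib, iw = (int(ipaddress.IPv4Address(x)) for x in inner)
    o_care, i_care = ~ow & 0xFFFFFFFF, ~iw & 0xFFFFFFFF
    return (o_care & ~i_care) == 0 and (ob & o_care) == (ib & o_care)


def shadowed(acl):
    """Sequence numbers of entries that an earlier entry always matches first."""
    out = []
    for j, ace in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ip", ace.proto) and _covers(earlier.src, ace.src)
                    and _covers(earlier.dst, ace.dst)):
                out.append(ace.seq)
                break
    return out


VLAN50 = ipaddress.ip_network("192.168.50.0/24")
GATEWAYS = {"192.168.50.1", "192.168.50.2"}  # HSRP address and SVI address from the thread


def svi_verdict(acl, proto, src, dst):
    """What an inbound router ACL on interface Vlan50 does with one packet.

    Packets to the switch's own VLAN 50 addresses enter the SVI and are
    evaluated. Packets between two hosts of the same subnet are bridged at
    layer 2 and never reach the SVI, so the ACL is not consulted at all.
    """
    in_vlan = ipaddress.ip_address(src) in VLAN50 and ipaddress.ip_address(dst) in VLAN50
    if in_vlan and dst not in GATEWAYS:
        return "bridged", None
    return evaluate(acl, proto, src, dst)


ORIGINAL_ACL = parse_acl("""
12 permit ip host 192.168.50.13 host 192.168.50.112
13 deny ip host 192.168.50.13 192.168.50.0 0.0.0.255
30 permit ip any any (64196664 matches)
40 permit icmp any any
""")

GATEWAY_PERMIT_ACL = parse_acl("""
9 permit ip host 192.168.50.13 host 192.168.50.1
10 permit ip host 192.168.50.13 host 192.168.50.112
11 deny ip host 192.168.50.13 192.168.50.0 0.0.0.255
30 permit ip any any (69060564 matches)
40 permit icmp any any
""")

if __name__ == "__main__":
    pc = "192.168.50.13"
    for name, acl in (("original", ORIGINAL_ACL), ("gateway permit", GATEWAY_PERMIT_ACL)):
        print(f"{name}: shadowed entries {shadowed(acl)}")
        for dst in ("192.168.50.1", "192.168.50.112", "192.168.50.50", "203.0.113.10"):
            print(f"  {pc} -> {dst}: {svi_verdict(acl, 'tcp', pc, dst)}")
```

Running it shows 192.168.50.13 -> 192.168.50.1 denied by line 13 in the original ACL and permitted by line 9 once the gateway permit is added, 192.168.50.13 -> 203.0.113.10 permitted by line 30 in both, and every packet from .13 to another host in the /24 reported as bridged, which is why the host-to-host deny never accumulates matches on that traffic.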
Ping, but can you access TCP ports in the subnet?
Sure, I can VNC and RDP to that PC.
Then I don't think you applied the ACL correctly.
Quote from: deanwebb on May 27, 2021, 11:01:32 AM
Then I don't think you applied the ACL correctly.
How?
Extended IP access list FILTER_VLAN_50
9 permit ip host 192.168.50.13 host 192.168.50.1
10 permit ip host 192.168.50.13 host 192.168.50.112
11 deny ip host 192.168.50.13 192.168.50.0 0.0.0.255 (565 matches)
30 permit ip any any (69561463 matches)
40 permit icmp any any
description IT
ip address 192.168.50.2 255.255.255.0
ip access-group FILTER_VLAN_50 in
ip helper-address 172.16.251.49
standby 50 ip 192.168.50.1
standby 50 timers 2 6
standby 50 preempt
That's applied on inbound traffic only. When traffic starts on .13, then that's outbound traffic.
Quote from: deanwebb on May 28, 2021, 08:23:00 AM
That's applied on inbound traffic only. When traffic starts on .13, then that's outbound traffic.
How is it outbound? It's not leaving the core switch where the ACL is applied.
Those subnets first go to the floor smart switches, and on the L3 core switches are those ACLs.
Browsing starts at .13 --> goes out to Internet
File access operation starts at .13 --> goes out to other host in same subnet
Outbound traffic.
Quote from: deanwebb on May 31, 2021, 08:26:16 AM
Browsing starts at .13 --> goes out to Internet
File access operation starts at .13 --> goes out to other host in same subnet
Outbound traffic.
So just change the interface vlan from
ip access-group FILTER_VLAN_50 in
to
ip access-group FILTER_VLAN_50 out
Add that out line, that way the ACL applies to inbound and outbound traffic.
So like this:
description IT
ip address 192.168.50.2 255.255.255.0
ip access-group FILTER_VLAN_50 in
ip access-group FILTER_VLAN_50 out
ip helper-address 172.16.251.49
standby 50 ip 192.168.50.1
standby 50 timers 2 6
standby 50 preempt
Update:
I tried this config and again I have access to all PCs in my subnet (not just to 50.32).
Are those hosts in the 192.168.50.0/24 network all on the same switch as the one you're trying to control? If so, then you may need to have it in a separate VLAN.
Quote from: deanwebb on June 07, 2021, 09:37:14 AM
Are those hosts in the 192.168.50.0/24 network all on the same switch as the one you're trying to control? If so, then you may need to have it in a separate VLAN.
Yes they are; it's part of the IT department (where a lot of IPsec tunnels are created etc.), and it's difficult now to make a separate subnet for them, because all the rules are made for that subnet.
Is there no other way to do it?
If we've tried applying the ACL on both in and out and it still gets through, then we need to look at that. Normally, I apply an ACL on the endpoint IP address and it works just fine at blocking all traffic, even to neighbors on the switch. Something may be up with the switch you're using, I don't know.
In my previous experience setting up VLAN ACLs on 3560 and 3750 switches back in around 2010, the problem I had was that the ACL is applied on the VLAN SVI but the switch doesn't always use the SVI. My memory is vague on this, but doesn't the switch use the CEF table to route, which bypasses the normal layer 3 routing mechanism? So basically the switch is routing at layer 2 rather than as a traditional L3 router. After that, I didn't try doing VLAN ACLs any more.
Quote from: Dieselboy on June 07, 2021, 08:46:22 PM
In my previous experience setting up VLAN ACLs on 3560 and 3750 switches back in around 2010, the problem I had was that the ACL is applied on the VLAN SVI but the switch doesn't always use the SVI. My memory is vague on this, but doesn't the switch use the CEF table to route, which bypasses the normal layer 3 routing mechanism? So basically the switch is routing at layer 2 rather than as a traditional L3 router. After that, I didn't try doing VLAN ACLs any more.
Maybe this should be a port or endpoint ACL instead of a VLAN ACL?
Yes, I think that would then work as expected. But if the OP has a single L3 switch, then some confusing config and cabling would need to be applied to get the VLAN routing out of a routed port. It should be labbed up.
The whole setup is:
VLANs are created on the FIREWALL, which is connected to the L3 CORE, and that L3 is directly connected to L2 switches which just hold the VLANs for that floor. And from that L2, one or two cables go to each office, and those offices are on the "stupid" switches.
But... if the ACL is on the VLAN, can it properly restrict traffic that starts and ends in that VLAN - if the traffic is not routed and is handled via the CEF table, then it's looking like "no".
Put the ACL on the port where the device connects. Then it will work, trust me on that one. A large part of my job depends on port and endpoint ACLs working to block traffic.
So you think like this?
interface GigabitEthernet1/0/8
description Rack_IT
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2,5,22,40-44,50,90,100
switchport mode trunk
switchport nonegotiate
ip access-group FILTER_VLAN_50 in - PUT HERE
ip access-group FILTER_VLAN_50 OUT - PUT HERE
end
CORE_SW_1#show run int
CORE_SW_1#show run int vlan 50
Building configuration...
Current configuration : 218 bytes
!
interface Vlan50
description IT
ip address 192.168.50.2 255.255.255.0
ip access-group FILTER_VLAN_50 in - DELETE FROM HERE
ip access-group FILTER_VLAN_50 OUT - DELETE FROM HERE
ip helper-address 172.16.251.49
standby 50 ip 192.168.50.1
standby 50 timers 2 6
standby 50 preempt
end
but only for restricting traffic into the subnet, because when I want to block traffic to another subnet, this ACL on the VLAN works.
I tried to add IN:
interface GigabitEthernet1/0/8
description RackIT
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2,5,22,40-44,50,90,100
switchport mode trunk
switchport nonegotiate
ip access-group FILTER_VLAN_50 in
end
I can't add it for OUT:
CORE_SW_1(config-if)#ip access-group FILTER_VLAN_50 out
^
% Invalid input detected at '^' marker.
but still I can't access all PCs in my subnet...
Why are you putting an ACL on a trunk port? The ACL should go on the port where the device connects to the network.
The device is connected to an L2 switch; I can't apply an ACL there, and this VLAN is trunked through the L3.
That may be so, but we don't generally put ACLs on trunk ports.
What is the L2 switch and what is it licensed for?
Quote from: deanwebb on June 14, 2021, 01:57:25 PM
That may be so, but we don't generally put ACLs on trunk ports.
What is the L2 switch and what is it licensed for?
It's a Cisco SG220 and it's used for the wall jacks across the offices.
We have several of them throughout the building.
So the firewall is creating DHCP, the Cisco 3750 is holding the VLANs and IPs, with the helper IP pointing at the firewall, and from there it goes to the access switches (SG220).
OK, then it's clear. If you want an ACL to work, it needs to be on a VLAN and the endpoint you want to control needs to be in a separate VLAN from the devices you want to control access to. Call it the "control VLAN" or whatever you want, but it needs to be separate from the other endpoints. If that was a Catalyst switch on the access layer, you'd have ACLs on the port. With the SG series, you secure it with a different VLAN.
Quote from: deanwebb on June 15, 2021, 02:40:30 PM
OK, then it's clear. If you want an ACL to work, it needs to be on a VLAN and the endpoint you want to control needs to be in a separate VLAN from the devices you want to control access to. Call it the "control VLAN" or whatever you want, but it needs to be separate from the other endpoints. If that was a Catalyst switch on the access layer, you'd have ACLs on the port. With the SG series, you secure it with a different VLAN.
So if I have subnet 192.168.50.0/24 for my devices, I must make 2 VLANs with smaller subnets:
vlan50_Other: 192.168.50.0/25
vlan50_ITOnly: 192.168.50.128/25
You thought like this?
That's one way of doing it.
Just one more question. What about communication between 2 VLANs?
Extended IP access list FILTER_VLAN_25
10 permit ip any 192.168.2.0 0.0.0.255
20 deny ip any 192.168.0.0 0.0.128.255 (648975 matches)
30 permit ip any any (43833968 matches)
40 permit icmp any any
This VLAN 25 (192.168.25.0/24) can access VLAN 50. Why?
It's an inbound group on the VLAN, but why is access working? I want to forbid other VLANs from reaching my VLAN 50.
Well, line 20 is working - you have matches on it - so the question is if you have it applied in both directions, or just one?
You mean on VLAN 50? Or you mean access-group out, because I have only inbound.
When I put it on VLAN 50, I can't access them, but the idea is that only VLAN 50 sees all the others.
Put the restrictions on the restricted VLAN, in and out.
Quote from: deanwebb on June 18, 2021, 05:26:00 PM
Put the restrictions on the restricted VLAN, in and out.
If I understand correctly, the interface vlan must be configured like:
ip access-group FILTER_VLAN_25 in
ip access-group FILTER_VLAN_25 out
Extended IP access list FILTER_VLAN_25
10 permit ip any 192.168.2.0 0.0.0.255
20 deny ip any 192.168.0.0 0.0.128.255 (648975 matches)
30 permit ip any any (43833968 matches)
40 permit icmp any any
The idea is that only VLAN 50 (192.168.50.0/24) sees all those other VLANs, but not vice versa.
Update:
When I put this ACL on VLAN 25 in and out, I can't access it from VLAN 50.
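The FILTER_VLAN_25 entries posted above, evaluated against constructed destination addresses. This is an added example, not part of the thread or any Cisco tool; the entries are the posted ones with the hit counters dropped, and the source 192.168.25.10 and the destinations are made up for it. The point it demonstrates is the wildcard on line 20: a 1 bit in a Cisco wildcard mask means the corresponding address bit is ignored, and nothing requires those bits to be contiguous, so 0.0.128.255 ignores only the high bit of the third octet and the whole fourth octet. Line 20 therefore matches exactly 192.168.0.0/24 and 192.168.128.0/24, which is enough to accumulate matches, while a destination in 192.168.50.0/24 falls through to line 30 and is permitted. wildcard_for() gives the contiguous wildcard for a CIDR prefix, such as the 192.168.50.128/25 proposed above; whether the intended range for line 20 was 192.168.0.0 through 192.168.127.255 (the /17 wildcard 0.0.127.255) is an assumption, so check it against what the deny was meant to cover.

```python
"""Which destinations the posted FILTER_VLAN_25 entries really match.

Added example, not part of the forum thread or any Cisco tool. The ACL
entries are the posted ones (hit counters dropped); all addresses fed to
them are constructed for the example.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """Cisco semantics: a 1 bit in the wildcard means that address bit is ignored.

    The 1 bits need not be contiguous, which is what makes 0.0.128.255 legal.
    """
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


# (seq, action, protocol, (src base, src wildcard), (dst base, dst wildcard))
FILTER_VLAN_25 = [
    (10, "permit", "ip", ANY, ("192.168.2.0", "0.0.0.255")),
    (20, "deny", "ip", ANY, ("192.168.0.0", "0.0.128.255")),
    (30, "permit", "ip", ANY, ANY),
    (40, "permit", "icmp", ANY, ANY),
]


def evaluate(acl, proto, src, dst):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for seq, action, ace_proto, ace_src, ace_dst in acl:
        if ace_proto not in ("ip", proto):
            continue
        if wildcard_match(src, *ace_src) and wildcard_match(dst, *ace_dst):
            return action, seq
    return "deny", None


def third_octets_covered(base, wildcard):
    """Third-octet values x for which a 192.168.x.0/24 address matches the spec."""
    return [x for x in range(256) if wildcard_match(f"192.168.{x}.1", base, wildcard)]


def wildcard_for(prefix):
    """The contiguous wildcard mask that corresponds to a CIDR prefix."""
    return str(ipaddress.ip_network(prefix).hostmask)


if __name__ == "__main__":
    print("line 20 covers 192.168.x.0/24 for x in",
          third_octets_covered("192.168.0.0", "0.0.128.255"))
    for dst in ("192.168.50.7", "192.168.128.7", "192.168.0.7", "192.168.2.5"):
        print(f"192.168.25.10 -> {dst}: {evaluate(FILTER_VLAN_25, 'tcp', '192.168.25.10', dst)}")
    print("wildcard for 192.168.50.128/25:", wildcard_for("192.168.50.128/25"))
    print("wildcard for 192.168.0.0/17:", wildcard_for("192.168.0.0/17"))
```

A quick way to catch this class of mistake before applying an ACL is to run each deny entry's wildcard through something like third_octets_covered() and compare the list against the networks the entry is meant to cover.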
Honestly, I'd only have the restrictions on the VLAN in question - line 20 should be made to be specific to the /25 we are targeting. I'd have all permit statements for allowed traffic and then a deny all at the bottom for the rest.
Yeah, but making those 2 /25s is the last option; is there no other way? :'(
Quote from: mercy_angel on July 03, 2021, 04:44:34 PM
Yeah, but making those 2 /25s is the last option; is there no other way? :'(
host based firewall.