acl wont work

mercy_angel · March 20, 2021, 02:42:47 AM

i said earlier
VLAN50 (192.168.50.0/24) is IT VLAN and should see all vlans, but any other shouldn't.
VLAN36 (192.168.36.0/24) is example. But when i try to rdp to my pc in VLAN50 i have access.

so i create all seperate extended acl and put INSIDE path into the vlan itself, so its not one acl for all vlans.
i am having a bunch of /24s and all what i need is that my vlan 50 see all vlans and all the others see only 192.168.2.0/24 (some server vlan)

deanwebb · March 21, 2021, 09:31:40 AM

This conversation is going to continue to go around in circles until we get more information. I'm sorry, but you're going to have to give more details. When you say "all vlans", we need to know what the other network ranges are. So far, all we have are the two VLANs, and they seem to be numbered arbitrarily. You say that you have "a bunch of /24s", but we don't have specifics on them.

The specifics matter.

The direction of traffic also matters. When you say the IT VLAN should see all vlans, but any other shouldn't, that raises a problem with bidirectional traffic. Traffic must be allowed to return to the IT VLAN from other VLANs, and any UDP responses (such as responses to SNMP polling) must also be explicitly permitted. If you are blocking traffic from all VLANs to the IT VLAN, then you are also blocking the return traffic that started from the IT VLAN.

VLAN ACLs are *not* stateful, so they will *not* automatically permit response traffic. A stateful firewall in between the IT VLAN and all other VLANs would allow automatic permits on return TCP traffic, but would still need explicit rules to permit UDP and ICMP responses, when needed.

mercy_angel · March 22, 2021, 08:02:26 AM

i just put in all interface vlans this

Code Select

ip access-group FILTER_VLAN_36 in

and vlan is

Code Select


Extended IP access list FILTER_VLAN_36
    10 permit ip any 192.168.2.0 0.0.0.255
    20 deny ip any 192.168.0.0 0.0.128.255
    30 permit ip any any
    40 permit icmp any any

and now you will not have access to IT department, but IT department cant see this VLAN36 BUT IT SHOULD!
This is problem.

deanwebb · March 22, 2021, 09:04:12 AM

That ACL denies all inbound traffic from 192.168.0.0/17 except from 192.168.2.0/24. Your IT VLAN is 192.168.50.0/24, so it is blocked.

If you add a permit ip any 192.168.50.0 0.0.0.255, (above the deny) the IT VLAN traffic should be allowed.

<admin edit>

mercy_angel · August 11, 2021, 12:13:09 PM

Quote from: deanwebb on March 22, 2021, 09:04:12 AM
That ACL denies all inbound traffic from 192.168.0.0/17 except from 192.168.2.0/24. Your IT VLAN is 192.168.50.0/24, so it is blocked.

If you add a permit ip any 192.168.50.0 0.0.0.255, (above the deny) the IT VLAN traffic should be allowed.

<admin edit>

you are right, but that vlan will see IT VLAN if I add permit 192.168.50.
but idea is that only IT has access to all other vlans, not vice versa

deanwebb · August 11, 2021, 01:41:34 PM

Then what you want is a firewall, that can permit the stateful connections that you describe.

acl wont work

mercy_angel

deanwebb

mercy_angel

deanwebb

mercy_angel

deanwebb