allow pc to communicate only with 1 pc in subnet

Started by mercy_angel, May 10, 2021, 06:03:48 AM


mercy_angel

I am having one acl list

    12 permit ip host 192.168.50.13 host 192.168.50.112
    13 deny ip host 192.168.50.13 192.168.50.0 0.0.0.255
    30 permit ip any any (64196664 matches)
    40 permit icmp any any


I want the PC with IP 192.168.50.13 to be able to communicate ONLY with 50.112; any other communication between subnets is not allowed. But this is not working. Why?

config t

We need some context on where the ACL is applied and what direction such as inbound or outbound.

As it stands the traffic you are generating doesn't match on the ACL until your explicit allow (permit ip any any), which shouldn't be in there at all.


Please don't mistake my experience for intelligence.

mercy_angel

It's an inbound ACL.
Why is it not taking effect? If I change the deny to "any", it loses its internet connection, so why doesn't the deny to the subnet work?

config t

Yes but inbound where. On a physical interface? On a VLAN SVI? What does the network look like, and most importantly, articulate your requirement.

Do you see now that you have provided additional information that would be very helpful from the beginning. At first you said you only want the PC to talk to one other PC. Now it is known you also need an internet connection.

We need to know the context of your request to provide assistance.

mercy_angel

Sorry for the missing info.
So we have an L3 switch which holds the VLANs.
Behind that are L2 switches on the floors of the building.
Now, I want one of the PCs to see only one PC from its subnet and of course still have internet.
I put that extended ACL access-group on the VLAN interface.

icecream-guy

Think about it: you have 2 devices on the same network whose communication you want to block at layer 3, the IP layer.
How do two hosts on the same network communicate with each other?


Why would this never work "192.168.50.13 can communicate ONLY with 50.112"?

My Moral Fibers have been cut.

config t

^^^^ What ristau said ^^^^

You are communicating on a broadcast domain, Layer 2. Look into VACLs.

icecream-guy

Quote from: config t on May 10, 2021, 02:48:29 PM
^^^^ What ristau said ^^^^

You are communicating on a broadcast domain, Layer 2. Look into VACLs.

yeah, I wasn't trying to spoon feed mercy_angel.

mercy_angel

So I need to create another ACL where I would say

    ip access-list extended THAT_ACL
     permit ip host 192.168.50.13 host 192.168.50.112

and then use that ACL to block with a VACL:

    vlan access-map DROP_2_SERVER 10
     match ip address THAT_ACL
     action drop
    !
    ! second entry needs its own sequence number, otherwise it overwrites entry 10
    vlan access-map DROP_2_SERVER 20
     action forward

then

    vlan filter DROP_2_SERVER vlan-list 50

If that's correct, my question is what to do with the ACL that is already there (I suppose I am going to delete the rules that I wanted to add for blocking traffic and leave just the permit and ICMP any any):

    30 permit ip any any (64196664 matches)
    40 permit icmp any any

It's applied to the VLAN interface as an access-group in the IN direction. Should I delete this group from the VLAN interface or leave it?

config t

Now is the time that you TEST and VALIDATE your solution.

Quote from: ristau5741 on May 10, 2021, 02:54:06 PM

yeah, I wasn't trying to spoon feed mercy_angel.

:XD:

icecream-guy

Think layer 2.

What happens when the default gateway sends out a layer 2 broadcast "Who has IP 192.168.50.112"?
Then what happens? Does 192.168.50.112 ever hear that broadcast?

Unless the default gateway for host 192.168.50.112 is in fact 192.168.50.13,
this would be the only time that 192.168.50.112 would answer "I have that IP".
Would 192.168.50.13 ever have reason to send out a broadcast asking "Who has IP 192.168.50.112"?
When and why?

So I don't think you actually want "192.168.50.13 can communicate ONLY with 50.112".

If there is a host-based firewall on 192.168.50.13, that is probably the tool you would use to only allow 192.168.50.112 layer 3 access to the host, not the router.


What is the config for THAT_ACL? You neglected to include it.


Dieselboy

I did this accidentally with an Ubuntu machine. I had the PC set up with an IP address like this:

IP: 192.168.21.235
Mask: 255.255.255.255
Gateway: 192.168.21.1

I've no idea how the mask was set to /32. I mean it was me that set it up, but either I didn't have coffee that day or I had a copy/paste error, I don't know. This machine was the only one in the LAN at the time of setting it up and everything worked, i.e. it had internet access as it could talk to the default gateway. I only knew something was up because I set up a 2nd machine some time later and one of the devs wanted to do a file copy from machine 1 to machine 2. He asked me to open up the firewall to allow them to speak. He could access both machines over a VPN connection to the firewall, but not copy between them. I had not configured this restriction in any firewall.

I don't know if it's supposed to work this way or whether this is buggy behaviour that allowed it to work previously, but it's useful information I wanted to share.

With regards to your ACL issue, are you able to set up a lab and simulate the real environment and allow yourself to make changes, create issues and test things to find a working solution?

A simple answer to "it's not working, why?" is that the deny rule is not working simply because it is not being matched. You can verify this with "show access-lists", which shows the hit counters per entry:

#show access-lists VTY-ACCESS
Standard IP access list VTY-ACCESS
    20 permit 192.168.7.0, wildcard bits 0.0.0.255
    30 permit 192.168.10.0, wildcard bits 0.0.0.255 (2 matches)


mercy_angel

Quote from: ristau5741 on May 10, 2021, 06:26:35 PM
Think layer 2.

What happens when the default gateway sends out a layer 2 broadcast "Who has IP 192.168.50.112"?
Then what happens? Does 192.168.50.112 ever hear that broadcast?

Unless the default gateway for host 192.168.50.112 is in fact 192.168.50.13,
this would be the only time that 192.168.50.112 would answer "I have that IP".
Would 192.168.50.13 ever have reason to send out a broadcast asking "Who has IP 192.168.50.112"?
When and why?

So I don't think you actually want "192.168.50.13 can communicate ONLY with 50.112".

If there is a host-based firewall on 192.168.50.13, that is probably the tool you would use to only allow 192.168.50.112 layer 3 access to the host, not the router.


What is the config for THAT_ACL? You neglected to include it.


So here's the idea behind all this.
I need one of the PCs on subnet 50, that's PC 192.168.50.13, to have faster access to 50.112 (for a couple of our own reasons).
Because that subnet is important, I don't want that host to go through this subnet at all, only to 50.112.
So only L2.
As far as I know, when we use switches, because of the single broadcast domain, everyone "hears" everything.
We have a firewall where we created the DHCP scopes, and the core switches use that firewall as a helper address.
It's a Fortigate.
I tried to control this on it, but with no success, nothing happened.


deanwebb

If the gateway for the PC is 192.168.50.1, that ACL blocks communications to the gateway. The ACL also blocks traffic to the broadcast address, 192.168.50.255.

If traffic to the first hop to the rest of the network is blocked, then traffic to the rest of the network is blocked. It's like saying you can fly anywhere in the world, but you can't walk out the door.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

mercy_angel

Quote from: deanwebb on May 11, 2021, 08:39:09 AM
If the gateway for the PC is 192.168.50.1, that ACL blocks communications to the gateway. The ACL also blocks traffic to the broadcast address, 192.168.50.255.

If traffic to the first hop to the rest of the network is blocked, then traffic to the rest of the network is blocked. It's like saying you can fly anywhere in the world, but you can't walk out the door.

I understand, but I can't figure out how to block traffic to all PCs in the subnet and leave only one that can be reached.
.1 is the gateway because it is the VLAN IP address.
.2 is the HSRP IP for each VLAN.

So DHCP is created on the firewall, then the VLANs are on the core L3, and from the L3 it goes to the floor switches (L2 smart), and those floor switches are connected to each office on the floor with one or more L2 non-smart switches.

That is a setup in general.