allow pc to communicate only with 1 pc in subnet

Started by mercy_angel, May 10, 2021, 06:03:48 AM


deanwebb

... and because the ACL blocks traffic to the VLAN gateway, there is no way for traffic to get out. You must have a permit rule for 192.168.50.1 before the deny rule.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

@mercy_angel - Check out this link https://www.cbtnuggets.com/blog/certifications/cisco/networking-basics-how-to-configure-standard-acls-on-cisco-routers

This goes through the basics of ACLs. The instructor's name is Jeremy Ciora. He is really good. I purchased his training videos to allow me to complete TWO Cisco CCNP certifications. I highly recommend him.

Note: Although the training is for standard ACLs the concepts are the same. The only difference is the additional checking of source network and source ports.

Note2: I also recommend signing up to CBT nuggets if you're just starting out. You can quickly ramp up with their training. Your company will probably pay the subscription for you if you ask them nicely :)

mercy_angel

Quote from: deanwebb on May 11, 2021, 11:58:30 AM
... and because the ACL blocks traffic to the VLAN gateway, there is no way for traffic to get out. You must have a permit rule for 192.168.50.1 before the deny rule.

How does the ACL block traffic to the VLAN gateway? I just deny host to host.

deanwebb

Quote from: mercy_angel on May 12, 2021, 03:48:56 AM
Quote from: deanwebb on May 11, 2021, 11:58:30 AM
... and because the ACL blocks traffic to the VLAN gateway, there is no way for traffic to get out. You must have a permit rule for 192.168.50.1 before the deny rule.

How does the ACL block traffic to the VLAN gateway? I just deny host to host.

The gateway is a host in that VLAN that is blocked with the deny rule.

mercy_angel


deanwebb

Quote from: mercy_angel on May 17, 2021, 02:09:22 AM
Still can't make this work.

No, and it will never work with the rules that you have.

May I suggest having the endpoint with traffic that needs control placed into a separate VLAN? Then the ACL can be written to permit to the one host, deny to all other hosts in that VLAN, and then permit all other traffic.

icecream-guy

Still think a host-based firewall solution would be the easiest.
:professorcat:

My Moral Fibers have been cut.

Dieselboy

Quote from: ristau5741 on May 18, 2021, 11:14:39 AM
Still think a host-based firewall solution would be the easiest.

I do agree with this. But I feel that if the OP won't learn, even when the learning materials are thrust in front of them, then outsourcing or procuring a seasoned network infrastructure engineer will be the easiest way forward.

mercy_angel

Quote from: deanwebb on May 11, 2021, 11:58:30 AM
... and because the ACL blocks traffic to the VLAN gateway, there is no way for traffic to get out. You must have a permit rule for 192.168.50.1 before the deny rule.

I tried like this:

    9 permit ip host 192.168.50.13 host 192.168.50.1
    10 permit ip host 192.168.50.13 host 192.168.50.112
    11 deny ip host 192.168.50.13 192.168.50.0 0.0.0.255
    30 permit ip any any (69060564 matches)
    40 permit icmp any any

But that also didn't work; from host .13 I can ping every PC inside the .13 subnet.

deanwebb

Ping, but can you access TCP ports in the subnet?

mercy_angel


deanwebb

Then I don't think you applied the ACL correctly.

mercy_angel

Quote from: deanwebb on May 27, 2021, 11:01:32 AM
Then I don't think you applied the ACL correctly.

How?

Extended IP access list FILTER_VLAN_50
    9 permit ip host 192.168.50.13 host 192.168.50.1
    10 permit ip host 192.168.50.13 host 192.168.50.112
    11 deny ip host 192.168.50.13 192.168.50.0 0.0.0.255 (565 matches)
    30 permit ip any any (69561463 matches)
    40 permit icmp any any
description IT
ip address 192.168.50.2 255.255.255.0
ip access-group FILTER_VLAN_50 in
ip helper-address 172.16.251.49
standby 50 ip 192.168.50.1
standby 50 timers 2 6
standby 50 preempt

deanwebb

That's applied on inbound traffic only. When traffic starts on .13, then that's outbound traffic.

mercy_angel

Quote from: deanwebb on May 28, 2021, 08:23:00 AM
That's applied on inbound traffic only. When traffic starts on .13, then that's outbound traffic.

How is it outbound? It's not leaving the core switch where the ACL is applied.
Those subnets first go to the floor smart switches, and the ACLs are on the L3 core switches.
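As an added example (not code from anyone in this thread), here is a small Python model of how IOS walks the posted FILTER_VLAN_50 list in sequence order and which packets an `ip access-group ... in` on the SVI ever gets to see. The subnet, the .1/.2 gateway addresses and the sample packets come from the thread; the rule that host-to-host traffic inside one VLAN is bridged at layer 2 and never reaches the SVI's ACL is a general property of SVIs, assumed here, not something a poster states.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed copy of the FILTER_VLAN_50 entries posted in the thread (match counters
# stripped). Each ACE is "seq action proto src dst" in IOS extended-ACL syntax.
FILTER_VLAN_50 = """
9 permit ip host 192.168.50.13 host 192.168.50.1
10 permit ip host 192.168.50.13 host 192.168.50.112
11 deny ip host 192.168.50.13 192.168.50.0 0.0.0.255
30 permit ip any any
40 permit icmp any any
"""
# Assumed from the interface config in the thread: the SVI subnet and the addresses the
# core switch itself answers on (HSRP VIP .1 and the real SVI address .2).
VLAN50_NET = "192.168.50.0/24"
GATEWAY_ADDRS = {"192.168.50.1", "192.168.50.2"}

def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))         # 0 bits must match
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)   # invert to a netmask
    return ipaddress.IPv4Network(f"{t[i]}/{netmask}", strict=False), i + 2

def parse_acl(text: str) -> list:
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _parse_addr(t, 3)
        dst, _ = _parse_addr(t, i)
        aces.append((int(t[0]), t[1], t[2], src, dst))
    return sorted(aces, key=lambda a: a[0])  # IOS evaluates in sequence-number order

def evaluate(aces, proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First match wins; 'ip' matches every protocol; implicit deny if nothing matches."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for seq, action, p, snet, dnet in aces:
        if p in ("ip", proto) and s in snet and d in dnet:
            return action, seq
    return "deny", None

def svi_inbound_verdict(aces, proto: str, src: str, dst: str) -> str:
    """Model the inbound SVI ACL: it sees only packets that leave the VLAN through the
    router or are addressed to the router itself; traffic between two hosts inside
    192.168.50.0/24 is switched at layer 2 and the ACL is never consulted."""
    net = ipaddress.IPv4Network(VLAN50_NET)
    if ipaddress.IPv4Address(dst) in net and dst not in GATEWAY_ADDRS:
        return "forwarded (bridged at layer 2, ACL not consulted)"
    action, seq = evaluate(aces, proto, src, dst)
    return f"{action} by seq {seq}" if seq is not None else "deny (implicit)"
```

Running `svi_inbound_verdict` for .13 to another PC in the subnet shows why the deny at seq 11 never fires, while .13 to the gateway or to a remote subnet does get evaluated; that is the gap a host-based firewall or a separate VLAN, as suggested above, closes.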