allow pc to communicate only with 1 pc in subnet

Started by mercy_angel, May 10, 2021, 06:03:48 AM


deanwebb

Browsing starts at .13 --> goes out to Internet
File access operation starts at .13 --> goes out to other host in same subnet

Outbound traffic.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

mercy_angel

Quote from: deanwebb on May 31, 2021, 08:26:16 AM
Browsing starts at .13 --> goes out to Internet
File access operation starts at .13 --> goes out to other host in same subnet

Outbound traffic.

So I just need to change, in the interface vlan, from
ip access-group FILTER_VLAN_50 in
to
ip access-group FILTER_VLAN_50 out

deanwebb

Add that out line, that way the ACL applies to inbound and outbound traffic.

mercy_angel

So, like this:
description IT
ip address 192.168.50.2 255.255.255.0
ip access-group FILTER_VLAN_50 in
ip access-group FILTER_VLAN_50 out
ip helper-address 172.16.251.49
standby 50 ip 192.168.50.1
standby 50 timers 2 6
standby 50 preempt


update:

I tried this config and again I have access to all PCs in my subnet (not just to 50.32).

deanwebb

Are those hosts in the 192.168.50.0/24 network all on the same switch as the one you're trying to control? If so, then you may need to have it in a separate VLAN.

mercy_angel

Quote from: deanwebb on June 07, 2021, 09:37:14 AM
Are those hosts in the 192.168.50.0/24 network all on the same switch as the one you're trying to control? If so, then you may need to have it in a separate VLAN.

Yes, they are. It's part of the IT department (where a lot of IPsec tunnels are created, etc.). It's difficult now to make a separate subnet for them, because all the rules are made for that subnet.
Is there no other way to do it?

deanwebb

If we've tried applying the ACL on both in and out and it still gets through, then we need to look at that. Normally, I apply an ACL on the endpoint IP address and it works just fine at blocking all traffic, even to neighbors on the switch. Something may be up with the switch you're using, I don't know.

Dieselboy

In my previous experience setting up VLAN ACLs on 3560 and 3750 switches back in around 2010, the problem I had was that the ACL is applied on the VLAN SVI but the switch doesn't always use the SVI. My memory is vague on this, but doesn't the switch use the CEF table to route, which bypasses the normal layer 3 routing mechanism? So basically the switch is routing at layer 2 rather than like a traditional L3 router. After that, I didn't try doing VLAN ACLs any more.

deanwebb

Quote from: Dieselboy on June 07, 2021, 08:46:22 PM
In my previous experience setting up VLAN ACLs on 3560 and 3750 switches back in around 2010, the problem I had was that the ACL is applied on the VLAN SVI but the switch doesn't always use the SVI. My memory is vague on this, but doesn't the switch use the CEF table to route, which bypasses the normal layer 3 routing mechanism? So basically the switch is routing at layer 2 rather than like a traditional L3 router. After that, I didn't try doing VLAN ACLs any more.

Maybe this should be a port or endpoint ACL instead of a VLAN ACL?

Dieselboy

Yes, I think that would then work as expected. But if the OP has a single L3 switch, then some confusing config and cabling would need to be applied to get the VLAN routing out of a routed port. It should be labbed up.

mercy_angel

The whole setup is:

VLANs are created on the FIREWALL, which is connected to the L3 CORE, and that L3 is directly connected to L2 switches which just hold the VLANs for that floor. From that L2 switch, one or two cables go to each office, and those offices are on "stupid" switches.



deanwebb

But... if the ACL is on the VLAN, can it properly restrict traffic that starts and ends in that VLAN - if the traffic is not routed and is handled via the CEF table, then it's looking like "no".

Put the ACL on the port where the device connects. Then it will work, trust me on that one. A large part of my job depends on port and endpoint ACLs working to block traffic.

mercy_angel

So you think like this:

interface GigabitEthernet1/0/8
description Rack_IT
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2,5,22,40-44,50,90,100
switchport mode trunk
switchport nonegotiate
ip access-group FILTER_VLAN_50 in - PUT HERE
ip access-group FILTER_VLAN_50 OUT - PUT HERE
end


CORE_SW_1#show run int
CORE_SW_1#show run int vlan 50
Building configuration...

Current configuration : 218 bytes
!
interface Vlan50
description IT
ip address 192.168.50.2 255.255.255.0
ip access-group FILTER_VLAN_50 in - DELETE FROM HERE
ip access-group FILTER_VLAN_50 OUT - DELETE FROM HERE
ip helper-address 172.16.251.49
standby 50 ip 192.168.50.1
standby 50 timers 2 6
standby 50 preempt
end


But only for restricting traffic into the subnet, because when I want to block traffic to another subnet, this ACL on the VLAN works.
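The behaviour described in this thread (the SVI ACL blocks traffic to other subnets but not to neighbours in VLAN 50, while a port ACL on the host's own port blocks both) modelled as an added example; this is not code from the forum, and the rule set for FILTER_VLAN_50 is an assumption, since the thread never shows the ACL itself.

```python
from ipaddress import ip_address, ip_network

# Constructed ACL for the thread's goal: .13 may reach only .32 inside
# 192.168.50.0/24 but may still reach other subnets and the Internet.
# (FILTER_VLAN_50 is never shown in the thread; these rules are an assumption.)
SUBNET = ip_network("192.168.50.0/24")
FILTER_VLAN_50 = [
    ("permit", "192.168.50.13", "192.168.50.32"),
    ("deny",   "192.168.50.13", "192.168.50.0/24"),
    ("permit", "any", "any"),
]

def _match(spec, addr):
    return spec == "any" or addr in ip_network(spec, strict=False)

def acl_permits(acl, src, dst):
    """Cisco-style first-match evaluation with the implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_spec, dst_spec in acl:
        if _match(src_spec, s) and _match(dst_spec, d):
            return action == "permit"
    return False

def forwarded(acl, placement, src, dst):
    """Whether a packet from src to dst gets through, given where the ACL sits.
    'svi':  ACL on interface Vlan50. Only traffic leaving the subnet is routed
            through the SVI; same-subnet frames are switched at layer 2 and are
            never evaluated (the effect Dieselboy and deanwebb describe).
    'port': ACL inbound on the host's access port. Every packet the host
            sends is evaluated, neighbours included."""
    routed = ip_address(dst) not in SUBNET
    if placement == "svi" and not routed:
        return True  # switched, not routed: the SVI ACL never sees it
    return acl_permits(acl, src, dst)

FLOWS = {  # constructed flows matching the thread (203.0.113.10 stands in for the Internet)
    "browse Internet": ("192.168.50.13", "203.0.113.10"),
    "file share .32":  ("192.168.50.13", "192.168.50.32"),
    "neighbour .40":   ("192.168.50.13", "192.168.50.40"),
}

def compare_placements():
    """Map each flow to {placement: forwarded?} for both ACL placements."""
    return {name: {p: forwarded(FILTER_VLAN_50, p, *flow) for p in ("svi", "port")}
            for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name, result in compare_placements().items():
        print(f"{name:16} svi={result['svi']!s:5} port={result['port']}")
```

The "neighbour .40" row is the symptom from the thread: with the ACL on Vlan50 the packet is forwarded regardless of the deny line, and only the port placement blocks it.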


mercy_angel

I tried to add IN

interface GigabitEthernet1/0/8
description RackIT
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2,5,22,40-44,50,90,100
switchport mode trunk
switchport nonegotiate
ip access-group FILTER_VLAN_50 in
end


I can't add it for OUT:
CORE_SW_1(config-if)#ip access-group FILTER_VLAN_50 out
                                                    ^
% Invalid input detected at '^' marker.


But still I can't access all PCs in my subnet...

deanwebb

Why are you putting an ACL on a trunk port? The ACL should go on the port where the device connects to the network.