allow pc to communicate only with 1 pc in subnet

[mercy_angel]

device is connected to L2 switch, i cant apply acl there, and this VLAN is trunked through L3

[deanwebb]

That may be so, but we don't generally put ACLs on trunk ports.

What is the L2 switch and what is it licensed for?

[mercy_angel]

That may be so, but we don't generally put ACLs on trunk ports.

What is the L2 switch and what is it licensed for?

its sg220 cisco and its used for the wall jacks across offices.
We have several ones through the building.

so firewall is creating dhcp, cisco 3750 is holding vlans and ips on it which helper ip is firewall, and from there goes to access switches (sg220).

[deanwebb]

OK, then it's clear. If you want an ACL to work, it needs to be on a VLAN and the endpoint you want to control needs to be in a separate VLAN from the devices you want to control access to. Call it the "control VLAN" or whatever you want, but it needs to be separate from the other endpoints. If that was a Catalyst switch on the access layer, you'd have ACLs on the port. With the SG series, you secure it with a different VLAN.

[mercy_angel]

OK, then it's clear. If you want an ACL to work, it needs to be on a VLAN and the endpoint you want to control needs to be in a separate VLAN from the devices you want to control access to. Call it the "control VLAN" or whatever you want, but it needs to be separate from the other endpoints. If that was a Catalyst switch on the access layer, you'd have ACLs on the port. With the SG series, you secure it with a different VLAN.

so if i have subnet 192.168.50.0/24 for my devices, i must make 2 vlans with a smaller subnet

vlan50_Other:192.168.50.0/25
vlan50_ITOnly:192.168.50.128/25

you thought like this?

[deanwebb]

That's one way of doing it.

[mercy_angel]

Just one more q. Whats about communication betweens 2 VLANs

Code Select Expand

Extended IP access list FILTER_VLAN_25
    10 permit ip any 192.168.2.0 0.0.0.255
    20 deny ip any 192.168.0.0 0.0.128.255 (648975 matches)
    30 permit ip any any (43833968 matches)
    40 permit icmp any any


This VLAN 25 (192.168.25.0/24) can access to VLAN 50. Why?
Its inbound group in VLAN, but why its working access? I want to forbid other VLANs to reach my VLAN50

[deanwebb]

Well, line 20 is working - you have matches on it - so the question is if you have it applied in both directions, or just one?

[mercy_angel]

You think on vlan50?Or you think of access grouo out, cause i have only inbound
When i put on vlan 50, i cant access them, but idea is that only vlan50 see all others

[deanwebb]

Put the restrictions on the restricted VLAN, in and out.

[mercy_angel]

Put the restrictions on the restricted VLAN, in and out.

if i undestand good, interface vlan must be configured like:
ip access-group FILTER_VLAN_25 in
ip access-group FILTER_VLAN_25 out

Code Select Expand

Extended IP access list FILTER_VLAN_25
    10 permit ip any 192.168.2.0 0.0.0.255
    20 deny ip any 192.168.0.0 0.0.128.255 (648975 matches)
    30 permit ip any any (43833968 matches)
    40 permit icmp any any


Idea is that only vlan 50 (192.168.50.0/24) see all those other VLANS, but not vice versa

Update:
When i put this ACL on VLAN25 in and out, i cant access to it from VLAN50.

[deanwebb]

Honestly, I'd only have the restrictions on the VLAN in question - line 20 should be made to be specific to the /25 we are targeting. I'd have all permit statements for allowed traffic and then a deny all at the bottom for the rest.

[mercy_angel]

yeah but making those 2 25s are last option, is there no other way? 

[icecream-guy]

yeah but making those 2 25s are last option, is there no other way? 

host based firewall.