Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
713
Views
0
Helpful
5
Replies

ACL Help

jwalton2
Level 1
Level 1

‎09-25-2018 08:26 AM - edited ‎03-08-2019 04:14 PM

Hi All,

 

Pretty new to networking so please bear with me.

 

We have a project that requires that all the devices to have access to the internet, but not the local network.

 

I have setup an extended ACL for this which seems to work fine:

 

10 deny ip 10.2.61.0 0.0.0.255 10.0.0.0 0.255.255.255 (363 matches)
20 permit ip any any (322 matches)

 

But now we also want a local license server on this VLAN so they can use an application, I have put the server on the VLAN and given it the IP of 10.2.61.100

 

Am I right in thinking I need to add a line below line 10 with the following:

8 permit ip 10.2.61.0 0.0.0.255 host 10.2.61.100

 

That seems correct to me but doesn't seem to work. Any help appreciated.

 

Joe

 

Labels:
0 Helpful
5 Replies 5

ADP_89
Level 1
Level 1

‎09-25-2018 08:45 AM

Hello Joe,

 

Where did you apply the ACL? Is it on the router(where the defaul gateway IP resides) or on any switch port connected to the servers?

 

Cheers,

ADP

0 Helpful

jwalton2
Level 1
Level 1
In response to ADP_89

‎09-25-2018 08:49 AM

ACL is applied to the router where the default gateway resides. 

 

Vlan 61 is setup on the router and the switch that the devices are connected to.

0 Helpful

ADP_89
Level 1
Level 1
In response to jwalton2

‎09-25-2018 08:56 AM

So I am not sure how you achieved to block intra-subnet communications as traffic should be inspected by that ACL only when it goes from inside to outside.

If you want to make sure that clients are not communicating between them but they must be able to talk to some other devices connected to the switch (like the router or this licensing server) you should really look for other technologies like private VLANs, VACL(Vlan ACL) or "switchport protected"

Any of the above will work, but depending on the switch and the topology some might not be available.

 

HTH,

ADP

0 Helpful

jwalton2
Level 1
Level 1
In response to ADP_89

‎09-25-2018 08:57 AM

Thank you both I will look into VACL then.
0 Helpful

Georg Pauwen
VIP
VIP

‎09-25-2018 08:47 AM

Hello,

 

--> 8 permit ip 10.2.61.0 0.0.0.255 host 10.2.61.100

 

this applies to traffic from withing the same VLAN. What are you trying to achieve ? Typically, in an layer 3 ACL, source and destination should be in different subnets, otherwise, if you want to control traffic within the same subnet (VLAN), you would use a VLAN ACL. Can you clarify ?

0 Helpful
Customers Also Viewed These Support Documents