01-20-2013 03:13 PM - edited 03-07-2019 11:11 AM
Hello All!
I'm coming here as I'm not having much luck on the Dell forums and hoping the Cisco community could oblige.
I have a PowerConnect 6224 with routing enabled and several VLANs set up.
VLAN Database: 6,8,10,90-254
VLAN 6 is our management vlan
10 is for our core network services (DNS, Domain, Exchange etc)
90-254 are isolated vlans.
What I need to accomplish is to prevent vlans 90-254 from communicating with each other and only allow communication to VLAN 10 and the internet. All internet firewall work will be handled by our Sonicwall.
VLAN 10 is assigned 10.10.10.0/24
VLAN 90-254 each have their own /24 following an IP scheme like so.
VLAN 90 = 10.10.90.0/24
VLAN 91 = 10.10.91.0/24
VLAN 92 = 10.10.92.0/24
etc etc.
What I have below blocks inter-VLAN traffic between VLANs 90-254 and allows traffic to VLAN 10; however, no other traffic is allowed, i.e. no internet access.
I'm not familiar with ACLs, so I'm not certain of the cure.
The next hop from the switch is to the inside "LAN" interface of our Sonicwall (10.0.0.1)
Current ACL
Rule Number: 1
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
Source IP Address.............................. any
Destination IP Address......................... 10.10.10.0
Destination IP Mask............................ 0.0.0.255
Rule Number: 2
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
Source IP Address.............................. 10.10.10.0
Source IP Mask................................. 0.0.0.255
Destination IP Address......................... any
Current route output (omitted the several other VLAN routes as they were noted above):
console#show ip route
Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, S - Static
B - BGP Derived, IA - OSPF Inter Area
E1 - OSPF External Type 1, E2 - OSPF External Type 2
N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2
S 0.0.0.0/0 [1/0] via 10.10.0.1, vlan 1
C 10.10.0.0/24 [0/1] directly connected, vlan 1
Thanks so much for taking the time to have a look.
01-21-2013 08:42 PM
Can you post the whole config of your switch? That helps to give you a better solution.
You can use something like the below.
Rule 1 and Rule 2 - permit traffic to and from the 10.10.10 network
Rule 3 - blocks traffic initiating from the 10.10.96.0-10.10.127.0 networks to the 10.10.0.0 network (all your networks)
Rule 4 - blocks traffic initiating from the 10.10.128.0-10.10.256.0 networks to the 10.10.0.0 network (all your networks)
Rule 5 - blocks traffic initiating from the 10.10.0.0 network to the 10.10.96.0-10.10.127.0 networks
Rule 6 - blocks traffic initiating from the 10.10.0.0 network to the 10.10.128.0-10.10.256.0 networks
Rule 7 - permits traffic from any to any. This allows your internet traffic.
The order of the access-list entries is important, since they are evaluated from top to bottom.
Rule Number: 1
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
Source IP Address.............................. any
Destination IP Address......................... 10.10.10.0
Destination IP Mask............................ 0.0.0.255
Rule Number: 2
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
Source IP Address.............................. 10.10.10.0
Source IP Mask................................. 0.0.0.255
Destination IP Address......................... any
Rule Number: 3
Action......................................... deny
Match All...................................... FALSE
Protocol....................................... IP
Source IP Address.............................. 10.10.96.0
Source IP Mask................................. 0.0.31.255
Destination IP Address......................... 10.10.0.0
Destination IP Mask............................ 0.0.255.255
Rule Number: 4
Action......................................... deny
Match All...................................... FALSE
Protocol....................................... IP
Source IP Address.............................. 10.10.0.0
Source IP Mask................................. 0.0.255.255
Destination IP Address......................... 10.10.0.0
Destination IP Mask............................ 0.0.127.255
Rule Number: 5
Action......................................... deny
Match All...................................... FALSE
Protocol....................................... IP
Source IP Address.............................. 10.10.0.0
Source IP Mask................................. 0.0.255.255
Destination IP Address......................... 10.10.96.0
Destination IP Mask............................ 0.0.31.255
Rule Number: 6
Action......................................... deny
Match All...................................... FALSE
Protocol....................................... IP
Source IP Address.............................. 10.10.128.0
Source IP Mask................................. 0.0.127.255
Destination IP Address......................... 10.10.0.0
Destination IP Mask............................ 0.0.255.255
Rule Number: 7
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... IP
Source IP Address.............................. any
Destination IP Address......................... any
Siddhartha
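Because these entries are first-match rules with wildcard masks (a 1 bit means "don't care"), it is easy to misjudge which entry a given flow hits. The following added Python check is not from either poster: it encodes the seven rules listed above exactly as written and evaluates sample flows constructed from the requirements in the question (isolated VLANs, the core VLAN 10, and an internet host).

```python
"""Evaluate a first-match IP ACL written with Dell/Cisco-style wildcard masks.

Added example, not from the thread. It encodes the seven rules as listed
above and checks constructed sample flows from the original question.
"""
from ipaddress import IPv4Address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a wildcard mask (1 bits = don't care)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


# "any" is 0.0.0.0 with an all-ones wildcard, i.e. every address matches.
ANY = ("0.0.0.0", "255.255.255.255")

# (action, src, src_wildcard, dst, dst_wildcard), in the order listed above.
ACL = [
    ("permit", *ANY, "10.10.10.0", "0.0.0.255"),                        # rule 1
    ("permit", "10.10.10.0", "0.0.0.255", *ANY),                        # rule 2
    ("deny", "10.10.96.0", "0.0.31.255", "10.10.0.0", "0.0.255.255"),   # rule 3
    ("deny", "10.10.0.0", "0.0.255.255", "10.10.0.0", "0.0.127.255"),   # rule 4
    ("deny", "10.10.0.0", "0.0.255.255", "10.10.96.0", "0.0.31.255"),   # rule 5
    ("deny", "10.10.128.0", "0.0.127.255", "10.10.0.0", "0.0.255.255"), # rule 6
    ("permit", *ANY, *ANY),                                             # rule 7
]


def evaluate(acl, src: str, dst: str):
    """Return (rule_number, action) of the first matching entry.

    Like the switch, an ACL with no matching entry ends in an implicit deny.
    """
    for number, (action, s, sw, d, dw) in enumerate(acl, start=1):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return number, action
    return None, "deny"


# Constructed sample flows; 198.51.100.10 stands in for an internet host.
FLOWS = {
    "vlan90 -> core vlan10": ("10.10.90.5", "10.10.10.20"),
    "core vlan10 -> vlan90": ("10.10.10.20", "10.10.90.5"),
    "vlan90 -> vlan91":      ("10.10.90.5", "10.10.91.7"),
    "vlan200 -> vlan201":    ("10.10.200.5", "10.10.201.9"),
    "vlan90 -> internet":    ("10.10.90.5", "198.51.100.10"),
    "internet -> vlan90":    ("198.51.100.10", "10.10.90.5"),
}

if __name__ == "__main__":
    for name, (src, dst) in FLOWS.items():
        print(f"{name:22} matched rule {evaluate(ACL, src, dst)}")
```

The ACL is stateless, so the reverse direction of every flow has to be walked through the list as well, as the last two constructed flows do.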