09-20-2017 08:04 AM - edited 03-08-2019 12:06 PM
I am trying to apply an ACL that functions as a 'blacklist' as opposed to a 'whitelist'.
The intent is to block specific IPs from accessing an entire VLAN.
This is a temporary solution until I can place a proper firewall between these segments.
After applying the ACL outbound on the VLAN interface, I was still able to reach hosts on the VLAN from hosts included in the object group defined in the DENY rule of the ACL.
Your help is much appreciated.
Thank you.
here is my config:
object-group ip address BlockedIPsObjGroup
10 192.168.14.226/32
20 192.168.15.28/32
30 192.168.15.29/32
40 192.168.15.40/29
ip access-list BlockIPsACL
10 deny ip addrgroup BlockedIPsObjGroup 10.21.0.0/24
20 permit ip any any
interface Vlan21
no shutdown
mtu 9126
ip access-group BlockIPsACL out
ip address 10.21.0.2/24
vrrp 21
priority 90
authentication text ******
address 10.21.0.1
no shutdown
09-20-2017 11:43 AM
Actually, this is working as intended. I just missed a major piece to the puzzle.
Most of the hosts I was trying to Deny are load balanced servers.
These Servers use the LB as their gateway and are NAT'd on the way out behind their virtual service's IP.
That IP wasn't in the list...
Sometimes things are clearer the next day.
Thanks for the help everyone!
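As an added illustration (not code from the thread or from the switch), a small first-match model of the posted object group and ACL, evaluated against the source address before and after the load balancer's NAT. The NAT table and the VIP 192.168.15.100 are constructed placeholders, not addresses from the thread.

```python
# Added example: model how the posted NX-OS ACL evaluates a packet and show why
# traffic that has been NAT'd behind the LB's virtual service IP is not denied.
import ipaddress

# Object group and ACL exactly as posted in the thread.
BLOCKED_IPS = [ipaddress.ip_network(p) for p in (
    "192.168.14.226/32", "192.168.15.28/32",
    "192.168.15.29/32", "192.168.15.40/29")]

# Each ACE: (action, source prefixes or None for "any", destination prefix or None)
BLOCK_IPS_ACL = [
    ("deny", BLOCKED_IPS, ipaddress.ip_network("10.21.0.0/24")),
    ("permit", None, None),
]

def acl_action(acl, src, dst):
    """Return the action of the first ACE matching (src, dst), first match wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_prefixes, dst_prefix in acl:
        src_ok = src_prefixes is None or any(src in p for p in src_prefixes)
        dst_ok = dst_prefix is None or dst in dst_prefix
        if src_ok and dst_ok:
            return action
    return "deny"  # implicit deny at the end of every ACL

def post_nat_source(real_src, nat_table):
    """Source address the SVI actually sees: the LB VIP if NAT'd, else the real host."""
    return nat_table.get(real_src, real_src)

# Constructed NAT table (hypothetical): two load-balanced servers hide behind
# one virtual service IP. 192.168.15.100 is a placeholder VIP, not from the thread.
LB_NAT = {"192.168.14.226": "192.168.15.100", "192.168.15.28": "192.168.15.100"}

def check(real_src, dst="10.21.0.10"):
    """Evaluate the ACL for the pre-NAT and post-NAT source of one host."""
    seen = post_nat_source(real_src, LB_NAT)
    return {"pre_nat": acl_action(BLOCK_IPS_ACL, real_src, dst),
            "post_nat": acl_action(BLOCK_IPS_ACL, seen, dst),
            "source_seen_by_acl": seen}

if __name__ == "__main__":
    for host in ("192.168.14.226", "192.168.15.29", "192.168.15.42"):
        print(host, check(host))
```

The fix implied by the thread is to add the VIP (the source the ACL actually sees) to the object group, or to apply the filter before the NAT point.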
09-20-2017 08:55 AM - edited 09-20-2017 08:58 AM
Hello,
try to change your object group from ip address to network:
object-group network BlockedIPsObjGroup
Actually, try the format below:
object-group network BlockedIPsObjGroup
10 host 192.168.14.226
20 host 192.168.15.28
30 host 192.168.15.29
40 192.168.15.40/29
09-20-2017 11:38 AM
Hello,
the reason I suggested to use 'network' as an object group is that the only examples and documentation I could find was with that option. I don't know if you can mix host addresses and network ranges when 'ip address' is specified, but with the 'network' option, it is explicitly stated that this is possible.
I used the document below for reference:
09-20-2017 11:46 AM
Hello,
glad that you got it resolved, it is easy to miss a piece of the puzzle sometimes...