02-22-2019 08:12 AM
I want to create an isolated Test vlan (172.16.112.0/24):
Inbound - only allow inbound RDP to any host within the Test vlan
Outbound - deny all so that any hosts in the Test vlan can't contact production
Does the following look correct?
interface Vlan102
description Test Subnet
ip address 172.16.112.1 255.255.255.0
ip access-group FROM-TEST in
ip access-group TO-TEST out
ip access-list extended FROM-TEST
permit tcp 172.16.112.0 0.0.0.255 172.16.0.0 0.0.3.255 log
permit icmp any any log
deny ip any any
ip access-list extended TO-TEST
permit tcp 172.16.0.0 0.0.3.255 172.16.112.0 0.0.0.255 eq 3389
permit icmp any any
deny ip any any
02-22-2019 08:56 AM
Thanks for the reply.
Why is TO-TEST an outbound and FROM-TEST inbound?
ip access-group FROM-TEST in
ip access-group TO-TEST out
Shouldn't this be the other way around?
02-22-2019 11:41 AM - edited 02-23-2019 02:23 AM
Hello
@Joe22 wrote:
I want to create an isolated Test vlan (172.16.112.0/24):
Inbound - only allow inbound RDP to any host within the Test vlan
Outbound - deny all so that any hosts in the Test vlan can't contact production
What is the production vlan subnet? - example 10.10.10.0/24
ip access-list extended test_vlan_acl
remark Isolate test vlan from production
permit tcp 10.10.10.0 0.0.0.255 any eq 3389
deny ip 10.10.10.0 0.0.0.255 any
permit ip any any
ip access-list extended test_vlan_acl_in
remark Isolate test vlan from production
permit tcp any 10.10.10.0 0.0.0.255 eq 3389
deny ip any 10.10.10.0 0.0.0.255
permit ip any any
int vlan 102
ip access-group test_vlan_acl out
ip access-group test_vlan_acl_in in
02-22-2019 11:47 AM - edited 02-22-2019 11:49 AM
172.16.0.0/22 is the production
02-23-2019 02:05 AM - edited 02-23-2019 02:08 AM
An acl applied inbound to your test vlan L3 vlan interface (SVI) controls traffic from the test vlan, i.e. traffic with source IPs of 172.16.112.x.
An acl applied outbound to your test vlan SVI controls traffic with destination IPs of 172.16.112.x.
Your outbound acl should be as you have it in your first post, but as Joe notes you are also allowing ICMP.
Your inbound acl should be -
permit tcp 172.16.112.0 0.0.0.255 eq 3389 172.16.0.0 0.0.3.255 log
to allow the return RDP traffic, i.e. there is no need to allow all TCP traffic as you don't want that according to your original post, and you also need to allow ICMP if that is what you want.
Jon
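To check the direction semantics Jon describes, here is an added example that is not from the thread or from any poster: a small Python evaluator for Cisco-style wildcard-mask ACL entries, loaded with the corrected FROM-TEST/TO-TEST ACLs and the first post's original FROM-TEST for comparison. The function names, the packet dictionaries and the host addresses used in the tests are constructed for this example.

```python
# Constructed example, not from the thread: a minimal evaluator for Cisco-style
# extended ACL entries with wildcard masks, to check what the two ACLs on the
# Vlan102 SVI permit per direction (in = sourced from, out = destined to, the VLAN).
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword
TEST = ("172.16.112.0", "0.0.0.255")    # test VLAN 172.16.112.0/24
PROD = ("172.16.0.0", "0.0.3.255")      # production 172.16.0.0/22

def wildcard_match(addr, net_wc):
    """Cisco wildcard: a 0 bit must match, a 1 bit is 'don't care'."""
    network, wildcard = net_wc
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

# Entry: (action, protocol, src, src_port, dst, dst_port); None means any port.
FROM_TEST = [  # applied 'in': traffic from 172.16.112.x, RDP replies only
    ("permit", "tcp", TEST, 3389, PROD, None),
    ("deny", "ip", ANY, None, ANY, None),
]
TO_TEST = [    # applied 'out': traffic to 172.16.112.x, RDP into the VLAN only
    ("permit", "tcp", PROD, None, TEST, 3389),
    ("deny", "ip", ANY, None, ANY, None),
]
FROM_TEST_ORIGINAL = [  # the first post's version: any TCP towards production
    ("permit", "tcp", TEST, None, PROD, None),
    ("deny", "ip", ANY, None, ANY, None),
]

def evaluate(acl, pkt):
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    for action, proto, src, sport, dst, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], src) and wildcard_match(pkt["dst"], dst)):
            continue
        if (sport is None or pkt["sport"] == sport) and (dport is None or pkt["dport"] == dport):
            return action
    return "deny"

def svi_decision(pkt, acl_in=FROM_TEST, acl_out=TO_TEST):
    """Choose the ACL by the packet's direction through the SVI, as IOS does."""
    if wildcard_match(pkt["src"], TEST):
        return evaluate(acl_in, pkt)    # leaving the test VLAN via the SVI
    if wildcard_match(pkt["dst"], TEST):
        return evaluate(acl_out, pkt)   # entering the test VLAN via the SVI
    return "not routed via Vlan102"

def pkt(proto, src, dst, sport=None, dport=None):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}
```

Passing `acl_in=FROM_TEST_ORIGINAL` to `svi_decision` shows why the first post's inbound ACL is too broad: any TCP flow from the test VLAN to production is permitted, not just RDP replies.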