12-22-2017 11:16 AM - edited 03-08-2019 01:12 PM
Hi,
Thanks in advance!
I am running a Nexus 3k switch. At the moment I have a VLAN 50 with a single ACL on it - Inbound. From my understanding this controls all inbound connections.
If I want to control outbound connections then I need to create another ACL on the same VLAN but just have it OUTBOUND?
Thanks,
12-22-2017 11:30 AM
Hello,
keep in mind that in/out has nothing to do with the direction of the traffic. "In" simply means that the access list is applied to the inside of the interface, that is, traffic is allowed/blocked before traversing the interface. "Out" means just the opposite: traffic already has traversed the interface and is being allowed/blocked there.
Post the ACL you already have, and indicate which traffic you want to allow and which traffic you want to block.
12-22-2017 11:37 AM
OK, so:
VLAN 5 - 192.168.6.x/24
VLAN 4 - 192.168.1.x/24
Right now I have (acl status command):
ACL ISOLATED-VM
Vlan5 - ingress (Router ACL)
Active on interfaces:
Vlan5 - ingress (Router ACL)
What I want is to block VLAN 5 from talking to VLAN 4 (but not the other way; to be more specific, RDP).
I tried:
IPV4 ACL ISOLATED-VM
10 permit ip 172.60.0.0/24 192.168.6.0/24
20 permit ip 192.168.6.0/24 172.60.0.0/24
21 deny tcp 192.168.6.0/24 192.168.1.0/24 eq 3389
22 deny udp 192.168.6.0/24 192.168.1.0/24 eq 3389
170 permit icmp any any
180 permit ip any any
and I tried this as well:
deny ip 192.168.6.14/32 any
and it seems to have no impact.
12-22-2017 12:26 PM
Hello,
try the below:
interface VLAN5
ip address 192.168.6.1 255.255.255.0
ip access-group 101 in
interface VLAN4
ip address 172.60.0.0 255.255.255.0
access-list 101 permit tcp 172.60.0.0 0.0.0.255 192.168.6.0 0.0.0.255 eq 3389 ack
access-list 101 deny tcp 172.60.0.0 0.0.0.255 192.168.6.0 0.0.0.255 eq 3389 syn
access-list 101 permit ip any any
12-22-2017 01:19 PM
So if I get this right, the outbound traffic is
192.168.6.x/24 -> 172.60.0.0/16, and my ACL is applied on VLAN 5 (192.168.6.x),
so my source traffic is 192.168.6.x?
So if I want to block outbound from 192 to 172:
access-list 101 permit tcp 192.168.6.0 0.0.0.255 172.60.0.0 0.0.0.255 eq 3389 ack
access-list 101 deny tcp 192.168.6.0 0.0.0.255 172.60.0.0 0.0.0.255 eq 3389 syn
access-list 101 permit ip any any
12-22-2017 01:40 PM
Hello,
as per your initial request, the ACL blocks VLAN5 (192.168.6.0/24) from talking to VLAN4 (172.60.0.0/24), but allows traffic from VLAN4 to VLAN5. The access list is applied inbound on the VLAN5 interface.
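To make the first-match behaviour and the syn/ack trick concrete, here is an added stateless ACL evaluator (example code, not from Cisco or from anyone in this thread). It walks the ISOLATED-VM list posted above and the VLAN5-ingress syn/ack list from the last post against constructed packets, reporting which line each one hits; the packet and ACE dictionaries are this example's own conventions, and the implicit deny at the end is modelled as (deny, None).

```python
from ipaddress import ip_address, ip_network

def _net(s):
    # 'any' -> 0.0.0.0/0; a bare host -> /32; CIDR passes through unchanged
    if s == "any":
        return ip_network("0.0.0.0/0")
    return ip_network(s if "/" in s else s + "/32")

def parse_ace(line):
    """Parse '<seq> <permit|deny> <proto> <src> <dst> [eq <port>] [syn] [ack]'."""
    tok = line.split()
    rest = tok[5:]
    return {
        "seq": int(tok[0]), "action": tok[1], "proto": tok[2],
        "src": _net(tok[3]), "dst": _net(tok[4]),
        "port": int(rest[rest.index("eq") + 1]) if "eq" in rest else None,
        "flags": {f for f in ("syn", "ack") if f in rest},
    }

def evaluate(acl, pkt):
    """Return (action, seq) of the first matching ACE; no match is the implicit deny."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if ip_address(pkt["src"]) not in ace["src"] or ip_address(pkt["dst"]) not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != pkt.get("dport"):
            continue
        # a flag keyword requires that flag to be set; a SYN/ACK carries both
        if not ace["flags"] <= pkt.get("flags", set()):
            continue
        return ace["action"], ace["seq"]
    return "deny", None

def load(text):
    return [parse_ace(l) for l in text.strip().splitlines()]

# The ACL posted above (ingress on Vlan5, so the sources are VLAN 5 hosts)
ISOLATED_VM = load("""
10 permit ip 172.60.0.0/24 192.168.6.0/24
20 permit ip 192.168.6.0/24 172.60.0.0/24
21 deny tcp 192.168.6.0/24 192.168.1.0/24 eq 3389
22 deny udp 192.168.6.0/24 192.168.1.0/24 eq 3389
170 permit icmp any any
180 permit ip any any
""")
# The replier's syn/ack idea, in the VLAN5-ingress orientation from the last post
RDP_ONE_WAY = load("""
10 permit tcp 192.168.6.0/24 172.60.0.0/24 eq 3389 ack
20 deny tcp 192.168.6.0/24 172.60.0.0/24 eq 3389 syn
30 permit ip any any
""")
```

Because the list is stateless, an RDP SYN from VLAN 5 toward 172.60.0.0/24 stops at line 20 while any packet already carrying ACK passes line 10; a SYN toward 192.168.1.0/24 under ISOLATED-VM is caught by line 21, but a SYN toward 172.60.0.0/24 is permitted by line 20 before any deny is reached.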