Wired Intelligent Edge

  • 1.  ACL to deny IP access from Vlan to dest. Host

    Posted Jul 04, 2011 02:20 AM

    Dear,

    I have a question about setting up an ACL on 5412zl VRRP core switches.

    Requirement:

    Block all Windows clients from Vlan60 from accessing Host 192.168.50.126 (which is connected to Core1 port C19)

     

    Configuration :

    Core1 (default gateway 10.20.0.1 255.255.255.255)

    Default Vlan 1 - 10.0.0.254

    Vlan 50 - Ip add 192.168.50.254

    Vlan 60 - Ip add 192.168.60.254

    Vlan 70 - Ip add 192.168.70.254

     

    Core2 (default gateway 10.20.0.1 255.255.255.255)

    Default Vlan 1 - 10.0.0.253

    Vlan 50 - Ip add 192.168.50.253

    Vlan 60 - Ip add 192.168.60.253

    Vlan 70 - Ip add 192.168.70.253

     

     

    Test / Result:

    1.) Create a standard ACL "Deny-60"
    ip access-list standard "Deny-60"
    10    deny 192.168.60.0 0.0.0.255
    20    permit any
    exit

    Assigned to interface C19
    Result: causes all incoming packets (all VLANs) to the dest. port to be denied.
    Result: after adding line 20 it resumes normal and allows all incoming packets (all VLANs) to the dest. port.

    2.) Create an extended ACL "Deny-V60"
    ip access-list extended "Deny-V60"
    10    deny ip 192.168.60.0 0.0.0.255 192.168.50.126 0.0.0.0
    20    permit ip any any
    exit

    Assigned to Vlan 50 (Vlan 50 ip access-group Deny-V60 in)
    Result: causes all incoming packets (all VLANs) to all hosts under Vlan 50 to be denied.
    Result: after adding line 20 it resumes normal and allows all incoming packets (all VLANs) to all hosts under Vlan 50.

    Assigned to Vlan 60 (Vlan 60 ip access-group Deny-V60 out)
    Result: causes all in/out packets from the Vlan 60 segment to any host to be denied.
    Result: after adding line 20 it resumes normal and allows all in/out packets from Vlan 60.

    We have no idea how to set up the ACL any more!!!


  • 2.  RE: ACL to deny IP access from Vlan to dest. Host

    Posted Jul 04, 2011 10:52 AM

    Hi Aaron

     

    1). In which direction did you apply the ACL ? In or out ?

    2). For this one

    Assigned to Vlan 50 (Vlan 50 ip access-group Deny-V60 in)
    Result: causes all incoming packets (all VLANs) to all hosts under Vlan 50 to be denied.
    Result: after adding line 20 it resumes normal and allows all incoming packets (all VLANs) to all hosts under Vlan 50.

     

    -- Try the outbound direction. Since your ACL read Permit deny 60 to 50

     

    Assigned to Vlan 60 (Vlan 60 ip access-group Deny-V60 out)
    Result: causes all in/out packets from the Vlan 60 segment to any host to be denied.
    Result: after adding line 20 it resumes normal and allows all in/out packets from Vlan 60.

     

    -- Try the inbound direction. Since your ACL read Permit deny 60 to 50

     

    HTH

    Gerhard



  • 3.  RE: ACL to deny IP access from Vlan to dest. Host

    Posted Jul 04, 2011 11:46 PM

    Hi Gerhard,

     

    Thanks for your reply!

     

    Did you mean I need to apply both in/out direction on Vlan 50 & Vlan 60 ?

     

    Like this ?

     

    vlan 50
       name "VLAN50"
       untagged A2-A13,A17-A19,A21-A24,B2-B13,B17-B19,B22-B23,C1-C4,C7-C13,C17-C19,C21,C23,K3-K4,Trk21
       ip address 192.168.50.254 255.255.255.0
       tagged C20,Trk1-Trk5,Trk8,Trk10,Trk13-Trk14
       jumbo
       ip access-group Deny-V60 in
       ip access-group Deny-V60 out
       exit
    vlan 60
       name "VLAN60"
       untagged A20
       ip helper-address 192.168.50.200
       ip helper-address 192.168.50.201
       ip address 192.168.60.254 255.255.255.0
       tagged C20,Trk1-Trk2,Trk5,Trk8,Trk10
       jumbo
       ip access-group Deny-V60 in
       ip access-group Deny-V60 out
       exit

     

    thx

    Aaron



  • 4.  RE: ACL to deny IP access from Vlan to dest. Host

    Posted Jul 05, 2011 04:59 AM

    Hi Aaron

     

    You can either

    1). Apply it on vlan 50 on the outbound direction

    2). Apply it on vlan 60 in the inbound direction

     

    Or you can do both 1 and 2.

     

    HTH

    Gerhard
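A small model, added here and not code from the thread or from HP's switches, of the two things the posts above turn on: why ACL "Deny-V60" with only line 10 denies everything (first-match evaluation ends in an implicit deny), and why the binding direction decides which packets the ACL ever sees. The in/out semantics, the ANY and HOST helpers and the sample flows are simplified assumptions for illustration only.

```python
import ipaddress

# Added illustration (not the thread's or HP's code): first-match ACL evaluation
# with wildcard masks, the implicit deny, and a simplified in/out direction model.

ANY = ("0.0.0.0", "255.255.255.255")   # constructed helper: wildcard "any"
HOST = "0.0.0.0"                        # wildcard that matches exactly one host


def wildcard_match(addr, base, wildcard):
    """Bits set in the wildcard are 'don't care'; all other bits must equal the base."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def evaluate(acl, src, dst):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for action, (s_base, s_wc), (d_base, d_wc) in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return "deny"


# Extended ACL "Deny-V60" from the thread, with and without line 20.
DENY_V60_LINE10_ONLY = [("deny", ("192.168.60.0", "0.0.0.255"), ("192.168.50.126", HOST))]
DENY_V60 = DENY_V60_LINE10_ONLY + [("permit", ANY, ANY)]


def acl_sees(vlan_net, direction, src, dst):
    """Simplified model (assumption): a VLAN ACL applied 'in' sees packets entering the
    router from that VLAN (source inside it); applied 'out' it sees packets the router
    forwards into that VLAN (destination inside it)."""
    net = ipaddress.ip_network(vlan_net)
    return ipaddress.IPv4Address(src if direction == "in" else dst) in net


def forward(acl, vlan_net, direction, src, dst):
    """Fate of one routed packet with `acl` bound to vlan_net in `direction`."""
    if not acl_sees(vlan_net, direction, src, dst):
        return "permit"            # the ACL is never consulted for this packet
    return evaluate(acl, src, dst)


if __name__ == "__main__":
    # Constructed sample flows: a VLAN 60 client, a VLAN 70 client, two VLAN 50 hosts.
    flows = [("192.168.60.10", "192.168.50.126"), ("192.168.60.10", "192.168.50.200"),
             ("192.168.70.10", "192.168.50.126")]
    for binding in (("192.168.60.0/24", "in"), ("192.168.50.0/24", "out"), ("192.168.50.0/24", "in")):
        for src, dst in flows:
            print(binding, src, "->", dst, forward(DENY_V60, *binding, src, dst),
                  "| line 10 only:", forward(DENY_V60_LINE10_ONLY, *binding, src, dst))
```

With line 20 present, only the VLAN 60 to 192.168.50.126 flow is denied; with line 10 alone, every other flow the ACL sees falls through to the implicit deny, which is the "deny all" the first post observed.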



  • 5.  RE: ACL to deny IP access from Vlan to dest. Host

    Posted Jul 05, 2011 05:31 AM

    Hi Gerhard,

     

    I tried both ways, either on Vlan50 or Vlan60.

    1). Apply it on vlan 50 on the outbound direction

    Result: Any host can access any Vlan; it seems there is no filter!

    2). Apply it on vlan 60 in the inbound direction

    Result: All hosts cannot access Vlan60 and all hosts under Vlan60 cannot access any VLAN, but they can ping the gateway (192.168.60.254).

    Actually, I just want to filter those Windows clients from Vlan60 from accessing some hosts in Vlan 50, but the setting causes me to either permit all or deny all.

    Could someone help!!



  • 6.  RE: ACL to deny IP access from Vlan to dest. Host

    Posted Jul 06, 2011 07:06 AM

    Hi Aaron

     

    You have to do it on both switches. I assume the switches are running VRRP. Your clients are pointing at the virtual IP address.

     

    HTH

    Gerhard



  • 7.  RE: ACL to deny IP access from Vlan to dest. Host

    Posted Jul 07, 2011 09:56 PM

    Yes, we have two 5412zl as Core running VRRP, and those clients are pointing at the virtual IP (192.168.xx.254).

    But I tried to run the same ACL on a standalone 3500yl-48G switch with IP routing, to simulate the 5412zl Core configuration for testing, and the result is the same.

    thx!

    Aaron,Jau