Network Management

  • 1.  ACL to block access to management vlan

    Posted Oct 09, 2024 01:46 PM

    Hi,

    I am looking to block traffic from my 192.168.59.0/24 network on VLAN 10 (user network) to my 192.168.254.0/24 network on VLAN 255 (management network), except for a couple of specific IP addresses. Since I have to apply this change live, I would like to confirm whether the ACL below is correct.

    ip access-list extended "PROD_TO_MGMT_ACL"
         10 permit ip 192.168.59.36 0.0.0.0 192.168.254.0 0.0.0.255
         20 permit ip 192.168.59.22 0.0.0.0 192.168.254.0 0.0.0.255
         30 permit ip 192.168.59.1 0.0.0.0 192.168.254.0 0.0.0.255
         35 permit ip 192.168.59.2 0.0.0.0 192.168.254.0 0.0.0.255
         40 permit ip 192.168.59.0 0.0.0.255 192.168.59.254 0.0.0.0  (Allow communication within the subnet)
         50 deny ip 192.168.59.0 0.0.0.255 192.168.254.0 0.0.0.255  (Deny all other traffic to the management network)
         60 permit ip any any  (Allow all other traffic, including internet)


  • 2.  RE: ACL to block access to management vlan

    Posted Oct 09, 2024 02:47 PM
    Hi, if applied as an ingress ACL to your VLAN 10 it looks good enough...but...what is the specific reason for the permit ACE number 40?

    40 permit ip 192.168.59.0 0.0.0.255 192.168.59.254 0.0.0.0 (Allow communication within the subnet)

    With the above ACE - I believe - you are trying to basically permit any (IP) traffic between any host belonging to the source 192.168.59.0/24 subnet which is destined to a specific host belonging to that very same subnet (traffic which could be - and de facto is - reached via a non-routed, simply switched communication, given those ACE's sources and that destination).

    Probably the 192.168.59.254 IP address represents the subnet's gateway (VLAN 10 SVI)...if so...through that IP the traffic for any other possible destination is then automatically routed...but any switched traffic occurring just inside (thus within) the subnet will not necessarily hit that IP (if that traffic is not explicitly destined to it).

    Does it make sense?

    IMHO your ACL should work also without the ACE number 40; in other words, I believe that that ACE will never receive any hit (so it is useless).

    Try and look at the ACL permit/deny collected statistics once you make a few permitted/denied traffic attempts (say from a host on that source subnet).

    Do not forget dedicated ICMP (permit) ACEs, eventually.

    Cheers.
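The two posts above reason about which ACE a given packet will hit. The following Python script is an added example (not code from either poster or from any switch vendor) that simulates first-match, wildcard-mask evaluation of the ACL exactly as written in the question, counts hits per ACE, and checks the reply's claim that the ACL gives the same verdicts with and without ACE 40. The flow list is constructed for illustration; it assumes the ACL is applied inbound on VLAN 10 so that only packets sourced from 192.168.59.0/24 are presented to it, and it models only source/destination addresses (every ACE is protocol `ip`, so no port or ICMP type matching is needed).

```python
"""Simulate first-match evaluation of PROD_TO_MGMT_ACL (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass

# ACL text as posted in the question; the trailing parenthetical remarks are omitted
# because they are not part of the configuration syntax.
ACL_TEXT = """
10 permit ip 192.168.59.36 0.0.0.0 192.168.254.0 0.0.0.255
20 permit ip 192.168.59.22 0.0.0.0 192.168.254.0 0.0.0.255
30 permit ip 192.168.59.1 0.0.0.0 192.168.254.0 0.0.0.255
35 permit ip 192.168.59.2 0.0.0.0 192.168.254.0 0.0.0.255
40 permit ip 192.168.59.0 0.0.0.255 192.168.59.254 0.0.0.0
50 deny ip 192.168.59.0 0.0.0.255 192.168.254.0 0.0.0.255
60 permit ip any any
"""

# Constructed test flows (src, dst) representing packets entering VLAN 10 (assumption).
FLOWS = [
    ("192.168.59.36", "192.168.254.10"),   # allowed admin host -> management
    ("192.168.59.2", "192.168.254.200"),   # allowed host -> management
    ("192.168.59.99", "192.168.254.10"),   # ordinary user -> management (should be denied)
    ("192.168.59.99", "203.0.113.7"),      # ordinary user -> internet (documentation prefix)
    ("192.168.59.99", "192.168.59.254"),   # ordinary user -> its own gateway SVI
    ("192.168.59.99", "192.168.59.50"),    # intra-subnet traffic, if the ACL ever sees it
]


@dataclass
class Ace:
    seq: int
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    hits: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def parse_acl(text: str) -> list:
    """Parse '<seq> permit|deny ip <src> <wc> <dst> <wc>' lines; 'any' expands to 0.0.0.0/255.255.255.255."""
    aces = []
    for line in text.strip().splitlines():
        tokens = []
        for tok in line.split():
            tokens.extend(["0.0.0.0", "255.255.255.255"] if tok == "any" else [tok])
        seq, action, proto, src, src_wc, dst, dst_wc = tokens[:7]
        if proto != "ip":
            raise ValueError(f"only 'ip' ACEs are modelled: {line!r}")
        aces.append(Ace(int(seq), action, src, src_wc, dst, dst_wc))
    return sorted(aces, key=lambda a: a.seq)


def evaluate(aces: list, src: str, dst: str) -> tuple:
    """First matching ACE wins; an extended ACL ends with an implicit deny."""
    for ace in aces:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            ace.hits += 1
            return ace.action, ace.seq
    return "deny", None


def run(acl_text: str = ACL_TEXT, flows: list = FLOWS) -> tuple:
    """Return ({flow: (action, seq)}, {seq: hit_count}) for the given ACL and flows."""
    aces = parse_acl(acl_text)
    verdicts = {(s, d): evaluate(aces, s, d) for s, d in flows}
    return verdicts, {a.seq: a.hits for a in aces}


def ace40_is_redundant(flows: list = FLOWS) -> bool:
    """True if removing ACE 40 changes no permit/deny verdict (ACE 50 never matches dst 192.168.59.x)."""
    without_40 = "\n".join(l for l in ACL_TEXT.strip().splitlines() if not l.startswith("40 "))
    v_with, v_without = run(ACL_TEXT, flows)[0], run(without_40, flows)[0]
    return all(v_with[f][0] == v_without[f][0] for f in flows)


if __name__ == "__main__":
    verdicts, hits = run()
    for (s, d), (action, seq) in verdicts.items():
        print(f"{s:>15} -> {d:<15} {action:<6} (ACE {seq})")
    print("hits per ACE:", hits)
    print("ACE 40 redundant:", ace40_is_redundant())
```

Running it shows the ordinary user's packet to the management network stopping at ACE 50 while the listed hosts pass at ACEs 10 to 35. Traffic explicitly addressed to the gateway SVI is the only flow that touches ACE 40, and even that flow would be permitted by ACE 60 anyway, which is why the verdicts are identical with ACE 40 removed. The same approach, feeding real flows and reading the per-ACE hit counters, is what the reply recommends doing on the switch after the change goes live.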