Wired Intelligent Edge

Hi,

I need to apply some ACLs to block the users' subnet (192.168.77.0) from reaching out to the server's network (192.168.1.0) but allow them to access some Ports on the Servers and be able to use the Internet. What is the proper way to do that?

1. 192.168.1.0 (VLAN 1 Server, Core Switch and Firewall Subnet)

2. 192.168.1.1 (Core Switch)

3. 192.168.1.2 (Internet Firewall)

4. 192.168.5.1 (Management VLAN 5, Core and Access Switches)

5. 192.168.77.0 (VLAN 77 Users' Subnet)

5. 192.168.77.1 (Users PCs' Default Gateway)

6. 192.168.5.1 (Access Switches' Default Gateway, VLAN 1 Disabled)

Thanks.

Hi, not having specified which type of switch you're referring to I could only gave you generic few tips: apply ACL near to the source of the traffic (thus apply it to manage traffic of user's subnet 192.168.77.0) and, since ACL are generally stateless (on HPE/Aruba switches) start with on direction (traffic egressing the VLAN to "rest of the world")...this will translate to create an ACL which:

(1) permit 192.168.77.0 subnet to connect (IP or specific protocol/port <- it's up to your requirements) to specific destinations on Servers' subnet.

(2) deny 192.168.77.0 subnet to connect to any other internal segment (VLAN)    

(3) permit 192.168.77.0 subnet to connect to any other network which is not denied before

(4) apply such ACL to the VLAN on the incoming direction (seen from the SVI interface on the routing Switch)

Clearly this applies if your Switch is the router for your network segments (subnets). Is it?

Then one could evaluate the case to create an ACL protecting the Server's subnet...but that is just an another step.

Pay attention on where you are to avoid locking you out.

Thanks for the reply.

Yes, it is the router and the model is 5400Rzl2.