Examples using PBR between networks

Answered Question
May 19th, 2009

Network A and network B connected with routers via WAN. I need to be able to restrict one host (IP) on NetA to a single host in NetB - and not allow the NetA host to access any other hosts in NetA or NetB.

Is PBR something that can do this?

Thanks

Correct Answer by Richard Burts about 7 years 9 months ago

The ACL would be applied to the LAN interface where NET A is connected.

HTH

Rick

Richard Burts Tue, 05/19/2009 - 11:54

Perhaps I am not clear on what you are trying to accomplish. But if the objective is to allow one host (x) on NET A to communicate only with a single host (y) on NET B and not communicate with any other host, then it seems to me that this can be done with access list filtering. I do not see what PBR would do for this.

Note that while access list filtering can certainly prevent host (x) in NET A from communicating with any other host in NET B, it cannot restrict the ability of host (x) to communicate with other hosts in NET A (and PBR would not help with that either). Host (x) does not need to go through the router to get to other hosts in NET A, so the router is not able to restrict that access.

HTH

Rick

iholdings Wed, 05/20/2009 - 03:31

Thank you for a prompt reply.

I'm a bit of a noob on this type of scenario. What would ACLs look like on both routers? If I really needed to restrict (x) Net A from accessing other hosts on Net A (not passing through a router), could I configure a VLAN to accomplish this? If so - what ACLs on the routers would accomplish both Net A and restrictions for the (x) host on NetA and the single host (x) Net B?

Richard Burts Wed, 05/20/2009 - 03:56

If you want to restrict a specific host on NET A (x.x.x.x) so that it communicates with a specific host on NET B (y.y.y.y) and not with any other host on NET B then you would need an access list on the router of NET A but I do not see any necessity for an access list on the router of NET B.

Should the host on NET A be able to communicate with other networks (access the Internet etc) or is its access limited to only the host on NET B? It makes a difference in how you would write the access list. Assuming that the host should access only the single host on NET B the access list might look something like this:

access-list 101 permit ip host x.x.x.x host y.y.y.y
access-list 101 deny ip host x.x.x.x any
access-list 101 permit ip any any

You would apply the access list to the interface on the router where NET A is connected using the command:

ip access-group 101 in

The host in NET A will be able to communicate with other devices in NET A. Since they are in the same subnet the host will simply ARP for the destination address, receive the ARP response, and communicate directly. There is not anything you can do on the router to prevent this. The only way to isolate the host so that it communicates only with the host in NET B and nothing else would be to create a VLAN/subnet in which the host was the only device in the VLAN/subnet. Or you could leave the host in NET A and move all the other devices from NET A into a different network.

HTH

Rick
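To make the first-match behaviour of the access list above concrete, here is an added example (not from the thread or from Cisco): a small Python evaluator for the three-line ACL that also shows why traffic between two hosts on the same subnet is never seen by the router's inbound ACL. The addresses (10.1.1.0/24 as NET A, 10.2.2.0/24 as NET B, 10.1.1.50 as host x, 10.2.2.80 as host y) are constructed for illustration. It goes slightly beyond the post by also encoding the second variant Rick mentions, where host x should still reach other networks such as the Internet and is only barred from the rest of NET B.

```python
import ipaddress

# Constructed topology (assumptions, not from the original thread).
NET_A = ipaddress.ip_network("10.1.1.0/24")   # NET A LAN behind the NET A router
NET_B = ipaddress.ip_network("10.2.2.0/24")   # NET B LAN across the WAN
HOST_X = ipaddress.ip_address("10.1.1.50")    # the restricted host x.x.x.x
HOST_Y = ipaddress.ip_address("10.2.2.80")    # the only permitted peer y.y.y.y

ANY = ipaddress.ip_network("0.0.0.0/0")       # IOS "any"


def host(ip):
    """IOS 'host a.b.c.d' is shorthand for a /32 match."""
    return ipaddress.ip_network(f"{ip}/32")


# access-list 101 as posted: x may talk only to y and to nothing else.
ACL_101 = [
    ("permit", host(HOST_X), host(HOST_Y)),   # permit ip host x host y
    ("deny",   host(HOST_X), ANY),            # deny   ip host x any
    ("permit", ANY,          ANY),            # permit ip any any
]

# Variant for the case Rick raises: x keeps Internet access but is
# limited to host y inside NET B. Only the deny line changes.
ACL_101_INTERNET_OK = [
    ("permit", host(HOST_X), host(HOST_Y)),   # permit ip host x host y
    ("deny",   host(HOST_X), NET_B),          # deny   ip host x NET_B wildcard
    ("permit", ANY,          ANY),            # permit ip any any
]


def evaluate(acl, src, dst):
    """Walk the entries in order; the first match wins, and a packet that
    matches nothing hits the implicit deny at the end, as on IOS."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in acl:
        if src in s and dst in d:
            return action
    return "deny"


def router_sees(src, dst):
    """An inbound ACL on the NET A LAN interface only sees packets that a
    NET A host sends *to the router*. Two hosts in the same subnet ARP for
    each other and exchange frames directly, so those packets never arrive."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not (src in NET_A and dst in NET_A)


def filter_packet(acl, src, dst):
    """Outcome for a packet from src to dst with `acl` applied 'in' on the
    NET A LAN interface: 'permit', 'deny', or 'forwarded-directly' when the
    router is simply not in the path."""
    if not router_sees(src, dst):
        return "forwarded-directly"
    return evaluate(acl, src, dst)


if __name__ == "__main__":
    cases = [
        (ACL_101, "10.1.1.50", "10.2.2.80"),     # x -> y: permit
        (ACL_101, "10.1.1.50", "10.2.2.81"),     # x -> other NET B host: deny
        (ACL_101, "10.1.1.50", "203.0.113.10"),  # x -> Internet: deny
        (ACL_101_INTERNET_OK, "10.1.1.50", "203.0.113.10"),  # permit
        (ACL_101, "10.1.1.51", "10.2.2.81"),     # any other NET A host: permit
        (ACL_101, "10.1.1.50", "10.1.1.51"),     # x -> NET A host: router not in path
    ]
    for acl, s, d in cases:
        print(f"{s} -> {d}: {filter_packet(acl, s, d)}")
```

The `forwarded-directly` result is the point of Rick's last paragraph: no entry you add to the router will change it, which is why the only fix for intra-NET A isolation is to put host x in its own VLAN/subnet so the router is back in the path.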

iholdings Wed, 05/20/2009 - 04:08

The ACL you provided will serve our purpose. When you say "apply ACL to interface on the router where Net A is connected" - is that the LAN or WAN interface on the Net A router?

I really appreciate all of your help with this task. Thanks.

(at this time I don't know if I need to restrict (x) Net A from accessing hosts on Net A)

Correct Answer
Richard Burts Wed, 05/20/2009 - 04:43

The ACL would be applied to the LAN interface where NET A is connected.

HTH

Rick
