Examples using PBR between networks

iholdings
Level 1

Network A and network B are connected with routers via WAN. I need to be able to restrict one host (IP) on NetA to a single host in NetB, and not allow the NetA host to access any other hosts in NetA or NetB.

Is PBR something that can do this?

Thanks

5 Replies

Richard Burts
Hall of Fame

Perhaps I am not clear on what you are trying to accomplish. But if the objective is to allow one host (x) on NET A to communicate only with a single host (y) on NET B and not communicate with any other host, then it seems to me that this can be done with access list filtering. I do not see what PBR would do for this.

Note that while access list filtering can certainly prevent host (x) in NET A from communicating with any other host in NET B, it cannot restrict the ability of host (x) to communicate with other hosts in NET A (and PBR would not help with that either). Host (x) does not need to go through the router to get to other hosts in NET A, so the router is not able to restrict that access.

HTH

Rick


Thank you for a prompt reply.

I'm a bit of a noob on this type of scenario. What would ACLs look like on both routers? If I really needed to restrict (x) Net A from accessing other hosts on Net A (not passing through a router), could I configure a VLAN to accomplish this? If so, what ACLs on the routers would accomplish both the Net A restrictions for the (x) host on NetA and the single host (x) Net B?

If you want to restrict a specific host on NET A (x.x.x.x) so that it communicates with a specific host on NET B (y.y.y.y) and not with any other host on NET B, then you would need an access list on the router of NET A, but I do not see any necessity for an access list on the router of NET B.

Should the host on NET A be able to communicate with other networks (access the Internet etc) or is its access limited to only the host on NET B? It makes a difference in how you would write the access list. Assuming that the host should access only the single host on NET B the access list might look something like this:

! Entries are evaluated top-down and the first match wins, so the specific permit comes first
access-list 101 permit ip host x.x.x.x host y.y.y.y
! Everything else sourced from x.x.x.x that reaches the router is dropped
access-list 101 deny ip host x.x.x.x any
! Without this line the implicit "deny ip any any" at the end would block every other host on NET A
access-list 101 permit ip any any

you would apply the access list to the interface on the router where NET A is connected using the command:

ip access-group 101 in

The host in NET A will be able to communicate with other devices in NET A. Since they are in the same subnet the host will simply ARP for the destination address, receive the ARP response, and communicate directly. There is not anything you can do on the router to prevent this. The only way to isolate the host so that it communicates only with the host in NET B and nothing else would be to create a VLAN/subnet in which the host was the only device in the VLAN/subnet. Or you could leave the host in NET A and move all the other devices from NET A into a different network.

HTH

Rick

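The ACL logic in the reply above, as an added example that is not part of the original thread and not Cisco's code: a Python first-match evaluator for the three extended ACL lines Rick posted, including the implicit deny that IOS appends to every access list, plus a check for the point made in the same reply that a packet to a destination in the sender's own subnet is delivered directly after ARP and never reaches an inbound ACL on the LAN interface. The addresses (NET A 10.1.1.0/24 with x = 10.1.1.50, NET B 10.2.2.0/24 with y = 10.2.2.10, and the isolated subnet 10.1.9.0/30 for the VLAN suggestion) are constructed for illustration, and wildcard masks are assumed to be contiguous.

```python
import ipaddress

# Constructed addresses for the scenario in the thread (not from the original post).
NET_A = "10.1.1.0/24"       # LAN interface subnet where the ACL is applied inbound
HOST_X = "10.1.1.50"        # the restricted host on NET A
HOST_Y = "10.2.2.10"        # the only host on NET B that x may reach


def _parse_spec(tok, i):
    """Parse one source/destination field: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    Returns (network, index_of_next_field). Wildcard masks are assumed contiguous."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard_bits = bin(int(ipaddress.ip_address(tok[i + 1]))).count("1")
    return ipaddress.ip_network(f"{tok[i]}/{32 - wildcard_bits}", strict=False), i + 2


def parse_acl(lines):
    """Turn 'access-list N permit|deny ip SRC DST' lines into (action, src_net, dst_net)."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, i = _parse_spec(tok, 4)
        dst, _ = _parse_spec(tok, i)
        entries.append((tok[2], src, dst))
    return entries


def build_acl(host_x, host_y, permit_others=True):
    """The ACL from the reply above, with x.x.x.x / y.y.y.y filled in.
    permit_others=False omits the trailing 'permit ip any any' to show the implicit deny."""
    lines = [
        f"access-list 101 permit ip host {host_x} host {host_y}",
        f"access-list 101 deny ip host {host_x} any",
    ]
    if permit_others:
        lines.append("access-list 101 permit ip any any")
    return parse_acl(lines)


def evaluate_acl(entries, src_ip, dst_ip):
    """IOS semantics: entries are checked top-down, the first match wins, and a packet
    that matches nothing hits the implicit 'deny ip any any' at the end of the list."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def router_verdict(entries, lan_subnet, src_ip, dst_ip):
    """Verdict for a packet sent by a host on lan_subnet, with the ACL applied inbound on
    that LAN interface. A destination inside the same subnet is reached directly after
    an ARP exchange, so the packet never enters the router and the ACL cannot act on it."""
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(lan_subnet):
        return "bypasses router"
    return evaluate_acl(entries, src_ip, dst_ip)


ACL_101 = build_acl(HOST_X, HOST_Y)

if __name__ == "__main__":
    for dst in (HOST_Y, "10.2.2.20", "8.8.8.8", "10.1.1.60"):
        print(f"{HOST_X} -> {dst}: {router_verdict(ACL_101, NET_A, HOST_X, dst)}")
    # Another NET A host is unaffected only because of the trailing permit.
    print("10.1.1.60 -> 10.2.2.20:",
          router_verdict(ACL_101, NET_A, "10.1.1.60", "10.2.2.20"))
    print("same, without 'permit ip any any':",
          evaluate_acl(build_acl(HOST_X, HOST_Y, permit_others=False), "10.1.1.60", "10.2.2.20"))
    # Moving x into its own VLAN/subnet forces its LAN-side traffic through the router.
    x_alone = "10.1.9.2"
    print(f"{x_alone} (own /30) -> 10.1.1.60:",
          router_verdict(build_acl(x_alone, HOST_Y), "10.1.9.0/30", x_alone, "10.1.1.60"))
```

The model mirrors the thread's two points: the ACL only filters what actually traverses the router, and the order of entries plus the trailing permit decides whether other hosts keep working. Changing a single wildcard or swapping the first two entries in build_acl is a quick way to see why Rick put the specific permit first.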

The ACL you provided will serve our purpose. When you say "apply ACL to interface on the router where Net A is connected", is that the LAN or WAN interface on the Net A router?

I really appreciate all of your help with this task. Thanks.

(at this time I don't know if I need to restrict (x) Net A from accessing hosts on Net A)

The ACL would be applied to the LAN interface where NET A is connected.

HTH

Rick
