My apologies in advance if this has already been answered.
I have to limit a particular site from reaching other sites via our WAN cloud. I believe the easiest is to "white list" the nets that are allowed and let the implicit deny-all take care of the rest. So my question is this:
stack of 3750G (3) with a WAN VLAN configured
If I apply the following ACL to the VLAN interface (VLAN 10) I should only allow access to the listed networks from the other networks behind the 3750, correct?
ip access-list extended COMP1_TO_COMP2
 remark WAN Router and BGP Peer
 permit ip host 192.168.67.22 host 192.168.67.10
 remark Optimizer
 permit ip any host 192.168.67.20
 remark net_1
 permit ip any 10.1.0.0 0.0.255.255
 remark net_2
 permit ip any 10.10.0.0 0.0.255.255
 remark net_3
 permit ip any 10.40.0.0 0.0.255.255
ip access-list extended COMP2_TO_COMP1
 remark WAN Router and BGP Peer
 permit ip host 192.168.67.10 host 192.168.67.22
What I am trying to accomplish is to restrict all users at this site to only be able to access certain subnets at other sites, and to restrict certain sites from accessing this site. It's a legal thing... So the rest of this config would look like:
ip addr 192.168.67.22
ip addr 10.70.0.1/23
ip addr 10.70.30.1/23
There are no users in VLAN 10 on the WAN router, Optimizer, and the Core. So based on your response I should apply the COMP2_TO_COMP1 ACL on the user subnets as an INBOUND and COMP1_TO_COMP2 as an OUTBOUND on VLAN 10...
10.70.0.0 users and devices should be blocked from accessing certain (100+) other subnets, while being able to access the contractual subnets and resources. 10.1.0.0 10.10.0.0 10.40.0.0 are some of the allowed subnets. I assumed the ACL lines would be written like this:
permit ip 10.1.0.0 0.0.255.255 any -- this would be inbound from the WAN to the 10.70.0.0 subnets
permit ip any 10.1.0.0 0.0.255.255 -- this would be from the site/user to the rest of the world
I'm thinking that ACL 1 should be applied IN on VLAN 10 and ACL 2 applied IN on the user VLANs.
Hope this clarifies...and thank you very much for your help!
So the source of the traffic sits behind that VLAN right?
I certainly prefer to deny on the inbound interface on the WAN interface, but if you want to do it at the VLAN level then yes, you should be good with that! Just remember to allow all the required traffic as this is not a stateful filtering check.
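As an added illustration (not part of the thread), here is a small Python model of how IOS evaluates an extended ACL: first matching entry wins, Cisco wildcard masks decide the match, and anything unmatched hits the implicit deny. It runs the COMP1_TO_COMP2 entries from above against constructed sample flows and shows the point made in the reply: the return packet from 10.1.0.0/16 back to a 10.70.0.0 host matches nothing, so it is dropped unless a separate permit for that direction exists.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_entry(line):
    """Parse 'permit|deny ip <src> <dst>'; each side is 'any', 'host A' or 'A WILDCARD'."""
    tokens = line.split()
    action, rest = tokens[0], tokens[2:]          # tokens[1] is the protocol ('ip')
    def take(tok):
        if tok[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), tok[1:]
        if tok[0] == "host":
            return (tok[1], "0.0.0.0"), tok[2:]
        return (tok[0], tok[1]), tok[2:]
    src, rest = take(rest)
    dst, _ = take(rest)
    return action, src, dst

def evaluate(acl, src, dst):
    """First matching entry wins; a packet that matches no entry hits the implicit deny."""
    for line in acl:
        action, (sn, sw), (dn, dw) = parse_entry(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"

# The COMP1_TO_COMP2 entries from the thread (remarks omitted).
COMP1_TO_COMP2 = [
    "permit ip host 192.168.67.22 host 192.168.67.10",
    "permit ip any host 192.168.67.20",
    "permit ip any 10.1.0.0 0.0.255.255",
    "permit ip any 10.10.0.0 0.0.255.255",
    "permit ip any 10.40.0.0 0.0.255.255",
]

if __name__ == "__main__":
    # Constructed sample flows: a 10.70.0.0 user to an allowed net, to a non-allowed net,
    # and the reply packet of the allowed flow coming back the other way.
    for src, dst in [("10.70.0.50", "10.1.5.5"), ("10.70.0.50", "10.20.5.5"),
                     ("10.1.5.5", "10.70.0.50")]:
        print(f"{src:>14} -> {dst:<14} {evaluate(COMP1_TO_COMP2, src, dst)}")
```

The third flow prints "deny", which is why the poster's separate inbound entry `permit ip 10.1.0.0 0.0.255.255 any` is needed for the return direction.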