Working on getting my network segregated a bit to protect us a bit more from having ransomware cryptolock every workstation on our network.
I have a bunch of VLANs that contain user workstations. Presently, every workstation VLAN can talk to every other VLAN.
The goal is the following: User VLANs (example VLAN705) can only communicate with the following other VLANs:
- SERVER Vlan (10.55.55.0 255.255.255.0)
- IT VLAN (10.85.55.0 255.255.255.0)
-
a single host on another VLAN (that single host is 192.168.2.8 255.255.248.0), but not any other hosts on that VLAN.
-
They should also be able to access the internet freely, and the subnet of the router is 10.88.88.0 255.255.255.252.
I've tried umpteen different ACL combos and I can't figure it out. Here's the current ACL I'm working with:
ip access-list extended USERVLANS permit ip 10.55.55.0 0.0.0.255 any permit ip 10.88.88.0 0.0.0.3 any permit ip 10.88.89.128 0.0.0.127 any permit ip 192.168.2.8 0.0.7.255 any deny ip any any int vlan 705 ip access-group USERVLANS in
I know I'm completely screwing this up but idk how.
No comments:
Post a Comment