Friday, November 12, 2021

VLAN ACL security - what am I missing here

I have a Netgear M4300 (which might be the biggest issue, we will see). I have the following VLAN config:

1 vlan 1 192.168.1.30 255.255.255.0

2 vlan 2 192.168.2.1 255.255.255.0

My firewall IP is 192.168.1.254 and I have added a static route to 192.168.2.0/24 via 192.168.1.30. This all seems to work as expected as I have a host on 192.168.2.0/24 that I can see from 192.168.1.0/24 and it can see the internet via NAT.

Eventually, what I am trying to do is block access to the VLAN apart from specific hosts/networks to specific hosts/ports in the VLAN. However, before I get there, I am trying to get my head around ACLs on VLANs and I appear to be failing at the first hurdle.

In order to test this, I have applied the following ACL to VLAN 2:

ACL Name: test

Inbound VLAN ID(s): 2

Sequence Number: 10

Action......................................... deny

Match All...................................... False

Protocol....................................... 1(icmp)

Source IP Address.............................. 192.168.1.195

Source IP Wildcard Mask........................ 0.0.0.0

Destination IP Address......................... 0.0.0.0

Destination IP Wildcard Mask................... 0.0.0.0

ACL Hit Count.................................. 0

Sequence Number: 20

Action......................................... permit

Match All...................................... TRUE

ACL Hit Count.................................. 7395

However, I can still ping 192.168.2.65 from 192.168.1.195. Even if I modify the ACL and add the DENY on 192.168.1.0/24, I can still ping 192.168.2.65.

What am I missing here, apart from a decent level of knowledge of how this all works? I feel this should be easy to do, yet it does not work. I want to be able to apply an ACL as described above, but if this doesn't work, I'm dead in the water.

Suggestions?

Thanks
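Added example, not from the original post: a small Python model of an IPv4 ACL with wildcard masks that traces the ping test above under two assumptions, namely Cisco-style wildcard semantics (a 0 bit must match, so destination 0.0.0.0 with wildcard 0.0.0.0 matches only the literal address 0.0.0.0, not "any") and an inbound VLAN ACL being evaluated only on packets the switch receives from hosts in that VLAN. Whether the M4300 behaves this way is an assumption to verify against its documentation, not something the post confirms.

```python
# Added example, not from the original post: models an IPv4 ACL with Cisco-style
# wildcard masks (assumed: 0 bit = must match, 1 = don't care) and assumes an ACL
# bound inbound on a VLAN sees only packets the switch receives from that VLAN.
from ipaddress import IPv4Address

def wildcard_match(addr, rule_addr, wildcard):
    """True when addr and rule_addr agree on every bit that is 0 in wildcard."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (r & care)

def evaluate(acl, pkt):
    """Action and sequence of the first matching rule; implicit deny if none."""
    for r in acl:
        if r.get("match_all"):
            return r["action"], r["seq"]
        if (r["proto"] == pkt["proto"]
                and wildcard_match(pkt["src"], r["src"], r["src_wc"])
                and wildcard_match(pkt["dst"], r["dst"], r["dst_wc"])):
            return r["action"], r["seq"]
    return "deny", None

def simulate(acl, bound_vlan, packets):
    """Evaluate the ACL only on packets that ingress on the VLAN it is bound to."""
    return {p["name"]: evaluate(acl, p) if p["ingress_vlan"] == bound_vlan
            else ("not evaluated", None) for p in packets}

# ACL "test" as shown in the post (constructed from the show output).
ACL_AS_POSTED = [
    {"seq": 10, "action": "deny", "proto": "icmp", "src": "192.168.1.195",
     "src_wc": "0.0.0.0", "dst": "0.0.0.0", "dst_wc": "0.0.0.0"},
    {"seq": 20, "action": "permit", "match_all": True},
]
# Same rule 10 with the destination widened to "any" (wildcard 255.255.255.255).
ACL_DST_ANY = [dict(ACL_AS_POSTED[0], dst_wc="255.255.255.255"), ACL_AS_POSTED[1]]
# Both halves of the ping (constructed): request enters on VLAN 1, reply on VLAN 2.
PING = [
    {"name": "echo-request", "proto": "icmp", "src": "192.168.1.195",
     "dst": "192.168.2.65", "ingress_vlan": 1},
    {"name": "echo-reply", "proto": "icmp", "src": "192.168.2.65",
     "dst": "192.168.1.195", "ingress_vlan": 2},
]

def trace():
    """Compare the ACL as posted with a destination-any rule bound on VLAN 2 and on VLAN 1."""
    return {"as_posted_on_vlan2": simulate(ACL_AS_POSTED, 2, PING),
            "dst_any_on_vlan2": simulate(ACL_DST_ANY, 2, PING),
            "dst_any_on_vlan1": simulate(ACL_DST_ANY, 1, PING)}
```

Calling `trace()` shows the echo request never reaching the VLAN 2 binding at all, and the reply (sourced from 192.168.2.65) falling through to the permit rule, which matches the hit counts in the post; only the destination-any rule bound inbound on VLAN 1 denies the request.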


