Friday, November 27, 2020

Need help with ACL on Cisco 3850

Hi all,

I have set up some ACLs to block inter-VLAN traffic, but something is not working. I would like to have your kind guidance.

The network diagram is simple as below:

Firewall > Cisco 3850 > Endpoints

Vlan10 (10.50.10.0/23) is my data network.

Vlan50 (192.168.50.0/24) is my isolated network.

I have a reverse static route on my firewall for Vlan50 to have Internet access.

192.168.50.0/24 > LAN interface > 10.50.10.5

This is the configuration on my switch:

interface Vlan10
 ip address 10.50.10.5 255.255.254.0
end

interface Vlan50
 ip address 192.168.50.5 255.255.255.0
 ip access-group RED_ACL in
end

sh access RED_ACL
Extended IP access list RED_ACL
    10 deny ip 192.168.50.0 0.0.0.255 10.50.0.0 0.0.1.255
    100 permit ip 192.168.50.0 0.0.0.255 any

The above configuration works well to block Vlan50 from talking to Vlan10.

But I want to make sure that Vlan10 would not be able to talk to Vlan50. So I created the ACL below:

sh access GREEN_ACL
Extended IP access list GREEN_ACL
    10 deny ip 10.50.10.0 0.0.1.255 192.168.50.0 0.0.0.255
    100 permit ip 10.50.10.0 0.0.1.255 any

interface Vlan10
 ip address 10.50.10.5 255.255.254.0
 ip access-group GREEN_ACL in
end

Somehow, after applying the ACL to Vlan10, it would lose network connectivity. A user in Vlan10 can't ping the gateway 10.50.10.5.

I tried changing the ACL to the one below; that regains access to Vlan10, but there is no Internet access....

sh access GREEN_ACL
Extended IP access list GREEN_ACL
    10 permit ip any 10.50.10.0 0.0.1.255
    100 permit ip 10.50.10.0 0.0.1.255 any

I am wondering what I am doing wrong.
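As an added illustration (not code from the post), the following evaluator applies Cisco wildcard-mask matching to the ACL entries quoted above, first match wins with the implicit deny at the end, so you can see which line a given inbound flow on the SVI hits. The host addresses and sample flows are constructed; the ACL lines are copied as printed in the post.

```python
import ipaddress

def wildcard_for(cidr: str) -> str:
    """Wildcard mask for a prefix, e.g. 10.50.10.0/23 -> 0.0.1.255."""
    return str(ipaddress.ip_network(cidr, strict=False).hostmask)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care

def _take(toks):
    """Consume one address spec: 'any', 'host X' or 'X WILDCARD'."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]

def parse_ace(line: str):
    """Parse 'SEQ ACTION ip SRC DST' as printed by 'show access-list'."""
    toks = line.split()
    seq, action, proto = int(toks[0]), toks[1], toks[2]
    src, rest = _take(toks[3:])
    dst, _ = _take(rest)
    return seq, action, proto, src, dst

def evaluate(acl_lines, src_ip: str, dst_ip: str):
    """First match wins; falls through to the implicit 'deny ip any any' (seq None)."""
    for line in acl_lines:
        seq, action, _proto, (s, swc), (d, dwc) = parse_ace(line)
        if wildcard_match(src_ip, s, swc) and wildcard_match(dst_ip, d, dwc):
            return action, seq
    return "deny", None

# The ACLs exactly as printed in the post.
RED_ACL = ["10 deny ip 192.168.50.0 0.0.0.255 10.50.0.0 0.0.1.255",
           "100 permit ip 192.168.50.0 0.0.0.255 any"]
GREEN_ACL = ["10 deny ip 10.50.10.0 0.0.1.255 192.168.50.0 0.0.0.255",
             "100 permit ip 10.50.10.0 0.0.1.255 any"]

if __name__ == "__main__":
    # Constructed sample flows; the host addresses are hypothetical.
    for s, d in [("10.50.10.20", "10.50.10.5"), ("10.50.10.20", "192.168.50.10"),
                 ("0.0.0.0", "255.255.255.255")]:
        print(f"GREEN_ACL {s} -> {d}: {evaluate(GREEN_ACL, s, d)}")
```

The 0.0.0.0 -> 255.255.255.255 case models a DHCP DISCOVER arriving inbound on the SVI; an ACL whose only permits are sourced from 10.50.10.0/23 lets it fall to the implicit deny, which is worth checking whenever an inbound SVI ACL appears to cut a VLAN off.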
