I have a Netgear M4300 (which might be the biggest issue, we will see). I have the following VLAN config:
1 vlan 1 192.168.1.30 255.255.255.0
2 vlan 2 192.168.2.1 255.255.255.0
My firewall IP is 192.168.1.254 and I have added a static route to 192.168.2.0/24 via 192.168.1.30. This all seems to work as expected as I have a host on 192.168.2.0/24 that I can see from 192.168.1.0/24 and it can see the internet via NAT.
Eventually, what I am trying to do is block access to the VLAN apart from specific hosts/networks to specific hosts/ports in the VLAN. However, before I get there, I am trying to get my head around ACLs on VLANs and I appear to be failing at the first hurdle.
In order to test this, I have applied the following ACL to VLAN 2:
ACL Name: test
Inbound VLAN ID(s): 2
Sequence Number: 10
Action......................................... deny
Match All...................................... False
Protocol....................................... 1(icmp)
Source IP Address.............................. 192.168.1.195
Source IP Wildcard Mask........................ 0.0.0.0
Destination IP Address......................... 0.0.0.0
Destination IP Wildcard Mask................... 0.0.0.0
ACL Hit Count.................................. 0
Sequence Number: 20
Action......................................... permit
Match All...................................... TRUE
ACL Hit Count.................................. 7395
However, I can still ping 192.168.2.65 from 192.168.1.195. Even if I modify the ACL and add the DENY on 192.168.1.0/24, I can still ping 192.168.2.65.
What am I missing here, apart from a decent level of knowledge of how this all works? I feel this should be easy to do, yet it does not work. I want to be able to apply an ACL as described above, but if this doesn't work, I'm dead in the water.
Suggestions?
Thanks
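A small model of how the posted ACL gets evaluated, added here as an example and not taken from the original post or from Netgear documentation. It assumes Cisco-style wildcard masks (a 0 bit must match, a 1 bit is ignored), that an inbound VLAN ACL only sees frames entering the switch on that VLAN, and an implicit deny at the end of the list; the rules and packets are constructed from the addresses in the post.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco-style wildcard: 0 bits in the wildcard must match, 1 bits are ignored (assumption)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def rule_matches(rule, pkt):
    if rule.get("match_all"):
        return True
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    return (wildcard_match(pkt["src"], *rule["src"])
            and wildcard_match(pkt["dst"], *rule["dst"]))

def evaluate(acl, pkt):
    """First matching rule wins; nothing matching falls through to the implicit deny."""
    for rule in sorted(acl, key=lambda r: r["seq"]):
        if rule_matches(rule, pkt):
            return rule["action"], rule["seq"]
    return "deny", None

def inbound_vlan_check(acl, acl_vlan, pkt):
    """An inbound VLAN ACL only examines frames that enter the switch on that VLAN (assumption)."""
    if pkt["ingress_vlan"] != acl_vlan:
        return "not evaluated", None
    return evaluate(acl, pkt)

# The ACL as shown in the post: destination 0.0.0.0 with wildcard 0.0.0.0 is an
# exact match on 0.0.0.0, not "any", so sequence 10 can never hit real traffic.
ACL_AS_POSTED = [
    {"seq": 10, "action": "deny", "proto": 1,
     "src": ("192.168.1.195", "0.0.0.0"), "dst": ("0.0.0.0", "0.0.0.0")},
    {"seq": 20, "action": "permit", "match_all": True},
]
# Same ACL with the destination written as "any" (wildcard 255.255.255.255).
ACL_DST_ANY = [
    {"seq": 10, "action": "deny", "proto": 1,
     "src": ("192.168.1.195", "0.0.0.0"), "dst": ("0.0.0.0", "255.255.255.255")},
    {"seq": 20, "action": "permit", "match_all": True},
]

# Constructed packets: the echo request enters the switch on VLAN 1 and is routed
# to VLAN 2; only the echo reply from 192.168.2.65 actually ingresses on VLAN 2.
ECHO_REQUEST = {"src": "192.168.1.195", "dst": "192.168.2.65", "proto": 1, "ingress_vlan": 1}
ECHO_REPLY = {"src": "192.168.2.65", "dst": "192.168.1.195", "proto": 1, "ingress_vlan": 2}
```

Run against the constructed packets, the posted ACL permits the request at sequence 20 (matching the hit counts shown), the "any" variant would deny it, but neither is consulted for the request when bound inbound on VLAN 2, because the request never ingresses there.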