
Forum Discussion

SaschaNees
Aspirant
Mar 04, 2025

IP ACL within a VLAN

Hi Community.

 

I want to block traffic within an IP range in a VLAN to prevent clients from communicating with each other in the VLAN itself, where the .254 IP address is the gateway of this network.

 

Example:

ip access-list ACL_VLAN_92
permit ip 10.0.92.254 255.255.255.255 10.0.92.0 255.255.255.0 log
permit ip 10.0.92.0 255.255.255.0 10.0.92.254 255.255.255.255 log
deny ip 10.0.92.0 255.255.255.0 10.0.92.0 255.255.255.0 log
permit ip 10.0.92.0 255.255.255.0 0.0.0.0 0.0.0.0 log
exit

ip access-group ACL_VLAN_92 vlan 92 in 1

 

Description:

line 2: permit all the traffic FROM the gateway into the VLAN (gateway delivers DHCP & DNS & NTP)

line 3: permit all the traffic TO the gateway - same reason

line 4: deny the traffic in the VLAN to prevent client communication, as we know it from most Wi-Fi environments, where client communication in the Wi-Fi is prohibited.

line 5: allow all other traffic to other networks routed by the gateway .254

 

Unfortunately the notation doesn't work: it blocks all traffic. Can you assist? And where can I find the mentioned logs?

Thanks in advance for your help.

Sascha

2 Replies

  •
    schumaku
    Guru - Experienced User

    Hallo Sascha,

     

    This is the typical confusion of subnet masks vs. wildcards in any kind of ACL; it has existed since any kind of network ACL and filtering were introduced.

     

    ===

     

    Take a position where you have a VERY structured IP addressing scheme based on 10.0.0.0, and you use the middle two octets to signify where the network is, and what type of network.

     

    Using the high half of the second octet is north, the low half south, and use even numbers for private networks and odd for public. The third octet being odd means it is a wireless network.

     

     

    You want to permit private wireless in the south.

     

    That's 10.0xxxxxx0.xxxxxxx1.don't care

     

    or access it per ip 10.0.1.0 0.129.1.255, simply all those conditions in one line of an access list.

     

    TBH I quite like it as it is, but I have been working with it for a number of years so am familiar. What this all means is that I can see that it is a mask, and that it is legit (a mask must be contiguous, so allowed values are 128, 192, 224, 240, 248, 252, 254 and 255), or that it is a wildcard. The way it gets presented makes it obvious as well.

     

    10.23.0.0 255.255.0.0 is *clearly* a mask.

    0.0.23.46 255.255.0.0 is clearly a wild card, as the bits that are a 1 in the wildcard are zero in the "address".

     

    It may look confusing, but once you get the hang, it makes sense.

    ===

     

    Yes, it's a step from IP subnetting to filtering. I hope this clarifies things.

     

    Regards,

    -Kurt.

     

    •
      SaschaNees
      Aspirant

      Hello Kurt


      Thanks for your message, but to be honest I don't understand anything. I'm experienced with HP Aruba, but these NETGEAR switches work completely differently regarding ACLs.

       

      What do you mean with north, south or the wildcard stuff? My intention is not to use wildcards. I want to clearly regulate that clients can only communicate with the gateway (10.0.92.254) and that communication with other clients in this IP range (10.0.92.0/24) within this VLAN (VLAN 92) is prevented.

       

      Sorry for my lack of understanding.

      Best regards,

      Sascha
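The point Kurt is making can be checked offline. On NETGEAR's managed-switch CLI (as on Cisco), the second field of each address pair in an ACL is a wildcard mask, not a subnet mask: a 1 bit means "don't care", a 0 bit must match. Read that way, the posted ACL only ever matches addresses whose last octet is 0, which is why everything falls through to the implicit deny. The script below is an added example written for this thread, not NETGEAR code or anything posted by Sascha or Kurt. It implements wildcard matching with first-match-wins and an implicit deny, runs the ACL exactly as posted and a corrected wildcard version against a few constructed flows, and includes a subnet-mask-to-wildcard converter. It models only source and destination IPv4 addresses (no protocol or ports). The extra permit for 0.0.0.0 to 255.255.255.255 in the corrected list is an assumption added here: a client's DHCP DISCOVER has no source address yet, so the /24 rules never match it.

```python
"""Toy evaluator for NETGEAR/Cisco-style IP ACLs that use wildcard masks.

Added example for this thread, not NETGEAR code. It models only source and
destination IPv4 addresses (no protocol or ports) and the implicit deny at
the end of every list. All sample traffic below is constructed.
"""
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def subnet_to_wildcard(mask: str) -> str:
    """Invert a subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ _to_int(mask)))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit means 'don't care', a 0 bit must match."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) ^ _to_int(base)) & care == 0


def parse_acl(text: str):
    """Keep only permit/deny lines; fields: action proto src swild dst dwild ..."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts and parts[0] in ("permit", "deny"):
            action, _proto, src, swild, dst, dwild = parts[:6]
            rules.append((action, src, swild, dst, dwild))
    return rules


def evaluate(rules, src: str, dst: str) -> str:
    """First matching rule wins; no match -> implicit deny."""
    for action, s, sw, d, dw in rules:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny (implicit)"


# The ACL exactly as posted. Read as wildcards, 255.255.255.255 means
# "any host" and 255.255.255.0 means "any address whose last octet is 0".
POSTED_ACL = """
ip access-list ACL_VLAN_92
permit ip 10.0.92.254 255.255.255.255 10.0.92.0 255.255.255.0 log
permit ip 10.0.92.0 255.255.255.0 10.0.92.254 255.255.255.255 log
deny ip 10.0.92.0 255.255.255.0 10.0.92.0 255.255.255.0 log
permit ip 10.0.92.0 255.255.255.0 0.0.0.0 0.0.0.0 log
exit
"""

# Same intent with wildcard masks. The 0.0.0.0 -> 255.255.255.255 line is
# an assumption added here for DHCP DISCOVER (no source address yet); on the
# real switch narrow it to UDP/67 rather than permitting all IP.
CORRECTED_ACL = """
ip access-list ACL_VLAN_92
permit ip 10.0.92.254 0.0.0.0 10.0.92.0 0.0.0.255 log
permit ip 10.0.92.0 0.0.0.255 10.0.92.254 0.0.0.0 log
permit ip 0.0.0.0 0.0.0.0 255.255.255.255 0.0.0.0 log
deny ip 10.0.92.0 0.0.0.255 10.0.92.0 0.0.0.255 log
permit ip 10.0.92.0 0.0.0.255 0.0.0.0 255.255.255.255 log
exit
"""

# Constructed test traffic: (description, src, dst)
SAMPLE_FLOWS = [
    ("client -> gateway", "10.0.92.10", "10.0.92.254"),
    ("gateway -> client", "10.0.92.254", "10.0.92.10"),
    ("client -> client", "10.0.92.10", "10.0.92.20"),
    ("client -> internet", "10.0.92.10", "8.8.8.8"),
    ("DHCP discover", "0.0.0.0", "255.255.255.255"),
]


def verdicts(acl_text: str) -> dict:
    """Map each sample flow to the action the ACL would take on it."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, s, d) for name, s, d in SAMPLE_FLOWS}


if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("corrected", CORRECTED_ACL)):
        print(f"--- {label} ---")
        for name, verdict in verdicts(acl).items():
            print(f"{name:20s} {verdict}")
```

Running it shows the posted list denying every real flow (only the DHCP DISCOVER slips through its second line, because 0.0.0.0 happens to end in .0), while the corrected list permits client-to-gateway, gateway-to-client and client-to-internet and denies client-to-client. Two caveats the model does not cover: an IP ACL never sees ARP, so clients on the same VLAN can still discover each other at layer 2 (that needs a MAC ACL or port isolation on the switch), and the deny line also stops client broadcasts such as mDNS within the VLAN, which is usually what is wanted here.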
