
ACL to separate networks

Posted: 07 Jul 2011 02:41
by telephonist
Hi!

I'm trying to separate users from servers. For servers I use the 10.10.0.0/24 net. For management the 10.10.x.0/24 net. For user traffic I use 10.x.x.0/24 nets.

The OS6850 is routing user traffic to DG 10.10.0.2. How do I close access to 10.10.0.0/24 (except 10.10.0.2) and to 10.10.x.0/24?

Thanks!

Re: ACL to separate networks

Posted: 31 Aug 2011 12:11
by telephonist
Still trying to create this ACL. Completely at a dead end. Please help!

Re: ACL to separate networks

Posted: 20 Sep 2011 03:05
by usmanikf
Create the policy:

>policy network group srvfarm 10.10.0.0 mask 255.255.255.0
>policy network group manage 10.10.X.0 mask 255.255.255.0
>policy condition c1 source network group srvfarm destination network group manage
>policy action a1 disposition drop
>policy rule r1 condition c1 action a1
>qos apply

Re: ACL to separate networks

Posted: 21 Sep 2011 03:58
by one6f
Hi telephonist,

If this is still relevant today, here are some suggestions.
To separate Users we can join Server and Management together in the network group srv_mgmt 10.10.0.0 mask 255.255.0.0.
I did not quite understand where the gateway for Users is (10.10.0.2? because this is a Server subnet), but it doesn't matter; you can still change this config according to your requirements.
Option 1.

qos enable
policy network group gw  10.10.0.2
policy network group srv_mgmt  10.10.0.0 mask 255.255.0.0
policy network group users  10.1.0.0 mask 255.255.255.0 10.1.1.0 mask 255.255.255.0 10.1.2.0 mask 255.255.255.0
policy condition gw_users source network group gw destination network group users
policy condition srv_mgmt_users source network group srv_mgmt destination network group users
policy condition users_gw source network group users destination network group gw
policy condition users_srv_mgmt source network group users destination network group srv_mgmt
policy action allow
policy action deny disposition deny
policy rule users_gw precedence 160 condition users_gw action allow
policy rule gw_users precedence 150 condition gw_users action allow
policy rule users_srv_mgmt precedence 140 condition users_srv_mgmt action deny
policy rule srv_mgmt_users precedence 130 condition srv_mgmt_users action deny
qos apply

You can also use this network group for Users (and extend accordingly):

policy network group users  10.1.0.0 mask 255.255.0.0 10.2.0.0 mask 255.255.0.0 10.3.0.0 mask 255.255.0.0

Option 2.
Instead of blocking Users, you can block Any and use established connections for Server and Management:

policy network group allow_gw  10.10.0.2
policy network group srv_mgmt  10.10.0.0 mask 255.255.0.0
policy condition allow_gw_any source network group allow_gw destination ip Any
policy condition any_allow_gw source ip Any destination network group allow_gw
policy condition any_srv_mgmt source ip Any destination network group srv_mgmt
policy condition any_srv_mgmt_est source ip Any destination network group srv_mgmt established
policy condition srv_mgmt_any source network group srv_mgmt destination ip Any
policy action allow
policy action deny disposition deny
policy rule any_allow_gw precedence 160 condition any_allow_gw action allow
policy rule allow_gw_any precedence 150 condition allow_gw_any action allow
policy rule srv_mgmt_any precedence 140 condition srv_mgmt_any action allow
policy rule any_srv_mgmt_est precedence 130 condition any_srv_mgmt_est action allow
policy rule any_srv_mgmt precedence 120 condition any_srv_mgmt action deny
qos apply

I think this should work.

Re: ACL to separate networks

Posted: 31 Oct 2011 22:14
by telephonist
Hi,

I did some redesign of my IP distribution. I've moved all O&M to 172.20.0.0/16, so now the task is just to separate USERS 10.10.x.x from 172.20.0.0/16.
Can I do it like this:

create policy
policy network group manage 172.20.0.0 mask 255.255.0.0
policy network group users  10.10.0.0 mask 255.255.0.0
policy condition c1 source network group users destination network group manage
policy action a1 disposition drop
policy rule r1 condition c1 action a1
qos apply

Actually all users are on some ports 1/1, 1/2 etc. Can I block on source PORTs rather than on source IP?

Thanks!

Re: ACL to separate networks

Posted: 01 Nov 2011 14:48
by one6f
Hi,
It will drop IP traffic from 10.10.0.0/16 to 172.20.0.0/16, but not the reverse.
"Actually all users are on some ports 1/1, 1/2 etc. Can I block on source PORTs rather than on source IP?"
Yes, for example:

-> policy port group pgroup1 3/1-2 4/3 5/4 
-> policy condition c2 source port group pgroup1
In this example, a Layer 2 condition (c2) specifies that traffic matches the ports included in the pgroup1 port group. The condition also specifies that the port group is a source group. Any traffic coming in on ports 1 or 2 on slot 3, port 3 on slot 4, or port 4 on slot 5 matches condition c2.
It is also possible to create a port group called UserPorts and add the ports to that group. Note that the UserPorts group applies to both bridged and routed traffic, and it is not necessary to include the UserPorts group in a condition and/or rule for the group to take effect. For more information, please refer to the relevant Network Configuration Guide.
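Added example, not part of the thread or of any Alcatel-Lucent tool: a small first-match simulator that checks the allow/deny outcome of one6f's Option 1 rules and of telephonist's later single-rule design for each traffic direction before they are applied. It assumes that rules with a higher precedence number are evaluated first, that the first match decides, and that traffic matching no rule is allowed by default; the host addresses used in the checks are constructed.

```python
# Added example (not from the thread): a first-match simulator for the OmniSwitch
# policy rules above. Assumed: higher precedence is evaluated first, the first
# match decides, and traffic matching no rule is allowed by default.
from ipaddress import ip_address, ip_network

# Option 1 from one6f's post: groups and (name, precedence, src, dst, action)
OPT1_GROUPS = {"gw": ["10.10.0.2/32"], "srv_mgmt": ["10.10.0.0/16"],
               "users": ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]}
OPT1_RULES = [
    ("users_gw", 160, "users", "gw", "allow"),
    ("gw_users", 150, "gw", "users", "allow"),
    ("users_srv_mgmt", 140, "users", "srv_mgmt", "deny"),
    ("srv_mgmt_users", 130, "srv_mgmt", "users", "deny"),
]
# telephonist's later single-rule design (users 10.10.0.0/16 -> manage 172.20.0.0/16)
REDESIGN_GROUPS = {"manage": ["172.20.0.0/16"], "users": ["10.10.0.0/16"]}
REDESIGN_RULES = [("r1", 0, "users", "manage", "drop")]

def in_group(groups, addr, name):
    """True if addr falls inside any prefix of the named network group."""
    return any(ip_address(addr) in ip_network(p) for p in groups[name])

def evaluate(groups, rules, src, dst):
    """Return (rule name, action) of the first match in precedence order."""
    for name, _prec, sgrp, dgrp, action in sorted(rules, key=lambda r: -r[1]):
        if in_group(groups, src, sgrp) and in_group(groups, dst, dgrp):
            return name, action
    return "default", "allow"

def check_option1(rules=OPT1_RULES):
    """Outcome per direction. The gateway exception only works because users_gw
    (160) outranks users_srv_mgmt (140): 10.10.0.2 is inside srv_mgmt too."""
    cases = {"user->gw": ("10.1.1.20", "10.10.0.2"),      # constructed hosts
             "user->server": ("10.1.1.20", "10.10.0.50"),
             "server->user": ("10.10.0.50", "10.1.1.20"),
             "gw->user": ("10.10.0.2", "10.1.1.20")}
    return {k: evaluate(OPT1_GROUPS, rules, s, d)[1] for k, (s, d) in cases.items()}

def swapped_precedence():
    """OPT1_RULES with the users_gw / users_srv_mgmt precedences exchanged."""
    swap = {"users_gw": 140, "users_srv_mgmt": 160}
    return [(n, swap.get(n, p), s, d, a) for n, p, s, d, a in OPT1_RULES]

def check_redesign():
    """r1 drops users->manage; manage->users still falls through to allow."""
    fwd = evaluate(REDESIGN_GROUPS, REDESIGN_RULES, "10.10.5.9", "172.20.1.1")[1]
    rev = evaluate(REDESIGN_GROUPS, REDESIGN_RULES, "172.20.1.1", "10.10.5.9")[1]
    return fwd, rev
```

Running check_option1(swapped_precedence()) shows the user-to-gateway path being denied, which is why the allow rule for the gateway needs the higher precedence number.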