What do I need, ACL or Policies, to separate 2 VLANs

theleftfoot
Member
Posts: 4
Joined: 27 Aug 2014 09:17

What do I need, ACL or Policies, to separate 2 VLANs

Post by theleftfoot »

Hey guys,

I need your help in the form of an example. I'm in my lab for some testing...

I have 2 VLANs --> VLAN (a) 172.16.0.0/22 and the other VLAN (b) 10.39.0.0/21; both are connected via inter-VLAN routing. I would like to separate the two VLANs for a small security reason.

VLAN (a) should only see the DNS server (10.39.0.100) in VLAN (b). Nothing else should be available, only the DNS server! The other way, VLAN (b) to VLAN (a), should be closed.

What is the easiest way to resolve this issue? With ip access-list or with policies?

I tried the policies:

Code:

 create policy
policy network group labor 172.16.0.0 mask 255.255.252.0
policy network group production 10.39.0.0 mask 255.255.248.0
qos apply
The next step should be
- policy action
- policy condition
- policy rules

Correct?

It would be very useful for me if someone took the time to explain the policies to me...

Cheers, Rafa
theleftfoot
Member
Posts: 4
Joined: 27 Aug 2014 09:17

Re: What do I need, ACL or Policies, to separate 2 VLANs

Post by theleftfoot »

C'mon guys,

Can someone give me an example?

Thanks in advance,

Raffa
dogx010299
Member
Posts: 26
Joined: 06 Feb 2012 02:35

Re: What do I need, ACL or Policies, to separate 2 VLANs

Post by dogx010299 »

Dear Rafa,

policy condition means which item needs to match; in your case it is your network group.

policy action means what action you want to take; in your case it is deny.

policy rule means the whole situation: which condition (matched) with which action (deny).

For example,

I'm trying to block 192.168.1.0/24.
I may use the following commands:
policy condition BLK192 source ip 192.168.1.0 mask 255.255.255.0
policy action BLK deny
policy rule RULE01 condition BLK192 action BLK
qos apply

Any source IP in 192.168.1.0/24 will be blocked on this switch.

Hope this can help you, have a nice day.

Best regards,

Andy
theleftfoot
Member
Posts: 4
Joined: 27 Aug 2014 09:17

Re: What do I need, ACL or Policies, to separate 2 VLANs

Post by theleftfoot »

Thanks Andy,

really appreciate your example.

Will give it a try in the lab and will come back...

Merci, Raffa
theleftfoot
Member
Posts: 4
Joined: 27 Aug 2014 09:17

Re: What do I need, ACL or Policies, to separate 2 VLANs

Post by theleftfoot »

Hey guys,

I resolved my problem... :-)

Thanks Andy for your inputs. Made some tests in the lab and finally resolved my problem!

Here is the code:

Code:

policy network group ICT 192.168.1.0 mask 255.255.252.0
policy network group LABOR 172.16.0.0 mask 255.255.248.0
policy condition ICT_LABOR source network group ICT destination network group LABOR
policy condition LABOR_ICT source network group LABOR destination network group ICT
policy condition ICT_SCCM source network group ICT destination ip 172.16.1.10
policy condition SCCM_ICT source ip 172.16.1.10 destination network group ICT
policy condition ICT_AD_DNS1 source network group ICT destination ip 172.16.1.11
policy condition AD_DNS1_ICT source ip 172.16.1.11 destination network group ICT
policy condition ICT_AD_DNS2 source network group ICT destination ip 172.16.1.12
policy condition AD_DNS2_ICT source ip 172.16.1.12 destination network group ICT
policy action deny disposition deny
policy action permit
policy rule ICT_SCCM condition ICT_SCCM action permit log
policy rule SCCM_ICT condition SCCM_ICT action permit log
policy rule ICT_AD_DNS1 condition ICT_AD_DNS1 action permit log
policy rule AD_DNS1_ICT condition AD_DNS1_ICT action permit log
policy rule ICT_AD_DNS2 condition ICT_AD_DNS2 action permit log
policy rule AD_DNS2_ICT condition AD_DNS2_ICT action permit log
policy rule ICT_LABOR condition ICT_LABOR action deny log
policy rule LABOR_ICT condition LABOR_ICT action deny log

When I scan the network 172.16.0.0/22 I only see the servers that I want to see... all other devices are NOT pingable!

Cheers, Raffa

BTW, if someone has an easier solution or a different workaround, please post it!
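As an added, runnable check that is not part of this thread or of the switch's own tooling: the script below parses a constructed, shortened copy of the final rule set (one consistent LABOR group name, only the DNS1 server exceptions kept) in the condition/action/rule form Andy explained, evaluates sample flows against it, and refuses a condition that references a network group not defined above it. It assumes that the first matching rule in listed order wins and that unmatched traffic is permitted; the switch's real precedence handling should be confirmed on the device.

```python
import ipaddress
ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed, shortened copy of the rule set posted above (not taken from a real switch).
POLICY = """
policy network group ICT 192.168.1.0 mask 255.255.252.0
policy network group LABOR 172.16.0.0 mask 255.255.248.0
policy condition ICT_LABOR source network group ICT destination network group LABOR
policy condition LABOR_ICT source network group LABOR destination network group ICT
policy condition ICT_AD_DNS1 source network group ICT destination ip 172.16.1.11
policy condition AD_DNS1_ICT source ip 172.16.1.11 destination network group ICT
policy action deny disposition deny
policy action permit
policy rule ICT_AD_DNS1 condition ICT_AD_DNS1 action permit log
policy rule AD_DNS1_ICT condition AD_DNS1_ICT action permit log
policy rule ICT_LABOR condition ICT_LABOR action deny log
policy rule LABOR_ICT condition LABOR_ICT action deny log
"""

def parse_policy(text):
    """Turn the CLI lines into (rule name, condition, action) tuples, in listed order."""
    groups, conds, actions, rules = {}, {}, {}, []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:3] == ["policy", "network", "group"]:
            # strict=False: the posted group address has host bits set (192.168.1.0/22)
            groups[t[3]] = ipaddress.ip_network(f"{t[4]}/{t[6]}", strict=False)
        elif t[:2] == ["policy", "condition"]:
            cond, i = {}, 3
            while i < len(t):              # "source ..." / "destination ..." clauses
                if t[i + 1] == "network":  # network group NAME: must be defined first
                    if t[i + 3] not in groups:
                        raise ValueError(f"{t[2]}: undefined network group {t[i + 3]}")
                    cond[t[i]], i = groups[t[i + 3]], i + 4
                else:                      # ip ADDRESS: a single host
                    cond[t[i]], i = ipaddress.ip_network(t[i + 2]), i + 3
            conds[t[2]] = cond
        elif t[:2] == ["policy", "action"]:
            actions[t[2]] = "deny" if "deny" in t[3:] else "permit"
        elif t[:2] == ["policy", "rule"]:
            rules.append((t[2], conds[t[4]], actions[t[6]]))
    return rules

def evaluate(rules, src, dst, default="permit"):
    """Assumption: first matching rule in listed order wins; unmatched flows get the default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, cond, action in rules:
        if s in cond.get("source", ANY) and d in cond.get("destination", ANY):
            return name, action
    return None, default
```

Running `evaluate(parse_policy(POLICY), "192.168.1.50", "172.16.2.7")` returns the deny rule, while the same source to 172.16.1.11 hits the permit rule first, which is the split the thread set out to get.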

Return to “OmniSwitch 6450”