New Member
Posts: 5
Registered: 2 weeks ago

ES24 access-list/group VLAN - no access to subnet

 

My intention is to grant access for 192.168.180.0/24 (vlan 10) to 192.168.110.0/24 (vlan 110)

ip access-list VLAN110
permit ip 192.168.180.0 0.0.0.255 192.168.110.0 0.0.0.255
deny ip any any
exit

ip access-group VLAN110 vlan 110 in

 

Unfortunately, after applying the access-list/group I can't reach the 192.168.110.0/24 from 192.168.180.0/24. Just the gateway interface of vlan 110 (192.168.110.2) will answer to ping. I guess this is by intention?


There is no other ACL in place.

 

interface vlan 10
description 'DATA'
routing
ip address 192.168.180.2 255.255.255.0
exit
interface vlan 110
routing
ip address 192.168.110.2 255.255.255.0
exit


Any idea?


Ubiquiti Employee
Posts: 2,657
Registered: ‎05-08-2017
Kudos: 464
Solutions: 384

Re: ES24 access-list/group VLAN - no access to subnet

[ Edited ]

Hi @mschmitter, welcome to the Community!

 

Your ACL is applied on the wrong VLAN. If you want to allow 192.168.180.0/24 to access 192.168.110.0/24, the ACL needs to be applied on the VLAN10 interface in the ingress/in direction.

 

We have a help-center article on limiting Inter-VLAN traffic here.

 

-Ben

 


 

Ben Pin | Ubiquiti Support

New Member
Posts: 5
Registered: 2 weeks ago

Re: ES24 access-list/group VLAN - no access to subnet

Hi @UBNT-benpin,

 

thanks for your help.

 


We have a help-center article on limiting Inter-VLAN traffic here.

 

Believe me! I did make use of it. However, unfortunately, I guess I have some trap in my way of thinking. I thought I might configure VLAN110 to define what is allowed to come in(gress). Appears to be more reasonable.

 

Based on your suggestion: This will mean I need to attach the ACL to any of my VLANs (around 8) to prevent ingress to VLAN 110 and its subnet? Is there any way to turn around the logic?

 

The intention is to just let VLAN10 with subnet 192.168.180.0/24 ingress to VLAN 110 and 192.168.110.0/24. All other subnets and VLANs must be dropped.

 

Is there any better/global way to do this?

 

Cheers

 

Martin

Ubiquiti Employee
Posts: 2,657
Registered: ‎05-08-2017
Kudos: 464
Solutions: 384

Re: ES24 access-list/group VLAN - no access to subnet

Hi @mschmitter,

 

If you only want to apply the ACL ingress on VLAN110, all you need to do is revert the ACL source and destination ranges.

 

The downside is that traffic will be dropped on the return path instead. So if another VLAN wants to access VLAN110 it will first be allowed, but the return traffic will be dropped.

 

-Ben

 


 

Ben Pin | Ubiquiti Support

New Member
Posts: 5
Registered: 2 weeks ago

Re: ES24 access-list/group VLAN - no access to subnet

[ Edited ]

Hi @UBNT-benpin,

 

first of all, thanks for your help:

 

ip access-list VLAN110
 permit ip 192.168.110.0 0.0.0.255 192.168.180.0 0.0.0.255
 deny ip any any
 exit

ip access-group VLAN110 vlan 110 in

 

Did not do the trick! Access from 180 works now, but egress of 110 is blocked to everything other than the 180.

 

However, I still do not get the logic behind it. From my understanding the 180 is still the source address. Why is it not possible to block incoming traffic on the incoming path?

 

 

Cheers

 

Martin

Ubiquiti Employee
Posts: 2,657
Registered: ‎05-08-2017
Kudos: 464
Solutions: 384

Re: ES24 access-list/group VLAN - no access to subnet


ip access-list VLAN110
 permit ip 192.168.110.0 0.0.0.255 192.168.180.0 0.0.0.255
 deny ip any any
 exit

ip access-group VLAN110 vlan 110 in

 

Did not do the trick! Access from 180 works now, but egress of 110 is blocked to everything other than the 180.


 

This is caused by the deny ip any any statement. If you wish to block specific subnets, while allowing everything else (for example internet traffic), you need deny statements and a permit ip any any at the end of the ACL.

 


However, I still do not get the logic behind it. From my understanding the 180 is still the source address. Why is it not possible to block incoming traffic on the incoming path?


 

It is possible to block traffic on the incoming path, but then you need to apply the ACL ingress on the other VLANs. 

 

-Ben

 


 

Ben Pin | Ubiquiti Support
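An added example, not from the thread or from Ubiquiti: a small Python model of how an ACL applied "in" on a VLAN interface is evaluated per packet direction, replaying the three placements discussed above (original, source/destination reversed, and Ben's deny-plus-permit-any on the other VLANs). VLAN 20, the host addresses and the Internet address are constructed; the model covers host-to-host traffic only.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco-style wildcard mask: a set bit in the wildcard means 'don't care'."""
    if base == "any":
        return True
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return a & care == b & care

def acl_permits(acl, src, dst):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

def vlan_of(addr, svis):
    """The VLAN (SVI) a host packet with this source address enters the switch on."""
    for vlan, net in svis.items():
        if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net):
            return vlan
    return None  # e.g. an Internet address arriving via the uplink: no VLAN ACL here

def exchange(src, dst, svis, ingress_acls):
    """(request_passes, reply_passes): each direction is checked only against the
    ACL applied 'in' on the VLAN that particular packet arrives from."""
    def passes(s, d):
        acl = ingress_acls.get(vlan_of(s, svis))
        return acl is None or acl_permits(acl, s, d)
    return passes(src, dst), passes(dst, src)

# Subnets from the thread plus a constructed VLAN 20 standing in for "the other VLANs".
SVIS = {10: "192.168.180.0/24", 110: "192.168.110.0/24", 20: "192.168.20.0/24"}
ANY = ("any", "0.0.0.0")
V180, V110 = ("192.168.180.0", "0.0.0.255"), ("192.168.110.0", "0.0.0.255")
V20 = ("192.168.20.0", "0.0.0.255")
# 1. Original post: permit 180->110, deny any, applied "in" on VLAN 110.
ORIGINAL = {110: [("permit", *V180, *V110), ("deny", *ANY, *ANY)]}
# 2. Source/destination reversed, still applied "in" on VLAN 110.
REVERSED = {110: [("permit", *V110, *V180), ("deny", *ANY, *ANY)]}
# 3. Deny on the other VLANs' ingress, permit everything else (Internet etc.).
ON_OTHERS = {20: [("deny", *V20, *V110), ("permit", *ANY, *ANY)]}

if __name__ == "__main__":
    for name, acls in (("original", ORIGINAL), ("reversed", REVERSED), ("on others", ON_OTHERS)):
        print(name, "180->110:", exchange("192.168.180.10", "192.168.110.10", SVIS, acls),
              "110->Internet:", exchange("192.168.110.10", "203.0.113.5", SVIS, acls),
              "20->110:", exchange("192.168.20.10", "192.168.110.10", SVIS, acls))
```

With the original placement the request from 180 passes (no ACL on VLAN 10) but the reply entering on VLAN 110 hits deny ip any any, which is the symptom in the first post; the reversed ACL fixes that pair while blocking VLAN 110 toward the Internet, and lets another VLAN's request in but drops the return, exactly as described above.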

New Member
Posts: 5
Registered: 2 weeks ago

Re: ES24 access-list/group VLAN - no access to subnet

Thanks for your patience! I guess I got the point now.

 

Anyway, this does not sound very handy. Any chance to raise an enhancement request?

 

Cheers

 

Martin
