Hey, much like many around here, I decided to swap my Unifi gear for Ruckus, and now I'm trying to learn some more advanced stuff (at least for my level), so please bear with me.
I have two VLANs defined on the switch: the default (VLAN 1), which my core infrastructure is connected to, such as switches and servers, and then there's VLAN 5, which is where IoT devices and Wi-Fi clients are. Now I'm trying to set up some basic ACLs in order to stop devices on VLAN 5 from talking to devices on VLAN 1 (and to each other unless specifically permitted).
VLAN 1 network is 10.0.0.0/24
VLAN 5 network is 10.0.5.0/24
Problem: On my NAS, I have a virtual machine with IP 10.0.5.45, which is on VLAN 5, but that machine can access a physical machine that's on VLAN 1 with IP 10.0.0.9, like SSH or curl, or anything that's open on 10.0.0.9. I was under the impression that my ACL should prevent that with the sequence 70 part of the ACL?
Here's the relevant part of the config:
Code:
ver 08.0.95gT213
!
stack unit 1
module 1 icx7150-24p-poe-port-management-module
module 2 icx7150-2-copper-port-2g-module
module 3 icx7150-4-sfp-plus-port-40g-module
!
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
router-interface ve 1
!
vlan 5 name IOT by port
tagged ethe 1/3/4
router-interface ve 5
ip access-group iot4 in
!
!
!
!
!
interface ethernet 1/3/4
port-name NAS
no optical-monitor
!
interface ve 1
ip address 10.0.0.6 255.255.255.0
ip bootp-gateway 10.0.0.6
ip helper-address 1 10.0.0.8
!
interface ve 5
port-name IOT
ip address 10.0.5.6 255.255.255.0
ip helper-address 1 10.0.0.8
!
ip access-list extended iot4
enable accounting
sequence 10 permit tcp any any established
sequence 20 permit udp any host 10.0.0.8 eq bootps
sequence 30 permit udp any host 10.0.0.8 eq bootpc
sequence 40 permit udp any host 10.0.0.8 eq dns
sequence 50 permit tcp any host 10.0.0.8 eq dns
sequence 60 permit tcp any host 10.0.0.12 eq 32400
sequence 70 deny ip 10.0.5.0 0.0.0.255 10.0.0.0 0.0.255.255 log
sequence 80 permit ip any any
!
!
!
end
Any pointers would be more than welcome, I've been bashing my head against this for the past couple of days.
Thanks!
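A way to check what the ACL text itself does with the flow in the post, as an added example (not from the post, not Ruckus code): a small Python model of FastIron-style first-match evaluation with wildcard masks, host/any, eq ports, the established keyword and the implicit deny at the end. It models only the ACL text, not the switch's forwarding pipeline or where the access-group is bound; the ACL body is copied from the post and the flows are constructed (the VM's source ports are invented).

```python
"""Trace flows through a FastIron-style extended IPv4 ACL (first match wins).

Added example: models only the semantics of the ACL text (wildcard masks,
'host'/'any', 'eq' ports, 'established', implicit deny at the end). It does
not model the switch pipeline or where the access-group is applied.
"""
from ipaddress import IPv4Address

# Service names the ACL text uses as port keywords.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "dns": 53}

# ACL body copied from the post.
ACL_TEXT = """
sequence 10 permit tcp any any established
sequence 20 permit udp any host 10.0.0.8 eq bootps
sequence 30 permit udp any host 10.0.0.8 eq bootpc
sequence 40 permit udp any host 10.0.0.8 eq dns
sequence 50 permit tcp any host 10.0.0.8 eq dns
sequence 60 permit tcp any host 10.0.0.12 eq 32400
sequence 70 deny ip 10.0.5.0 0.0.0.255 10.0.0.0 0.0.255.255 log
sequence 80 permit ip any any
"""

# Constructed flows, as seen inbound on VLAN 5 (the direction iot4 is applied).
FLOWS = {
    # The flow from the post: a new SSH connection from the VM to the VLAN 1 host.
    "ssh_syn_to_vlan1": dict(proto="tcp", src="10.0.5.45", dst="10.0.0.9",
                             sport=51000, dport=22, tcp_flags=("SYN",)),
    # The VM answering a session that a VLAN 1 host opened towards it.
    "reply_to_vlan1": dict(proto="tcp", src="10.0.5.45", dst="10.0.0.9",
                           sport=22, dport=40000, tcp_flags=("ACK", "PSH")),
    "dns_query": dict(proto="udp", src="10.0.5.45", dst="10.0.0.8", sport=5353, dport=53),
    "plex": dict(proto="tcp", src="10.0.5.45", dst="10.0.0.12",
                 sport=52000, dport=32400, tcp_flags=("SYN",)),
    # Two VLAN 5 hosts; the destination falls inside the 0.0.255.255 wildcard.
    "iot_to_iot": dict(proto="tcp", src="10.0.5.45", dst="10.0.5.50",
                       sport=53000, dport=80, tcp_flags=("SYN",)),
    "to_internet": dict(proto="tcp", src="10.0.5.45", dst="1.1.1.1",
                        sport=54000, dport=443, tcp_flags=("SYN",)),
}


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i].
    Returns ((address, wildcard), next index); wildcard bits set to 1 are ignored."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]; other operators are not modelled."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text):
    """Parse 'sequence N permit|deny proto src [eq p] dst [eq p] [established] [log]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "sequence":
            continue
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        rules.append(dict(seq=int(t[1]), action=t[2], proto=t[3], src=src, sport=sport,
                          dst=dst, dport=dport, keywords=set(t[i:])))
    return rules


def _addr_match(spec, addr):
    net, wild = spec
    care = 0xFFFFFFFF ^ wild  # the bits the rule actually compares
    return (int(IPv4Address(addr)) & care) == (net & care)


def rule_matches(rule, flow):
    if rule["proto"] != "ip" and rule["proto"] != flow["proto"]:
        return False
    if not (_addr_match(rule["src"], flow["src"]) and _addr_match(rule["dst"], flow["dst"])):
        return False
    if rule["sport"] is not None and rule["sport"] != flow.get("sport"):
        return False
    if rule["dport"] is not None and rule["dport"] != flow.get("dport"):
        return False
    if "established" in rule["keywords"]:
        # 'established' matches only TCP segments with ACK or RST set, never a bare SYN.
        if flow["proto"] != "tcp" or not ({"ACK", "RST"} & set(flow.get("tcp_flags", ()))):
            return False
    return True


def trace(rules, flow):
    """(sequence, action) of the first matching line; (None, 'deny') for the implicit deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule["seq"], rule["action"]
    return None, "deny"


def trace_all(acl_text=ACL_TEXT, flows=FLOWS):
    rules = parse_acl(acl_text)
    return {name: trace(rules, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (seq, action) in trace_all().items():
        where = f"sequence {seq}" if seq is not None else "implicit deny"
        print(f"{name:18} -> {action:6} ({where})")
```

The trace lands the SSH SYN from 10.0.5.45 to 10.0.0.9 on sequence 70 (deny): sequence 10 cannot match it because a bare SYN carries neither ACK nor RST, and nothing between 20 and 60 names 10.0.0.9. So the ACL text is not what lets that connection through; whatever is happening is in how or where iot4 is applied, or in the path the VM's packets actually take to the switch, neither of which the post shows. Since sequence 70 carries log, the presence or absence of log entries for that flow on the switch is the first thing to check. Two side effects of the text are also visible: a reply with ACK set from a VLAN 5 host is permitted by sequence 10 regardless of destination, and the destination wildcard 0.0.255.255 spans all of 10.0.0.0/16, so sequence 70 also matches traffic between two 10.0.5.0/24 hosts wherever the ACL sees it.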