ACL "Me" Interface
The "Me" interface in the ACL looks to be like the INPUT rules of iptables... I'm attempting to block ping from all interfaces except for the interface the traffic originates from. If a host is on Interface 1 they can ping interface 1 but not interface 2, interface 3, etc. I can configure the ACL to block all pings to the "Me" interface, but it seems that the web interface is not granular enough to write a rule for traffic on interface 1 to not ping the interface on interface 2. Blocking all other traffic except ping is pretty straightforward. I even attempted to block via IP Groups, but I am still able to ping across VLANs/interfaces on the router... What am I missing?
Hi @Roaming9231
Thanks for posting in our business forum.
Could you describe your issue again in a clearer way? I'm not sure what you mean or what your expectations are.
And what's your current ACL rule? It would be nice if you had a screenshot.
@Clive_A Here's a hopefully more clear example:
Example Network:
LAN1 - LAN Router Interface 1 - VLAN 1 - 10.0.0.1/24
LAN2 - LAN Router Sub-Interface 2 - VLAN 99 - 10.0.1.1/24
LAN3 - LAN Router Sub-Interface 3 - VLAN 100 - 10.0.2.1/24
Requirement:
1. If a user is on LAN1 the user should be able to ping the interface IP of LAN1. User should not be able to ping the IP of LAN2 and LAN3.
2. If a user is on LAN2 the user should be able to ping the interface IP of LAN2. User should not be able to ping the IP of LAN1 and LAN3.
3. If a user is on LAN3 the user should be able to ping the interface IP of LAN3. User should not be able to ping the IP of LAN1 and LAN2.
Without an ACL in place the default experience is that any user on any LAN can ping any LAN Router interface.
An ACL can be built to deny traffic to the "Me" interface, which looks to me similar to the iptables INPUT chain. The "Me" interface describes any traffic destined for an interface configured on the router directly. If you configure the ACL to deny ICMP to the "Me" interface, it blocks pings from ALL LANs to ALL configured interfaces.
I have been able to isolate ping responses from all interfaces but one (see pic below). This allows pings from users on the LAN1 interface to the LAN1 router interface IP, but it denies ping from all other router interfaces. This indicates to me that the "Me" interface is considered by the ACL as a global parameter and there is no ability to set the ACL more granularly on a per-router-interface level. Is this assumption true?
I've tried this on both the interface level and the IP level by blocking 10.0.0.0/24 to 10.0.1.0/24, but ping replies still occur from all subnets configured on the router. I've also tried to block traffic from 10.0.0.0/24 to 10.0.1.1/32 and ping replies still occurred...
I'll try some more combinations of ACL rules and see if I stumble across something that may work...
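For readers following the iptables INPUT analogy in the post above, here is what the per-interface version of the requirement looks like as an nftables input-hook ruleset. This is an added illustration for the netfilter model only, not the router's own ACL configuration or anything from the vendor; the interface names eth0, eth0.99 and eth0.100 are assumed, as is the Linux host acting as the router.

```nft
# Added example: the three requirements from the post, expressed in the
# netfilter "input" hook (the chain the "Me" interface is being compared to).
# Interface names are assumptions; the router addresses are those in the post.
table inet me_acl {
    chain input {
        type filter hook input priority 0; policy accept;

        # Keep replies to the router's own traffic and established sessions working
        ct state established,related accept

        # Requirement 1-3: echo-request to a router-owned address is accepted only
        # when it arrives on the interface that owns that address.
        iifname "eth0"     ip daddr 10.0.0.1 icmp type echo-request accept
        iifname "eth0.99"  ip daddr 10.0.1.1 icmp type echo-request accept
        iifname "eth0.100" ip daddr 10.0.2.1 icmp type echo-request accept

        # Any other echo-request aimed at a router-owned address is dropped,
        # which is the cross-VLAN ping the post wants blocked.
        ip daddr { 10.0.0.1, 10.0.1.1, 10.0.2.1 } icmp type echo-request drop
    }
}
```

The granularity the post is asking for is the pairing of ingress interface (`iifname`) with destination address in the same rule; the "Me" ACL as described in the thread only carries the destination half, which is why it behaves as a global deny.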
Hi @Roaming9231
Thanks for posting in our business forum.
To meet your requirements, try this.