I have a Dell 6224 PowerConnect switch acting as the core switch on our network. I have a number of VLANs configured, and the time has come for us to now consider blocking traffic between specific VLANs.
I currently use VLANs 2 – 10 and their respective subnets are 10.58.v.0/24 (where v is the VLAN ID). The router interface on each VLAN is 10.58.v.1
For example VLAN 5 uses 10.58.5.0/24, with a gateway of 10.58.5.1
What I want to do, is to block all IP traffic between VLAN 5 and VLAN 8, i.e. anything with an IP in the range of 10.58.5.0/24 can't communicate with anything in 10.58.8.0/24 and vice versa.
As this is a production network (and I don't have a test environment available), I don't want to just start creating ACLs, in case I mess up.
My first thought was to create an access list such as:
access-list testacl deny ip 10.58.5.0 255.255.255.0 10.58.8.0 255.255.255.0
But I don't really know if this needs to be assigned to a specific interface?
Update:
I've been reading further and realise that I now need to add a permit rule for everything else; otherwise the implied deny-all rule will block everything, so my testacl now looks like this:
access-list testacl deny ip 10.58.5.0 255.255.255.0 10.58.8.0 255.255.255.0
access-list testacl permit every
But I'm still unsure if this is correct, and would appreciate any assistance, as I don't want to risk reconfiguring production switches without fully understanding other possible side effects of what I'm doing.
Best Answer
I hate answering my own questions, but as I've now resolved this, this might help someone else.
Firstly, the netmask above is incorrect; I should have used a wildcard mask.
After some research I found that the correct commands to create the ACL were:
...and to apply the ACL, I used the following:
After the research I did, I felt confident to apply the ACL to the production switches, and the change worked flawlessly.
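The two points the question and answer turn on, the implied deny-all at the end of an ACL and the difference between a subnet mask and a wildcard mask, can be checked offline before touching a production switch. The following Python evaluator is an added example, not the switch's own code or the poster's final configuration: it assumes IOS-style ACL semantics (first matching entry wins, implicit deny at the end, wildcard bit 1 = don't care, bit 0 = must match), which is the model the answer's wildcard-mask remark refers to. The three ACL texts are constructed from the entries on the page; the `parse_acl`, `evaluate` and `wildcard_from_netmask` names are this example's own.

```python
"""Toy first-match ACL evaluator with wildcard masks.

Assumption: Cisco/Dell-style semantics (first match wins, implicit deny at the
end, wildcard bit 1 = don't care). Added example, not vendor code.
"""
import ipaddress


def wildcard_from_netmask(netmask: str) -> str:
    """A wildcard mask is the bitwise inverse of a subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF))


def _matches(addr: str, base: str, wild: str) -> bool:
    """Bits that are 0 in the wildcard must equal the base address; 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(text: str) -> list:
    """Parse 'access-list NAME {permit|deny} ...' lines into
    (action, src, src_wild, dst, dst_wild) tuples. Supports 'permit every'
    (as on the page) and the equivalent 'ip any any' form."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        action, rest = tok[2], tok[3:]
        if rest == ["every"] or rest == ["ip", "any", "any"]:
            entries.append((action, "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"))
        elif len(rest) == 5 and rest[0] == "ip":
            entries.append((action, rest[1], rest[2], rest[3], rest[4]))
        else:
            raise ValueError(f"unsupported entry: {line}")
    return entries


def evaluate(acl: list, src: str, dst: str) -> str:
    """Return the action of the first entry matching src/dst; no match hits the implicit deny."""
    for action, s, sw, d, dw in acl:
        if _matches(src, s, sw) and _matches(dst, d, dw):
            return action
    return "deny (implicit)"


# Constructed: the ACL as first written in the question, with subnet masks in the mask field.
ACL_NETMASK = """
access-list testacl deny ip 10.58.5.0 255.255.255.0 10.58.8.0 255.255.255.0
access-list testacl permit every
"""

# Constructed: the same intent written with wildcard masks, as the answer recommends.
ACL_WILDCARD = """
access-list testacl deny ip 10.58.5.0 0.0.0.255 10.58.8.0 0.0.0.255
access-list testacl permit every
"""

# Constructed: the deny entry on its own, without the trailing permit.
ACL_NO_PERMIT = """
access-list testacl deny ip 10.58.5.0 0.0.0.255 10.58.8.0 0.0.0.255
"""

# Constructed: one deny per direction, so VLAN 8 -> VLAN 5 is blocked as well.
ACL_BOTH_WAYS = """
access-list testacl deny ip 10.58.5.0 0.0.0.255 10.58.8.0 0.0.0.255
access-list testacl deny ip 10.58.8.0 0.0.0.255 10.58.5.0 0.0.0.255
access-list testacl permit every
"""


def dry_run() -> dict:
    """Evaluate a few constructed flows against each ACL variant."""
    flows = {
        "v5->v8": ("10.58.5.10", "10.58.8.20"),
        "v8->v5": ("10.58.8.20", "10.58.5.10"),
        "v5->v6": ("10.58.5.10", "10.58.6.10"),
    }
    acls = {"netmask": ACL_NETMASK, "wildcard": ACL_WILDCARD,
            "no_permit": ACL_NO_PERMIT, "both_ways": ACL_BOTH_WAYS}
    return {name: {f: evaluate(parse_acl(txt), *flows[f]) for f in flows}
            for name, txt in acls.items()}


if __name__ == "__main__":
    for name, result in dry_run().items():
        print(name, result)
```

Running `dry_run()` makes the failure modes concrete: with `255.255.255.0` in the wildcard position only hosts whose last octet is exactly 0 are matched, so a normal host-to-host flow between VLAN 5 and VLAN 8 falls through to `permit every`; with `0.0.0.255` it is denied; with no trailing permit, unrelated VLAN 5 to VLAN 6 traffic hits the implicit deny; and a single deny entry only covers one direction, so blocking "vice versa" needs the mirrored entry (or the ACL applied inbound on both VLAN interfaces).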