topic Server to Server access list in the same vlan in Switching

Server to Server access list in the same vlan

kupsroach182 — Fri, 08 Mar 2019 17:53:56 GMT

Hi,

Can you help me to implement a server to server access list in the same VLAN. Can you give me a sample configuration? Please find attached file for sample network design

Sample server-server access list in the same VLAN

Server #1 IP Address 192.168.1.1

Server #2 IP Address 192.168.1.2

Server #3 IP Address 192.168.1.3

Server #4 IP Address 192.168.1.4

This access-list sample how to config in the same VLAN.

scenario:

1.) Server #1 can access Server #2 then denied Server #3 & Server #4

2.) Server #2 can access Server #3 then denied Server #1 & Server #4

3.) Server #3 can access Server #1 and Server #2 then denied Server #4

3.) Server #4 denied access to Server #1 and Server #2 and Server #3

Thanks in advance.

Hi

Mark Malone — Fri, 24 Mar 2017 08:47:06 GMT

you should use a mac acl in same vlan , resolve the ips to there macs and block and permit them that way

https://bizzard2000.wordpress.com/2012/04/05/mac-access-list-extended/

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/asr903/sec-data-acl-xe-3s-asr903-book/mac-access-control-lists.html#concept_A0793814F55647FBAE4B3A3E67E10DBB

mac access-list extended example

permit host 0042.68fc.fc20 host 0042.68fc.fc21

permit host 0042.68fc.fc21 host 0042.68fc.fc20

Hi Mark,

kupsroach182 — Fri, 24 Mar 2017 09:13:15 GMT

Hi Mark,

Thank you, i will try it to my test environment. I got also follow up question is mac access-list can define port control also like eq www, eq 21 or eq icmp? and the last thing where do I put the mac extended access-list?

a. ) mac access-list extended example

permit host 0042.68fc.fc20 host 0042.68fc.fc21 eq icmp

permit host 0042.68fc.fc21 host 0042.68fc.fc20 eq 8080

b. )

interface Vlan2
description *** Server Farm ***
ip address 192.168.1.200 255.255.255.0
ip access-group "mac access-list extended example" in

is this correct?

Thanks

Hi

Mark Malone — Fri, 24 Mar 2017 09:34:41 GMT

no it would be like the doc example below , you can apply it to layer 2 port or layer 3 if your device supports it , there is also VACLs as another option

You don't get the same eq options in macls as ip acls

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.html#pgfId-1148259

switch#configure terminal
switch(config)#mac access-list extended cisco
switch(config-ext-macl)#permit host 0011.abcd.abcd host 0011.1111.1111
switch(config-ext-macl)#exit
switch(config)#access-list 101 deny ip 10.10.1.0 0.0.0.255 host 10.10.2.2
switch(config)#access-list 101 permit ip any any
switch(config)#interface f0/23
switch(config-if)#switchport mode trunk
switch(config-if)#ip access-group 101 in
switch(config-if)#mac access-group cisco in
switch(config-if)#end
switch#show access-lists
switch#show access-group interface f0/23