https://community.cisco.com/t5/network-security/problem-with-acl/m-p/3028483#M135430 <P>Hi</P> <P></P> <P>I had a quick look at your design.</P> <P>First of all, as your distribution switches will act as default gateway, you don't need to setup an IP for all vlans on each 2960 access switches. You can remove those SVI for vlans 20,30 and 40.</P> <P>You can just keep vlan 1 as management vlan. Be careful on the default-gateway you configure on access switches. It should the HSRP VIP ip of your vlan 1. Those switches will act as Layer 2 that means there aren't gonna do any routing.</P> <P></P> <P>On your distribution switches, the hsrp config has to be the same on both switches. Only the priority will change.</P> <P>This is your config:</P> <P>### DISTRIBUTION 2 ###</P> <P>interface Vlan40<BR /> description Sales<BR /> mac-address 00e0.a39d.cd04<BR /> ip address 192.168.40.2 255.255.255.0<BR /> standby 0 ip 192.168.40.101<BR /> standby 0 preempt</P> <P>### DISTRIBUTION 1 ###</P> <P>interface Vlan40<BR /> description Sales<BR /> mac-address 00d0.583a.1204<BR /> ip address 192.168.40.6 255.255.255.0<BR /> standby 40 ip 192.168.40.100<BR /> standby 40 priority 150<BR /> standby 0 preempt<BR />!</P> <P></P> <P>The config should be:</P> <P>### DISTRIBUTION 2 ###</P> <P>interface Vlan40<BR /> description Sales<BR /> mac-address 00e0.a39d.cd04<BR /> ip address 192.168.40.2 255.255.255.0<BR /> standby 40 ip 192.168.40.100<BR /> standby 40 preempt</P> <P>### DISTRIBUTION 1 ###</P> <P>interface Vlan40<BR /> description Sales<BR /> mac-address 00d0.583a.1204<BR /> ip address 192.168.40.6 255.255.255.0<BR /> standby 40 ip 192.168.40.100<BR /> standby 40 priority 150<BR /> standby 400 preempt<BR />!</P> <P></P> <P>In terms on access-list, I will write down the acl to allow only host 192.168.40.22 to access http, deny all others accessing this server in http and allowing every other protocols. This acl will be applied on your router called Border Router on interface G0/0:</P> <P>ip access-list extended 190</P> <P>&nbsp;1 permit tcp host 10.0.0.18 eq 80 host 192.168.40.22</P> <P>&nbsp;2 deny tcp host 10.0.0.18 eq 80 any&nbsp;</P> <P>&nbsp;3 permit ip any any</P> <P>!</P> <P>interface g0/0</P> <P>&nbsp;ip access-group 190 in</P> <P></P> <P>Hope that answers your questions.</P> <P></P> <P>PS: Please don't forget to rate and mark as correct answer if this answered your questions.</P> <P></P> Fri, 19 May 2017 21:39:42 GMT Francesco Molino 2017-05-19T21:39:42Z https://community.cisco.com/t5/network-security/problem-with-acl/m-p/3028482#M135426 <P>Hi everyone&nbsp;</P> <P>I study CCNA and have network created in Packet tracer with 4 vlans. I want to restrict some of the specific hosts from www:</P> <UL> <LI>VLAN 20 hosts 192.168.20.22 and 192.168.20.23</LI> <LI>VLAN 30 hosts 192.168.30.22 and 192.168.30.23</LI> <LI>VLAN 40 hosts 192.168.40.22 and 192.168.30.23&nbsp;</LI> </UL> <P>I set WEB server in outside network but also not sure if settings are OK. I want to block those hosts from any www traffic&nbsp;</P> <P>I'm not sure which interface and what access list (standard/extended) to apply with that topology and &nbsp;NAT</P> <P>Because it will be very difficult to explain whole case&nbsp;and all the IP addresses, I attached .pkt file&nbsp;</P> <P>Any help will be much appreciated.</P> <P></P> <P>Kind Regards Peter Majchrzak &nbsp; &nbsp;&nbsp;</P> Tue, 12 Mar 2019 09:23:19 GMT https://community.cisco.com/t5/network-security/problem-with-acl/m-p/3028482#M135426 enginerster 2019-03-12T09:23:19Z https://community.cisco.com/t5/network-security/problem-with-acl/m-p/3028483#M135430 <P>Hi</P> <P></P> <P>I had a quick look at your design.</P> <P>First of all, as your distribution switches will act as default gateway, you don't need to setup an IP for all vlans on each 2960 access switches. You can remove those SVI for vlans 20,30 and 40.</P> <P>You can just keep vlan 1 as management vlan. Be careful on the default-gateway you configure on access switches. It should the HSRP VIP ip of your vlan 1. Those switches will act as Layer 2 that means there aren't gonna do any routing.</P> <P></P> <P>On your distribution switches, the hsrp config has to be the same on both switches. Only the priority will change.</P> <P>This is your config:</P> <P>### DISTRIBUTION 2 ###</P> <P>interface Vlan40<BR /> description Sales<BR /> mac-address 00e0.a39d.cd04<BR /> ip address 192.168.40.2 255.255.255.0<BR /> standby 0 ip 192.168.40.101<BR /> standby 0 preempt</P> <P>### DISTRIBUTION 1 ###</P> <P>interface Vlan40<BR /> description Sales<BR /> mac-address 00d0.583a.1204<BR /> ip address 192.168.40.6 255.255.255.0<BR /> standby 40 ip 192.168.40.100<BR /> standby 40 priority 150<BR /> standby 0 preempt<BR />!</P> <P></P> <P>The config should be:</P> <P>### DISTRIBUTION 2 ###</P> <P>interface Vlan40<BR /> description Sales<BR /> mac-address 00e0.a39d.cd04<BR /> ip address 192.168.40.2 255.255.255.0<BR /> standby 40 ip 192.168.40.100<BR /> standby 40 preempt</P> <P>### DISTRIBUTION 1 ###</P> <P>interface Vlan40<BR /> description Sales<BR /> mac-address 00d0.583a.1204<BR /> ip address 192.168.40.6 255.255.255.0<BR /> standby 40 ip 192.168.40.100<BR /> standby 40 priority 150<BR /> standby 400 preempt<BR />!</P> <P></P> <P>In terms on access-list, I will write down the acl to allow only host 192.168.40.22 to access http, deny all others accessing this server in http and allowing every other protocols. This acl will be applied on your router called Border Router on interface G0/0:</P> <P>ip access-list extended 190</P> <P>&nbsp;1 permit tcp host 10.0.0.18 eq 80 host 192.168.40.22</P> <P>&nbsp;2 deny tcp host 10.0.0.18 eq 80 any&nbsp;</P> <P>&nbsp;3 permit ip any any</P> <P>!</P> <P>interface g0/0</P> <P>&nbsp;ip access-group 190 in</P> <P></P> <P>Hope that answers your questions.</P> <P></P> <P>PS: Please don't forget to rate and mark as correct answer if this answered your questions.</P> <P></P> Fri, 19 May 2017 21:39:42 GMT https://community.cisco.com/t5/network-security/problem-with-acl/m-p/3028483#M135430 Francesco Molino 2017-05-19T21:39:42Z https://community.cisco.com/t5/network-security/problem-with-acl/m-p/3028484#M135432 <P>Thank you&nbsp;<A href="https://supportforums.cisco.com/users/supportlan" title="View user profile." class="username" lang="" about="/users/supportlan" typeof="sioc:UserAccount" property="foaf:name" datatype="">Francesco Molino</A>&nbsp;for your answer, yes it did answer my question. Thanks for your help looks much more clear now.</P> <P></P> <P></P> <P>Regards Peter Majchrzak&nbsp;</P> Sat, 20 May 2017 12:25:03 GMT https://community.cisco.com/t5/network-security/problem-with-acl/m-p/3028484#M135432 enginerster 2017-05-20T12:25:03Z https://community.cisco.com/t5/network-security/problem-with-acl/m-p/3028485#M135434 <P>You're welcome.&nbsp;</P> <P>Can you mark please my answer as correct answer?&nbsp;</P> <P></P> <P>Thanks</P> Sat, 20 May 2017 12:55:51 GMT https://community.cisco.com/t5/network-security/problem-with-acl/m-p/3028485#M135434 Francesco Molino 2017-05-20T12:55:51Z