12-13-2008 09:26 PM - edited 03-04-2019 12:41 AM
Dear all,
I have a Cisco 6500 switch with multiple VLANs.
My server VLAN is in HSRP, i.e. VLAN ID 128, and my user VLANs are in GLBP, i.e. VLAN ID 192.
My server IP address VLAN range is 128.20.0.0/16
and the user VLAN is 192.168.X.X/24.
I want to achieve the following:
I have one server, 128.20.0.166; currently all users are able to access it directly. Now I want to block direct access to it
from my user VLAN.
Can someone guide me on which type of access list I have to create, with the commands, and where I have to apply it to achieve this?
12-14-2008 12:47 AM
Hello Jitendra,
there are more ways to achieve what you want.
Your scenario should be:
Servers vlan VL128 ---- SVI_Vlan128 === SVI_Vlan192 --- Clients Vlan Vlan 192
The correct tool is an extended IP ACL, which allows you to specify a source and destination and L4 information like TCP or UDP and ports.
Let's suppose the server 128.20.0.166 is open on TCP port T.
You can apply the ACL inbound on SVI Vlan128:
conf t
access-list 121 deny tcp host 128.20.0.166 eq T 192.168.X.0 0.0.0.255
access-list 121 permit ip any any
where T is only there to represent the service port number.
Notice that the TCP port follows the server: the port used on the clients is dynamically negotiated so it cannot be matched.
! applying the ACL inbound
int vlan 128
ip access-group 121 in
Other choices are possible.
Hope to help
Giuseppe
12-16-2008 11:10 PM
I have created the access list below:
ip access-list extended serveracl
10 deny 192.168.1.31 0.0.0.255 host 128.20.0.166
20 permit ip any any
applied to vlan 128 out.
I have tried as below:
ip access-list extended serveracl
10 deny 192.168.1.31 0.0.0.224 host 128.20.0.166
20 permit ip any any
It has blocked the entire 192.168.1.0 range.
Now tell me, what is my mistake?
12-17-2008 12:30 AM
"10 deny 192.168.1.31 0.0.0.255 host 128.20.0.166"
If 192.168.1.31 is your IP, then 0.0.0.255 is not correct; it should be 0.0.0.0. Here you are blocking just 192.168.1.31.
If 192.168.1.0, then it can be 0.0.0.255. Here you are blocking all the hosts on the 192.168.1.0 network.
12-17-2008 12:49 AM
I want to block the range 192.168.1.31 to 192.168.1.255.
192.168.1.1 to 192.168.1.30 should be allowed.
12-17-2008 12:59 AM
Then you can use 192.168.1.0 0.0.0.31.
This will allow 192.168.1.1-31 and block the rest.
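Added example, not part of the thread: a small Python model of IOS wildcard-mask matching. It checks the ACL entries discussed above against sample client addresses and splits the requested range 192.168.1.31 to 192.168.1.255 into the wildcard entries a deny statement needs (the entry names and the first-match/implicit-deny model are assumptions that follow IOS ACL behaviour).

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # the 'any' keyword as base/wildcard


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches an IOS ACL entry 'base wildcard'.
    Wildcard bits set to 1 are 'don't care'; bits set to 0 must match base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(addr: str, entries) -> str:
    """First-match evaluation of (action, base, wildcard) source entries.
    IOS appends an implicit 'deny' when nothing matches."""
    for action, base, wildcard in entries:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"


def range_to_wildcards(first: str, last: str):
    """Split an inclusive IPv4 range into the fewest 'base wildcard' pairs,
    one per CIDR block (an IOS entry can only express a single block)."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [(str(n.network_address), str(n.hostmask))
            for n in ipaddress.summarize_address_range(start, end)]


# The poster's first entry: 0.0.0.255 ignores the whole last octet, so
# '192.168.1.31 0.0.0.255' matches every host in 192.168.1.0/24.
POSTED_ACL = [("deny", "192.168.1.31", "0.0.0.255"), ("permit",) + ANY]


def wanted_acl():
    """Allow .1-.30 and block .31-.255: four deny entries, then permit any."""
    entries = [("deny", base, wc)
               for base, wc in range_to_wildcards("192.168.1.31", "192.168.1.255")]
    entries.append(("permit",) + ANY)
    return entries


if __name__ == "__main__":
    for ip in ("192.168.1.5", "192.168.1.30", "192.168.1.31", "192.168.1.200"):
        print(ip, "posted:", acl_action(ip, POSTED_ACL),
              "wanted:", acl_action(ip, wanted_acl()))
```

The deny entries are source-address only; in the thread they would each carry the destination `host 128.20.0.166` as well.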