01-19-2025 03:20 PM
help me create an access list in the home router:
-only Pc1 to access the finance server
-webserver to be accessed by all pc
-database server to be accessed by all pc except PC1
01-19-2025 03:42 PM - edited 01-19-2025 05:15 PM
I don't know which IP addresses you will use, so I used placeholders that you can convert into IP addresses.
ip access-list extended HOME-ROUTER
permit ip host PC1-IP host FINANCE-SERVER-IP
deny ip any host FINANCE-SERVER-IP
deny ip host PC1-IP host DATA-BASE-SERVER-IP
permit ip any any
Apply the ACL on the interface facing the switch in the "IN" direction.
int X/X
ip access-group HOME-ROUTER in
01-19-2025 04:18 PM
@Flavio Miranda may have rushed his reply, just a bit.
ip access-list extended HOME-ROUTER
permit ip host PC1-IP host FINANCE-SERVER-IP
deny ip any host FINANCE-SERVER-IP
deny ip host PC1-IP host DATA-BASE-SERVER-IP
permit ip any any
Apply the ACL on the interface facing switch 1 in the "IN" direction.
Additionally, if you want to ensure no two-way traffic, you can block traffic from the servers outbound (as the above only blocks traffic to the servers - which, again, is likely sufficient).
Also, the above ACL would also work on the interface facing switch 0 in "OUT" direction.
Possibly the above would not be sufficient, to support "only Pc1 to access the finance server", applied as "IN" on switch 1 interface, if you also intend to block Internet hosts to Finance Server too. However, it would work for those hosts too, if applied as "OUT" on switch 0 interface.
Lastly, the above ACL could swap source and destination parameters and be used as "IN" on switch 0 interface or "OUT" on switch 1 interface.
01-19-2025 04:57 PM
01-19-2025 05:44 PM
@armelinobakiaj wrote:
Can you, like, solve it?
Yes I can, but believe what @Flavio Miranda originally provided, beyond missing one keyword and making it clear which switch connected interface to apply the ACL on, is a solution.
Is there some reason you believe what we both provided is not a solution? Or, are you looking for something further? Or, did my additional remarks cause you confusion?
01-20-2025 02:43 PM
something further would be great
01-20-2025 03:42 PM
@armelinobakiaj wrote:
something further would be great
Unclear what "further" would be. Can you elaborate?
01-19-2025 09:56 PM - edited 01-19-2025 09:57 PM
Hello @armelinobakiaj
Assuming that:
- PC1: 192.168.1.10
- other PCs: 192.168.1.11 - 192.168.1.254
- finance server: 10.0.0.1
- web server: 10.0.0.2
- database server: 10.0.0.3
ip access-list extended HOME_ACL
remark Allow PC1 to access the finance server
permit ip host 192.168.1.10 host 10.0.0.1
remark Allow all PCs to access the web server
permit ip 192.168.1.0 0.0.0.255 host 10.0.0.2
remark Deny PC1 from accessing the database server
deny ip host 192.168.1.10 host 10.0.0.3
remark Allow other PCs to access the database server
permit ip 192.168.1.0 0.0.0.255 host 10.0.0.3
remark Deny all other traffic
deny ip any any
-- It is generally a good practice to explicitly deny all traffic at the end of an ACL. While Cisco ACLs implicitly deny all traffic not explicitly permitted, adding an explicit deny statement at the end provides clarity, better logging, and debugging capabilities. Also, as concerns applying an extended ACL, the best practice is to apply it as close to the source as possible. This approach minimizes unnecessary traffic in the network because it prevents unwanted packets from traveling far before being dropped.
-- Apply this extended ACL on the router's interface facing Switch1:
interface GigabitEthernetx/x
ip access-group HOME_ACL in
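As an added check (not code from any post in this thread), a small Python evaluator that applies Cisco first-match wildcard semantics to the HOME_ACL above and tests it against the three requirements from the question; the host 192.168.1.20 is an assumed stand-in for "any other PC", and the remark lines are left out of the constructed copy.

```python
import ipaddress

# Constructed copy of the HOME_ACL entries from the post above (remarks omitted).
HOME_ACL = """
permit ip host 192.168.1.10 host 10.0.0.1
permit ip 192.168.1.0 0.0.0.255 host 10.0.0.2
deny ip host 192.168.1.10 host 10.0.0.3
permit ip 192.168.1.0 0.0.0.255 host 10.0.0.3
deny ip any any
"""
# The question's requirements as flows; 192.168.1.20 stands in for "any other PC".
POLICY = [
    ("PC1 reaches the finance server", "192.168.1.10", "10.0.0.1", "permit"),
    ("other PCs must not reach the finance server", "192.168.1.20", "10.0.0.1", "deny"),
    ("PC1 reaches the web server", "192.168.1.10", "10.0.0.2", "permit"),
    ("other PCs reach the web server", "192.168.1.20", "10.0.0.2", "permit"),
    ("PC1 must not reach the database server", "192.168.1.10", "10.0.0.3", "deny"),
    ("other PCs reach the database server", "192.168.1.20", "10.0.0.3", "permit"),
]

def _addr_spec(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return ((net, wildcard), next i)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[i:i + 2])
    return (net, wild), i + 2

def _entry(tokens):
    src, i = _addr_spec(tokens, 2)  # tokens[1] is the protocol, always "ip" here
    return tokens[0], src, _addr_spec(tokens, i)[0]

def parse_acl(text):
    """Return (action, src_spec, dst_spec) per entry, in order; remark lines are skipped."""
    return [_entry(t) for t in map(str.split, text.strip().splitlines()) if t and t[0] != "remark"]

def evaluate(entries, src, dst):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    def hit(spec, addr):  # Cisco wildcard: a 1 bit means "don't care"
        net, wild = spec
        return ((int(ipaddress.IPv4Address(addr)) ^ net) & ~wild & 0xFFFFFFFF) == 0
    for action, s, d in entries:
        if hit(s, src) and hit(d, dst):
            return action
    return "deny"

def check_policy(entries):
    """Return the names of the requirements the ACL fails to enforce."""
    return [n for n, s, d, want in POLICY if evaluate(entries, s, d) != want]
```

Swapping the PC1 deny and the subnet permit for the database server makes check_policy report the violation, which is the ordering mistake first-match evaluation punishes.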