access control list on vlan to block/allow access for certain servers and internet

vinodjad1234
Level 2

Hi,

I have the VLANs below, with a sample address scheme, configured on a layer 3 switch with default gateways (SVI interfaces):

vlan 2: 192.168.10.0/28      gateway: 192.168.10.1
vlan 3: 192.168.10.64/28     gateway: 192.168.10.65
vlan 4: 192.168.10.80/28     gateway: 192.168.10.81
vlan 5: 192.168.10.112/28    gateway: 192.168.10.113
vlan 6: 192.168.10.32/28     gateway: 192.168.10.33
vlan 7: 192.168.10.48/28     gateway: 192.168.10.49
server vlan 9: 192.168.10.96/28    gateway: 192.168.10.97

Along with the above, I have a public IP address pool, let's say: 215.240.42.192 - 215.240.42.223

I have servers with two NICs, as each server will have one private IP as well as one public IP from the above pool.

Take the example of the two servers below:

1) Tally server:   Public IP 215.240.42.194
                   Private IP 192.168.10.98
                   Server VLAN gateway: 192.168.10.97
                   Public IP gateway: 215.240.42.193

2) Internal server: Public IP 215.240.42.195
                    Private IP 192.168.10.99

The above has been configured on the layer 3 switch, and the switch is connected to a router.

Below is my query :

  • The Tally server should be accessible by VLANs 2 & 3 only
  • The internal server should be accessible by VLANs 3 & 4 only
  • VLANs 6 and 7 should be able to access only the internet
  • The internal server should be accessible from outside using HTTP
  • The FTP server should be accessible by VLANs 5, 6 and 7

All of the above is to be configured on the layer 3 switch, with the access-lists applied under the specific SVI interfaces.

How can I achieve this?

Please share the knowledge .
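
A worked configuration for the conditions listed in the question, added here as an example; it is not from the original thread or from any of the repliers. It assumes Cisco IOS syntax on the layer 3 switch, that the FTP server sits in the server VLAN at 192.168.10.100 (no address was given, so that is an assumption), and that the switch's default route points at the router, so "internet" simply means any destination outside 192.168.10.0/25 and the public /27. Each ACL is applied inbound on a user-VLAN SVI, so it filters packets entering the switch from hosts in that VLAN; the server VLAN carries no ACL, so return traffic is unaffected. Because switch ACLs are stateless and the servers also have a public NIC, every ACL also denies the public /27: otherwise a host could reach a server it is not allowed to by going to the server's public address through the router instead of its private one.

```cisco
! Added example (not from the thread): Cisco IOS extended ACLs on the L3 switch.
! Assumptions: FTP server = 192.168.10.100 in VLAN 9 (address not given in the
! thread); default route on the switch points to the router; "internet" means
! any destination outside the private /25 and the public /27 (215.240.42.192/27).
!
! VLAN 2 (192.168.10.0/28): Tally server only; rest of the server VLAN and the
! public pool are blocked, everything else (including internet) is allowed.
ip access-list extended VLAN2-IN
 permit ip 192.168.10.0 0.0.0.15 host 192.168.10.98
 deny   ip any 192.168.10.96 0.0.0.15
 deny   ip any 215.240.42.192 0.0.0.31
 permit ip any any
!
! VLAN 3 (192.168.10.64/28): Tally and internal server.
ip access-list extended VLAN3-IN
 permit ip 192.168.10.64 0.0.0.15 host 192.168.10.98
 permit ip 192.168.10.64 0.0.0.15 host 192.168.10.99
 deny   ip any 192.168.10.96 0.0.0.15
 deny   ip any 215.240.42.192 0.0.0.31
 permit ip any any
!
! VLAN 4 (192.168.10.80/28): internal server only.
ip access-list extended VLAN4-IN
 permit ip 192.168.10.80 0.0.0.15 host 192.168.10.99
 deny   ip any 192.168.10.96 0.0.0.15
 deny   ip any 215.240.42.192 0.0.0.31
 permit ip any any
!
! VLAN 5 (192.168.10.112/28): FTP server only among the servers.
! Whole-IP permit on purpose: FTP opens a second data connection (from port 20
! on the server in active mode, to a high port on the server in passive mode),
! and a stateless ACL limited to tcp/21 would break transfers.
ip access-list extended VLAN5-IN
 permit ip 192.168.10.112 0.0.0.15 host 192.168.10.100
 deny   ip any 192.168.10.96 0.0.0.15
 deny   ip any 215.240.42.192 0.0.0.31
 permit ip any any
!
! VLAN 6 (192.168.10.32/28) and VLAN 7 (192.168.10.48/28): internet plus the
! FTP server, nothing else internal. 192.168.10.0/25 (wildcard 0.0.0.127)
! covers every VLAN listed in the question (hosts .0 through .127).
ip access-list extended VLAN6-IN
 permit ip 192.168.10.32 0.0.0.15 host 192.168.10.100
 deny   ip any 192.168.10.0 0.0.0.127
 deny   ip any 215.240.42.192 0.0.0.31
 permit ip any any
!
ip access-list extended VLAN7-IN
 permit ip 192.168.10.48 0.0.0.15 host 192.168.10.100
 deny   ip any 192.168.10.0 0.0.0.127
 deny   ip any 215.240.42.192 0.0.0.31
 permit ip any any
!
! "in" on an SVI = packets entering the switch from hosts in that VLAN.
interface Vlan2
 ip access-group VLAN2-IN in
interface Vlan3
 ip access-group VLAN3-IN in
interface Vlan4
 ip access-group VLAN4-IN in
interface Vlan5
 ip access-group VLAN5-IN in
interface Vlan6
 ip access-group VLAN6-IN in
interface Vlan7
 ip access-group VLAN7-IN in
```

Two caveats before copying this. First, the deny on 192.168.10.0/25 in the VLAN 6 and 7 lists also blocks packets addressed to the SVI itself (a ping to the gateway, or DHCP relay and DNS if those are served from inside), so add explicit permits for whatever infrastructure services those VLANs need above the deny. Second, nothing here restricts what the servers themselves can initiate; if the server VLAN must not reach the user VLANs, an inbound ACL on Vlan9 is needed as well. Check with `show ip interface Vlan2` (the "Inbound access list" line) and `show access-lists`, whose per-entry hit counters show which line a test connection matched.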

4 Replies

Collin Clark
VIP Alumni

You will need to draw all this out and trace all possible data paths. I would suggest that you do whatever you need to do to remove the dual NICs from the servers. It's a pain to troubleshoot and it bypasses any security.

Hi Collin,

Thanks for your reply.

I would be grateful if you could share a configuration template for at least one condition, so that it would help me to dig in and configure the rest of the things.

As you mentioned that I need to remove the dual NIC, what will happen if I want to access this server from the internet or outside?

How can I reach this server without a public IP?

Please shed some light on this.

A diagram from you would help, but I'll try and explain. Right now you have a NIC that is on the public network. What you can do is remove that NIC and have your firewall NAT to the private address. Your private address will then only use its default gateway for communication leaving the local subnet. That gives deterministic traffic flows: we know 100% which way the traffic flows because that is the only way it can flow. Once that is in place we can restrict the traffic flows between the SVIs.

Hi,

How can I reach this server without a public IP?

You'll have to do static NAT or PAT with a router or firewall, as only high-end switches support NAT, or you can do a VPN, and then you won't need these public IP addresses for the servers.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a008011c629.shtml

Regards.

Alain.

Don't forget to rate helpful posts.
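
The router-side piece that both replies point at, added here as an example rather than anything from Collin's or Alain's posts or the linked tech note: once the servers' public NICs are removed, the internal server is published from outside on HTTP only with a port-restricted static NAT entry on the router. It assumes Cisco IOS on the router, that the ISP routes 215.240.42.192/27 to it, that GigabitEthernet0/0 faces the ISP and GigabitEthernet0/1 faces the layer 3 switch (interface names are assumptions; interface addressing and the routes toward the private VLANs are omitted), and that the user VLANs reach the internet through PAT on the same router.

```cisco
! Added example (not from the thread): Cisco IOS static PAT on the router so
! that the internal server (192.168.10.99) is reachable from outside on HTTP
! only. Interface names are assumptions; addressing and routes are omitted.
interface GigabitEthernet0/0
 description outside, ISP-facing (name assumed)
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description inside, toward the layer 3 switch (name assumed)
 ip nat inside
!
! Translate only TCP/80 of the public address to the private server address.
! No other port of 215.240.42.195 is mapped, so only HTTP reaches the server.
ip nat inside source static tcp 192.168.10.99 80 215.240.42.195 80
!
! Outbound PAT for the user VLANs (whole private /25) behind the outside
! interface. The static entry above wins for 192.168.10.99 port 80.
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.127
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! Anything else sent to the public /27 has no translation; discard it rather
! than let it bounce between the router and the ISP.
ip route 215.240.42.192 255.255.255.224 Null0
!
! Inbound filter on the outside interface. It is evaluated before inbound
! NAT, so it matches on the public (global) address. Only HTTP to the
! published address is opened; "established" passes TCP replies for sessions
! opened from inside. Return traffic that is not TCP (e.g. UDP DNS replies)
! needs its own permits here, or use the router's stateful inspection instead.
ip access-list extended OUTSIDE-IN
 permit tcp any host 215.240.42.195 eq www
 permit tcp any any established
 deny   ip any any log
```

With this in place the switch ACLs on the SVIs are the only thing deciding which VLAN may reach the server's single private address, which is the deterministic flow Collin describes. Verify the mapping with `show ip nat translations` after a connection from outside, and `show ip nat statistics` to confirm which interfaces are marked inside and outside.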