Access list creation
10-08-2018 06:59 AM - edited 03-08-2019 04:19 PM
Hi,
Can you please help me with the scenario below?
I have an access list for a VLAN. My requirement is that I need to block all communication between this VLAN and another, allowing only LDAP requests.
Suppose the networks are as below:
192.168.1.0/24 - Production network
192.168.2.0/24 - Test network
I want communication from the test network to production to allow only LDAP requests.
Thanks,
Labels: LAN Switching
10-08-2018 07:14 AM - edited 10-08-2018 12:20 PM
Hi there
The following permits LDAP from test to prod, blocks all other traffic to prod, but permits flows to other subnets.
(edited...)
!
ip access-list extended ACL01
 ! LDAP (TCP and UDP 389) from test to prod is permitted first
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 389
 permit udp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 389
 ! everything else from test to prod is denied
 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 ! flows from test to any other subnet are still allowed
 permit ip any any
!
interface vlan10
 ip address 192.168.2.254 255.255.255.0
 ! applied inbound on the test-network SVI, so it sees traffic sourced in 192.168.2.0/24
 ip access-group ACL01 in
!
cheers,
Seb.
10-08-2018 09:22 AM - edited 10-08-2018 09:32 AM
Hello
@Seb Rupik wrote:
Hi there
The following permits LDAP from test to prod, blocks all other traffic to prod, but permits flows to other subnets.
!
ip access-list extended ACL01
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 389
 permit udp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 389
 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
!
interface vlan10
 desc prod_network
 ip access-group ACL01 in
!
I would just like to add that the RACL logic with regard to an SVI is as follows:
IN = traffic originating from within the VLAN
OUT = traffic originating from outside the VLAN
So @Seb Rupik's ACL would be correct if the VLAN 10 network is indeed 192.168.2.0/24; otherwise the ACL should be applied OUT.
Also, regarding @cesarfer's VACL permit 20 statement: even though it is good practice to do so, there is no need to specify an action of forward, as that is the default anyway.
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
10-08-2018 08:10 AM
Hello,
If this is a switch, then what you need is a VLAN ACL. The configuration guide is found below:
Example:
ip access-list extended TEST
 ! In a VLAN map a deny in the match ACL means "not matched by this sequence",
 ! so the LDAP flows fall through sequence 10 and reach the forward in sequence 20
 deny tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 389
 deny udp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 389
 ! all other traffic from test to production is matched here and dropped by sequence 10
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
vlan access-map LDAP 10
 match ip address TEST
 action drop
vlan access-map LDAP 20
 action forward
! replace # with the VLAN where you want to apply this filter
vlan filter LDAP vlan-list #
The way it works is that you create a VLAN access map. The first sequence (10) will drop the traffic you match in the ACL. The second sequence (20) will forward anything else.
Thanks,
Cesar Fernandez J
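Added example, covering both Seb's RACL and the VLAN access-map approach above; it is not code from any post in this thread and not Cisco's. It is a small Python model of how IOS walks an extended ACL (first match wins, wildcard bits set to 1 are ignored, implicit deny at the end) and how a VLAN access-map treats its match ACL (a sequence applies only to packets its ACL permits; a deny in that ACL means "not matched", so the packet falls through to the next sequence; a packet no sequence matches is dropped). The ACL names ACL01 and TEST are the thread's; the LDAP_ONLY ACL, the host addresses and the sample flows are assumptions constructed for the check.

```python
import ipaddress

# Added example for this thread, not code from the posts or from Cisco. It models
# first-match evaluation of IOS extended ACLs and VLAN access-maps and runs the
# thread's two approaches over constructed flows sourced in the test VLAN.

TEST_NET = ("192.168.2.0", "0.0.0.255")   # test network as "network wildcard"
PROD_NET = ("192.168.1.0", "0.0.0.255")   # production network

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def ace(action, proto, src, src_wild, dst, dst_wild, dport=None):
    """One access-control entry; 'any' stands for 0.0.0.0 255.255.255.255."""
    if src == "any":
        src, src_wild = "0.0.0.0", "255.255.255.255"
    if dst == "any":
        dst, dst_wild = "0.0.0.0", "255.255.255.255"
    return {"action": action, "proto": proto, "dport": dport,
            "src": (_ip(src), _ip(src_wild)), "dst": (_ip(dst), _ip(dst_wild))}

def _wild_match(addr, net_wild):
    # IOS wildcard mask: a 1 bit means "don't care", so only the 0 bits are compared.
    net, wild = net_wild
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)

def ace_matches(entry, flow):
    if entry["proto"] != "ip" and entry["proto"] != flow["proto"]:
        return False
    if not _wild_match(_ip(flow["src"]), entry["src"]):
        return False
    if not _wild_match(_ip(flow["dst"]), entry["dst"]):
        return False
    return entry["dport"] is None or entry["dport"] == flow.get("dport")

def acl_verdict(entries, flow):
    """Router ACL semantics: first matching ACE wins, implicit deny at the end."""
    for entry in entries:
        if ace_matches(entry, flow):
            return entry["action"]
    return "deny"

def vacl_verdict(access_map, acls, flow):
    """VLAN map semantics: a sequence with a match ACL applies only to packets that
    ACL permits (deny = not matched, fall through); a sequence without a match
    clause matches everything; a packet no sequence matches is dropped."""
    for acl_name, action in access_map:
        if acl_name is None or acl_verdict(acls[acl_name], flow) == "permit":
            return action
    return "drop"

ACLS = {
    # Seb's RACL, applied inbound on the test-network SVI.
    "ACL01": [
        ace("permit", "tcp", *TEST_NET, *PROD_NET, 389),
        ace("permit", "udp", *TEST_NET, *PROD_NET, 389),
        ace("deny", "ip", *TEST_NET, *PROD_NET),
        ace("permit", "ip", "any", None, "any", None),
    ],
    # Match ACL for a map whose first sequence is "action drop": LDAP is denied
    # (falls through to the forward sequence), other test -> prod is permitted.
    "TEST": [
        ace("deny", "tcp", *TEST_NET, *PROD_NET, 389),
        ace("deny", "udp", *TEST_NET, *PROD_NET, 389),
        ace("permit", "ip", *TEST_NET, *PROD_NET),
    ],
    # Assumed name: a match ACL that permits only LDAP, to show what pairing it
    # with "action drop" really does.
    "LDAP_ONLY": [
        ace("permit", "tcp", *TEST_NET, *PROD_NET, 389),
        ace("permit", "udp", *TEST_NET, *PROD_NET, 389),
    ],
}

# (match ACL or None, action) per sequence, in sequence order.
VACL_LDAP_MAP = [("TEST", "drop"), (None, "forward")]
VACL_DROPS_LDAP = [("LDAP_ONLY", "drop"), (None, "forward")]

FLOWS = {  # constructed sample packets from a test-VLAN host
    "ldap_tcp": {"proto": "tcp", "src": "192.168.2.10", "dst": "192.168.1.5", "dport": 389},
    "ldap_udp": {"proto": "udp", "src": "192.168.2.10", "dst": "192.168.1.5", "dport": 389},
    "ldaps":    {"proto": "tcp", "src": "192.168.2.10", "dst": "192.168.1.5", "dport": 636},
    "smb":      {"proto": "tcp", "src": "192.168.2.10", "dst": "192.168.1.5", "dport": 445},
    "icmp":     {"proto": "icmp", "src": "192.168.2.10", "dst": "192.168.1.5"},
    "to_other": {"proto": "tcp", "src": "192.168.2.10", "dst": "10.0.0.5", "dport": 443},
}

def racl_results():
    return {name: acl_verdict(ACLS["ACL01"], flow) for name, flow in FLOWS.items()}

def vacl_results(access_map):
    return {name: vacl_verdict(access_map, ACLS, flow) for name, flow in FLOWS.items()}

def as_vacl(racl):
    """Translate RACL verdicts into VACL actions so the two can be compared."""
    return {name: ("forward" if v == "permit" else "drop") for name, v in racl.items()}

if __name__ == "__main__":
    print("RACL ACL01      ", racl_results())
    print("VACL LDAP map   ", vacl_results(VACL_LDAP_MAP))
    print("VACL drops LDAP ", vacl_results(VACL_DROPS_LDAP))
```

Two caveats the model makes visible. First, "eq 389" covers plain LDAP only: LDAPS on 636 (and, on Active Directory, the global catalog ports 3268/3269) is denied by both approaches, so the client side has to be using 389 (with or without STARTTLS) or those ports need their own entries. Second, a map whose first sequence is "action drop" behaves as intended only when its match ACL denies the LDAP flows; pairing that sequence with an ACL that permits only LDAP drops exactly the traffic the question wants to keep and forwards the rest. The RACL is also stateless: applied inbound on the test SVI it never sees the replies from production, which enter on the production SVI, so any inbound ACL there has to permit them.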