
Access list creation

Hi,

Can you please help me with the scenario below.

I have an access list for a VLAN. My requirement is that I need to block all communication between this VLAN and another, and allow only LDAP requests.

Suppose the networks are as below:

192.168.1.0/24 - Production network

192.168.2.0/24 - Test network

I want communication from the test network to production to allow only LDAP requests.

Thanks,

VIP Advisor

Hi there

The following permits LDAP from test to prod, blocks all other traffic to prod, but permits flows to other subnets.

(edited...)

!
! LDAP (TCP and UDP 389) from test to prod is permitted, any other test-to-prod
! traffic is denied, and everything else from test is permitted. Lines are
! evaluated top-down, first match wins.
ip access-list ext ACL01
  permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 389
  permit udp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 389
  deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip any any
!
! Applied inbound on the test VLAN's SVI, so it filters packets sourced from
! 192.168.2.0/24. The ACL name applied must match the one defined above.
int vlan10
  ip address 192.168.2.254 255.255.255.0
  ip access-group ACL01 in
!

 

cheers,

Seb.


Hello

 


@Seb Rupik wrote:

Hi there

The following permits LDAP from test to prod, blocks all other traffic to prod, but permits flows to other subnets.

!
ip access-list ext ACL01
  permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 389
  permit udp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 389
  deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip any any
!
int vlan10
  desc prod_network
  ip access-group ACL01 in
!


I'd just like to add that the RACL logic regarding SVIs is as follows:
IN = Traffic originating from within the VLAN
OUT = Traffic originating from outside the VLAN

So @Seb Rupik's ACL would be correct if the VLAN 10 network is indeed 192.168.2.0/24; otherwise the ACL should be applied OUT.

Also, regarding @cesarfer's VACL permit 20 statement: even though it's good practice to do so, there is no need to specify an action of forward, as that is the default anyway.



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Cisco Employee

Hello, 

 

If this is a switch then what you need is a VLAN ACL. The configuration guide is found below:

 

 

Example:

 

ip access-list extended TEST
 remark Sequence 10 below drops whatever this ACL *permits*. A deny ACE here
 remark means "not matched by sequence 10", so the LDAP lines exempt LDAP from the drop.
 deny tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 389
 deny udp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 389
 remark All other traffic from test to prod is matched and will be dropped.
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

vlan access-map LDAP 10
 match ip address TEST
 action drop

vlan access-map LDAP 20
 action forward

vlan filter LDAP vlan-list # . --> Here you specify the VLAN where you want to apply this filter.



The way it works is that you create a VLAN access map. The first sequence (10) will drop the traffic you match in the ACL. The second sequence (20) will forward anything else. 

 

Thanks, 


Cesar Fernandez J
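To make the two models in this thread concrete (Seb's routed ACL on an SVI together with Paul's in/out rule, and Cesar's VLAN access-map), here is a small evaluator added by the editor; it is not code from any of the posts. It replays constructed flows between the question's two subnets through both filters. Hosts 192.168.2.10, 192.168.1.5 and 10.0.0.1, the ports used, the "established" variant of the ACL, and the assumption that a packet falling off the end of an access map is dropped are all the editor's, not from the thread; wildcard 0.0.0.255 is written as /24.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

TEST, PROD, ANY = "192.168.2.0/24", "192.168.1.0/24", "0.0.0.0/0"   # question's subnets, IOS "any"

@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False   # TCP ACK bit set: a reply segment, not a new SYN

@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches any protocol
    src: str            # CIDR; IOS wildcard 0.0.0.255 == /24
    dst: str
    dport: int = 0      # 0 = no "eq" port qualifier
    established: bool = False   # IOS "established": only TCP segments with ACK (or RST) set

    def matches(self, f: Flow) -> bool:
        if self.proto not in ("ip", f.proto):
            return False
        if ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(f.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport and self.dport != f.dport:
            return False
        return not self.established or (f.proto == "tcp" and f.ack)

def acl_lookup(acl: list[Ace], f: Flow) -> str:
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(f):
            return ace.action
    return "deny"

def svi_racl(f: Flow, acl: list[Ace], svi_subnet: str, direction: str) -> str:
    """Paul's rule: a RACL 'in' on an SVI sees only packets sourced from that VLAN's
    subnet, 'out' only packets destined to it; anything else is routed unfiltered."""
    net = ipaddress.ip_network(svi_subnet)
    addr = ipaddress.ip_address(f.src if direction == "in" else f.dst)
    return acl_lookup(acl, f) if addr in net else "permit"

def vacl(access_map: list[tuple[list[Ace] | None, str]], f: Flow) -> str:
    """Cesar's model: the first sequence whose match ACL *permits* the flow applies its
    action; a deny ACE or no matching ACE means 'not this sequence', not 'drop'. A
    sequence with no match clause takes every flow; falling off the end is assumed to drop."""
    for match_acl, action in access_map:
        if match_acl is None or acl_lookup(match_acl, f) == "permit":
            return action
    return "drop"

# Seb's ACL01.
ACL01 = [
    Ace("permit", "tcp", TEST, PROD, 389),
    Ace("permit", "udp", TEST, PROD, 389),
    Ace("deny", "ip", TEST, PROD),
    Ace("permit", "ip", ANY, ANY),
]
# Same ACL with an "established" line in front so replies to prod-initiated TCP
# sessions survive the deny line (editor's addition, not in the thread).
ACL01_EST = [Ace("permit", "tcp", TEST, PROD, established=True)] + ACL01

# Cesar's map: TEST selects what sequence 10 drops, so LDAP is exempted with deny ACEs.
TEST_ACL = [
    Ace("deny", "tcp", TEST, PROD, 389),
    Ace("deny", "udp", TEST, PROD, 389),
    Ace("permit", "ip", TEST, PROD),
]
LDAP_MAP = [(TEST_ACL, "drop"), (None, "forward")]
# The easy slip: an ACL that permits the *allowed* traffic, placed under "action drop".
BAD_MAP = [([Ace("permit", "tcp", TEST, PROD, 389)], "drop"), (None, "forward")]

# Constructed flows; hosts and ports are illustrative, not from the thread.
LDAP = Flow("tcp", "192.168.2.10", "192.168.1.5", 389)
SSH = Flow("tcp", "192.168.2.10", "192.168.1.5", 22)
ELSEWHERE = Flow("tcp", "192.168.2.10", "10.0.0.1", 443)
PROD_INITIATED = Flow("tcp", "192.168.1.5", "192.168.2.10", 22)
ITS_REPLY = Flow("tcp", "192.168.2.10", "192.168.1.5", 51000, ack=True)

def racl_results() -> dict[str, str]:
    """ACL01 inbound on the test SVI, and the same ACL misplaced on the prod SVI."""
    return {
        "ldap, test SVI in": svi_racl(LDAP, ACL01, TEST, "in"),             # permit
        "ssh, test SVI in": svi_racl(SSH, ACL01, TEST, "in"),               # deny
        "elsewhere, test SVI in": svi_racl(ELSEWHERE, ACL01, TEST, "in"),   # permit
        "ssh, prod SVI in": svi_racl(SSH, ACL01, PROD, "in"),               # permit: ACL never consulted
        "ssh, prod SVI out": svi_racl(SSH, ACL01, PROD, "out"),             # deny: Paul's "apply OUT"
        "prod-initiated ssh": svi_racl(PROD_INITIATED, ACL01, TEST, "in"),  # permit: not seen inbound
        "its reply": svi_racl(ITS_REPLY, ACL01, TEST, "in"),                # deny: stateless ACL
        "its reply, established": svi_racl(ITS_REPLY, ACL01_EST, TEST, "in"),  # permit
    }

def vacl_results() -> dict[str, str]:
    return {
        "ldap": vacl(LDAP_MAP, LDAP),            # forward: the deny ACE exempts it from sequence 10
        "ssh": vacl(LDAP_MAP, SSH),              # drop
        "elsewhere": vacl(LDAP_MAP, ELSEWHERE),  # forward via sequence 20
        "ldap, BAD_MAP": vacl(BAD_MAP, LDAP),    # drop: the inverted result
    }
```

Two things this shows that the configs alone do not. First, the routed ACL is stateless: a TCP session that production opens towards a test host is not seen by ACL01 on the way in, but its reply segments are test-sourced and hit the deny line, so that session dies unless an "established" line (or a reflexive ACL) is placed ahead of it. Second, in a VLAN map the access list is a selector, not a filter: a permit ACE picks traffic for the sequence's action, a deny ACE just hands the packet to the next sequence, and putting the allowed traffic under "action drop" drops exactly what should pass.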

 
