Access-list for response port

chpmotry
Level 1

Hi guys.

I have a network with the topology below:

Server VLAN 2 should only be able to answer remote requests from the server in VLAN 3 and have no other permissions. Server VLAN 3 should have unlimited access.

I typed the commands below on the core switch of the topology above:

ip access-list extended acl-vl2
 permit tcp host 172.16.2.2 host 172.16.3.2 eq 3389 established
 deny ip any any
!
int vlan 2
 ip add 172.16.2.1 255.255.255.0
 ip access-group acl-vl2 in
!
int vlan 3
 ip add 172.16.3.1 255.255.255.0

But the result of these commands was that the server in VLAN 2 could still remote into the server in VLAN 3.

I tested the command below:

ip access-list extended acl-vl2
 permit tcp host 172.16.2.2 host 172.16.3.2 established
 deny ip any any

but the result did not change.

What command should I type to fix this problem?

Accepted Solution

M02@rt37
VIP

Hello @chpmotry

"Server VLAN 2 should only be able to answer remote requests from the server in VLAN 3 and have no other permissions."

ip access-list extended acl-vl2
 permit tcp host 172.16.2.2 eq 3389 host 172.16.3.2
 deny ip any any

Best regards


3 Replies


"Server VLAN 2 should only be able to answer remote requests from the server in VLAN 3 and have no other permissions."

What M02@rt37 provided for the ACE is likely "good enough", but you might further tighten it with a variation from OP, i.e.:

permit tcp host 172.16.2.2 eq 3389 host 172.16.3.2 established 

Also as request was just to block the VLAN 2 server, you might also change:

deny ip any any !also blocks all other hosts on that VLAN

to:

deny ip host 172.16.2.2 any !Of course, still keeping the prior permit ACE too.
permit ip any any
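As an added example to go with M02@rt37's accepted ACE and the tightening suggested in the reply above (this is not part of the thread and not a Cisco tool), here is a small Python model of stateless extended-ACL matching: first match wins, implicit deny at the end, and `established` matches only when ACK or RST is set. It runs the three ACLs from this thread against constructed packets as they would arrive inbound on interface VLAN 2, i.e. packets sent by VLAN 2 hosts. The 172.16.x.x addresses are the post's; the port numbers, TCP flags and the extra host 172.16.2.10 are assumptions made for the demonstration.

```python
# Added example (not from the thread, not a Cisco tool): a toy model of how a
# stateless IOS extended ACL evaluates TCP segments. It is applied, as in the
# thread, INBOUND on interface VLAN 2, so every packet below is one sent by a
# host in VLAN 2 toward the core switch. Addresses are those from the post;
# ports, flags and the extra host are assumptions constructed for this demo.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False  # TCP ACK flag set
    rst: bool = False  # TCP RST flag set


@dataclass(frozen=True)
class Ace:
    """One access-control entry. None means 'any'. Only TCP is modelled, so
    'deny ip any any' is represented as Ace('deny') with every field None."""
    action: str
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None   # 'eq N' written after the SOURCE address
    dport: Optional[int] = None   # 'eq N' written after the DESTINATION address
    established: bool = False     # IOS: match only segments with ACK or RST set

    def matches(self, p: Packet) -> bool:
        if self.src is not None and p.src != self.src:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.ack or p.rst):
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


VL2_SRV, VL3_SRV, RDP = "172.16.2.2", "172.16.3.2", 3389

# OP's first attempt: 'eq 3389' after the destination, so it describes the
# CLIENT side of a session that 172.16.2.2 opens toward 172.16.3.2 (wrong way).
ACL_OP = [Ace("permit", VL2_SRV, VL3_SRV, dport=RDP, established=True), Ace("deny")]

# Accepted solution: 'eq 3389' after the source, i.e. replies from the RDP
# service on 172.16.2.2 back to 172.16.3.2.
ACL_ACCEPTED = [Ace("permit", VL2_SRV, VL3_SRV, sport=RDP), Ace("deny")]

# The tightening from the reply above: replies only (established), and only
# the one server is restricted; the rest of VLAN 2 keeps its access.
ACL_TIGHT = [
    Ace("permit", VL2_SRV, VL3_SRV, sport=RDP, established=True),
    Ace("deny", VL2_SRV),
    Ace("permit"),
]

# Constructed traffic, all sent by VLAN 2 hosts (inbound on interface VLAN 2).
PACKETS: Dict[str, Packet] = {
    # SYN/ACK from 2.2 answering an RDP connection opened by 3.2 (wanted).
    "rdp_reply_to_vl3": Packet(VL2_SRV, VL3_SRV, RDP, 51000, ack=True),
    # 2.2 opening RDP to 3.2 itself (not wanted).
    "rdp_syn_from_vl2": Packet(VL2_SRV, VL3_SRV, 51001, RDP),
    # 2.2 opening SSH to 3.2 but choosing source port 3389 (not wanted).
    "ssh_syn_sport3389": Packet(VL2_SRV, VL3_SRV, RDP, 22),
    # A crafted ACK-only probe with source port 3389: 'established' is a flag
    # check, not connection tracking, so a stateless ACL cannot tell it from a reply.
    "ack_probe_sport3389": Packet(VL2_SRV, VL3_SRV, RDP, 22, ack=True),
    # Some other host in VLAN 2 browsing to 3.2 (collateral of 'deny ip any any').
    "other_host_http": Packet("172.16.2.10", VL3_SRV, 40000, 80),
}


def verdicts(acl: List[Ace]) -> Dict[str, str]:
    """Evaluate every constructed packet against one ACL."""
    return {name: evaluate(acl, p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("OP", ACL_OP), ("accepted", ACL_ACCEPTED), ("tightened", ACL_TIGHT)):
        print(label)
        for name, action in verdicts(acl).items():
            print(f"  {action:6s} {name}")
```

Running it shows three things: the OP's original ACE denies even the wanted reply, because it names the destination port; the accepted ACE also lets 172.16.2.2 open new connections to 172.16.3.2 as long as it picks source port 3389; and adding `established` closes that gap while still admitting a crafted ACK-flagged probe, since `established` only tests flag bits. A stateless ACL cannot distinguish that probe from a genuine reply; where that matters, a stateful feature such as reflexive ACLs or the zone-based firewall on IOS is the right tool.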

 

Thank you so much @Joseph W. Doherty

I tested your commands and recommendation.
