11-06-2017 11:59 PM - edited 03-08-2019 12:38 PM
Hi,
I need some help with an access-list!
I have a subnet 192.168.8.0 255.255.252.0 (VLAN 1).
In the same subnet I have a server, 192.168.8.52.
In the same subnet I have a range of IPs, 192.168.9.1 - 192.168.9.127.
Now I want to create and apply an access-list which can deny the IP range access to the server. Everything else should be allowed.
I have tried many possibilities but none of them could stop the server being accessed from the IP range.
Here's what I have finally:
10 permit tcp 192.168.9.1 0.0.0.127 host 192.168.8.3 range 67 68
20 permit tcp 192.168.9.1 0.0.0.127 host 192.168.8.4 eq 443
30 permit tcp 192.168.9.1 0.0.0.127 host 192.168.8.86
40 permit tcp 192.168.9.1 0.0.0.127 host 192.168.8.3 eq domain
50 permit tcp 192.168.9.1 0.0.0.127 eq domain host 192.168.8.3
60 permit udp 192.168.9.1 0.0.0.127 host 192.168.8.3 eq domain
70 permit udp 192.168.9.1 0.0.0.127 eq domain host 192.168.8.3
80 deny ip 192.168.9.1 0.0.0.127 host 192.168.8.52
90 deny ip 192.168.9.1 0.0.0.127 192.168.8.0 0.31.255.255
100 permit ip any any
11-07-2017 12:38 AM
Hello,
if your software supports it, you could configure a VACL (VLAN Access List). In your case it would look like below:
access-list 100 permit ip 192.168.9.0 0.0.0.127 host 192.168.8.52
access-list 100 permit ip host 192.168.9.127 host 192.168.8.52
!
vlan access-map DENY_SERVER 10
match ip address 100
action drop
vlan access-map DENY_SERVER 20
action forward
!
vlan filter DENY_SERVER vlan-list 1
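To see how the VACL above is evaluated, here is an added Python model (not from the post and not Cisco code) of Cisco wildcard matching and access-map sequencing. It assumes the standard semantics: a wildcard bit set to 1 is "don't care", a VACL sequence matches only on the ACL's permit entries, and an access map ends in an implicit drop.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard compare: only bits where the wildcard is 0 are checked."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>' where each side is
    'host X', 'any' or 'X WILDCARD'. Returns (action, (src, wc), (dst, wc))."""
    tokens = line.split()
    action, rest = tokens[0], tokens[2:]
    specs = []
    while len(specs) < 2:
        if rest[0] == "host":
            specs.append((rest[1], "0.0.0.0")); rest = rest[2:]
        elif rest[0] == "any":
            specs.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
        else:
            specs.append((rest[0], rest[1])); rest = rest[2:]
    return action, specs[0], specs[1]

def acl_permits(acl_lines, src, dst):
    """First matching entry wins; no match means implicit deny."""
    for line in acl_lines:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

# Constructed from the access-list 100 shown in the post.
ACL_100 = [
    "permit ip 192.168.9.0 0.0.0.127 host 192.168.8.52",
    "permit ip host 192.168.9.127 host 192.168.8.52",
]

# vlan access-map DENY_SERVER: seq 10 matches ACL 100 -> drop, seq 20 -> forward.
# A sequence with no 'match' clause (None) matches every packet.
DENY_SERVER = [(10, ACL_100, "drop"), (20, None, "forward")]

def vacl_action(access_map, src, dst):
    """Walk the access map in sequence order; a 'deny' ACE in the matched
    ACL does not match the clause, so evaluation moves to the next sequence."""
    for seq, acl, action in access_map:
        if acl is None or acl_permits(acl, src, dst):
            return action
    return "drop"  # implicit deny at the end of a VLAN access map
```

Running `vacl_action(DENY_SERVER, "192.168.9.5", "192.168.8.52")` returns `"drop"` while a source outside the range, or the same source to another host, returns `"forward"`; the second ACL line is already covered by the first, because `0.0.0.127` matches `192.168.9.0` through `192.168.9.127`.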
11-07-2017 01:42 AM
Yes, I did apply it in the 'in' direction:
interface Vlan1
ip address 192.168.8.1 255.255.252.0
ip access-group abc in
ip helper-address 192.168.8.3
end
11-07-2017 01:54 AM
I have never used VACLs. However, I checked my switch and it does support VACLs, so I am going to try this. One question though: both the server and the IP range are in the same VLAN (subnet); will the VACL be able to restrict the access in this case?
And in the below, what do 10, 20 and 1 refer to?
vlan access-map DENY_SERVER 10
match ip address 100
action drop
vlan access-map DENY_SERVER 20
action forward
!
vlan filter DENY_SERVER vlan-list 1
11-07-2017 02:38 AM - edited 11-07-2017 02:41 AM
Hello
You can use a RACL instead.
ip access-list extended no-VLAN9
deny ip 192.168.9.0 0.0.0.127 host 192.168.8.52
permit ip any any
int vlan 8
ip access-group no-VLAN9 OUT
res
Paul
11-07-2017 05:19 AM - edited 11-07-2017 05:25 AM
Hello
In that case you could use a static MAC address entry for the server, if it's the whole VLAN you wish to deny:
mac-address-table static (server's MAC address) vlan x drop
res
Paul
11-07-2017 03:23 AM
Hello,
actually, VACLs are designed exactly for that, to restrict intra-Vlan traffic. The 10 and 20 are just sequence numbers, similar to what you see in route maps.
1 is your Vlan, Vlan 1.
11-16-2017 06:53 AM
I have a query though, if you can help please.
I have two subnets:
10.10.10.0 255.255.255.0 (LAN - VLAN 2) &
20.20.20.0 255.255.255.0 (Wifi - VLAN 20)
I want to block access of a few wifi users to a server in the LAN VLAN. Say I do not want users with IPs
20.20.20.8 & 20.20.20.9 to access the server 10.10.10.11.
In this case, what would the vlan-list command end with? The source VLAN (VLAN 20) or the destination VLAN (VLAN 2)?
access-list 100 permit ip 20.20.20.8 0.0.0.0 host 10.10.10.11
access-list 100 permit ip 20.20.20.9 0.0.0.0 host 10.10.10.11
!
vlan access-map DENY_Srv 10
match ip address 100
action drop
vlan access-map DENY_Srv 20
action forward
!
vlan filter DENY_Srv vlan-list 2 /20