Solved: access list to restrict access in same VLAN/Subnet

night-fury · ‎11-06-2017

Hi,

I need some help with access-list !

i have a subnet 192.168.8.0 255.255.252.0 (VLAN 1)

In the same subnet i have a server 192.168.8.52

in the same subnet i have a range of IP 192.168.9.1 - 192.168.9.127.

Now i want to create an apply an access-list which can deny the IP range to access the server. Rest all should be allowed.

I have tried many possibilities but none of then could stop the server being access from the IP range.

here's what i have finally:

10 permit tcp 192.168.9.1 0.0.0.127 host 192.168.8.3 range 67 68
20 permit tcp 192.168.9.1 0.0.0.127 host 192.168.8.4 eq 443
30 permit tcp 192.168.9.1 0.0.0.127 host 192.168.8.86
40 permit tcp 192.168.9.1 0.0.0.127 host 192.168.8.3 eq domain
50 permit tcp 192.168.9.1 0.0.0.127 eq domain host 192.168.8.3
60 permit udp 192.168.9.1 0.0.0.127 host 192.168.8.3 eq domain
70 permit udp 192.168.9.1 0.0.0.127 eq domain host 192.168.8.3
80 deny ip 192.168.9.1 0.0.0.127 host 192.168.8.52
90 deny ip 192.168.9.1 0.0.0.127 192.168.8.0 0.31.255.255
100 permit ip any any

Georg Pauwen · ‎11-07-2017

Hello,

if your software supports it, you could configure a VACL (VLAN Access List). In your case it would look like below:

access-list 100 permit ip 192.168.9.0 0.0.0.127 host 192.168.8.52
access-list 100 permit ip host 192.168.9.127 host 192.168.8.52

!

vlan access-map DENY_SERVER 10
match ip address 100
action drop
vlan access-map DENY_SERVER 20
action forward

!

vlan filter DENY_SERVER vlan-list 1

View solution in original post

Meheretab Mengistu · ‎11-07-2017

Hi,

Did you apply it to the SVI "in" direction?
Please post the output of 'sh run | s access-' if the above couldn't fix it.

HTH,
Meheretab

HTH,
Meheretab

night-fury · ‎11-07-2017

yes i did apply it in the 'IN' direction

interface Vlan1
ip address 192.168.8.1 255.255.252.0
ip access-group abc in
ip helper-address 192.168.8.3
end

Georg Pauwen · ‎11-07-2017

Hello,

if your software supports it, you could configure a VACL (VLAN Access List). In your case it would look like below:

access-list 100 permit ip 192.168.9.0 0.0.0.127 host 192.168.8.52
access-list 100 permit ip host 192.168.9.127 host 192.168.8.52

!

vlan access-map DENY_SERVER 10
match ip address 100
action drop
vlan access-map DENY_SERVER 20
action forward

!

vlan filter DENY_SERVER vlan-list 1

night-fury · ‎11-07-2017

i have never used VACL. however i checked my switch and it does support VACLs. So i am going to try this. one question though, both the server and IP range are in the same VLAN (subnet), will the VACL be able to restrict the access in this case?

and in the below, what does 10, 20 and 1 refer to?

vlan access-map DENY_SERVER 10
match ip address 100
action drop
vlan access-map DENY_SERVER 20
action forward

!

vlan filter DENY_SERVER vlan-list 1

paul driver · ‎11-07-2017

Hello

You can use a RACL instead.

ip access-list extened no-VLAN9

deny ip 192.168.9.0 0.0.127 host 192.168.8.52

permit ip any any

int vlan 8
ip access-group no-VLAN9 OUT

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

night-fury · ‎11-07-2017

hi paul,

i already tried that. my initial post has the ACL entry that you posted. but that did not help. my ACl is applied in the IN direction, not OUT. however the acces sto 192.168.8.52 is not blocked eitherway.

i guess you are assuming that the IP range a nd server are in diff VLANs, but they are in same VLAN. just clarifying.

paul driver · ‎11-07-2017

Hello

In that case you could use a static mac address entry for the server if its the whole vlan you wish to deny

mac-address table static (servers mac address) vlan x drop

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Georg Pauwen · ‎11-07-2017

Hello,

actually, VACLs are designed exactly for that, to restrict intra-Vlan traffic. The 10 and 20 are just sequence numbers, similar to what you see in route maps.

1 is your Vlan, Vlan 1.

night-fury · ‎11-16-2017

I have a query though, if u can help please.

i have two subnets:

10.10.10.0 255.255.255.0 (LAN-vlan 2) &

20.20.20.0 255.255.255.0 (Wifi - vlan 20)

i want to block access of a few wifi users to a server in LAN VLAN. say, i do not want users with IPs:

20.20.20.8 & 20.20.20.9 to access the server 10.10.10.11

in this case, what would the vlan-list command end with? source vlan (vlan 20) or destination vlan (vlan 2)

access-list 100 permit ip 20.20.20.8 0.0.0.0 host 10.10.10.11
access-list 100 permit ip 20.20.20.9 0.0.0.0 host 10.10.10.11
!
vlan access-map DENY_Srv 10
match ip address 100
action drop
vlan access-map DENY_Srv 20
action forward
!
vlan filter DENY_Srv vlan-list 2 /20

night-fury · ‎11-16-2017

awesome, did what i need exactly !! thanks a ton Georg.

Did not get time to implement it earlier, configured it today.