02-14-2013 05:12 AM - edited 03-07-2019 11:43 AM
Hello
I have 5 VLANs and need to restrict two servers' access to all VLANs except the Management VLAN; other servers in the server VLAN should be accessible by all VLANs.
Servers are in VLAN 12.
Server IPs: 192.168.1.100 and 192.168.1.101
Management_Vlan is VLAN 14.
int vlan 10
description users
ip address 10.10.10.1 255.255.255.0
int vlan 11
description wireless users
ip address 10.10.20.1 255.255.255.0
int vlan 12
description Server
ip address 192.168.1.1 255.255.255.0
interface vlan 13
description Sales
ip address 192.168.2.1 255.255.255.0
interface vlan 14
description Management_Vlan
ip address 192.168.10.1 255.255.255.0
I need assistance with the extended ACL to restrict this access.
I tested the following ACL but it didn't work:
ip access-list extended SERVER
permit ip 192.168.10.0 0.0.0.255 host 192.168.1.100
permit ip 192.168.10.0 0.0.0.255 host 192.168.1.101
deny ip any host 192.168.1.100
deny ip any host 192.168.1.101
permit ip any any
int vlan 12
description Server
ip address 192.168.1.1 255.255.255.0
ip access-group SERVER in
ip access-group SERVER out
best wishes
Joe
02-14-2013 09:15 AM
Are you wanting to allow 192.168.1.100 and .101 to the management VLAN only? If so, your ACL could look like:
ip access-list ext SERVER
permit ip host 192.168.1.100 192.168.10.0 0.0.0.255
permit ip host 192.168.1.101 192.168.10.0 0.0.0.255
deny ip host 192.168.1.100 any
deny ip host 192.168.1.101 any
permit ip any any
int vlan 12
ip access-group SERVER in
HTH,
John
*** Please rate all useful posts ***
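To check how John's ACL behaves once it is applied inbound on the vlan 12 SVI, here is an added example (my own code, not from the thread): a small evaluator for Cisco-style extended IP ACLs run against constructed flows. The destination hosts .20 in the flows are assumed for illustration.

```python
import ipaddress
# Added example, not from the thread: a minimal evaluator for Cisco-style
# extended IP ACLs, used to check John's ACL against constructed flows. It
# models first-match-wins, wildcard masks, and the implicit trailing deny.
def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def _spec(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_ace(line):
    """'permit|deny ip <src> <dst>' -> (action, src_spec, dst_spec)."""
    action, _proto, *rest = line.split()  # only plain 'ip' entries are modelled
    src, rest = _spec(rest)
    dst, _ = _spec(rest)
    return action, src, dst

def matches(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # 1-bits in the wildcard are "don't care"
    return (_ip(addr) & care) == (base & care)

def evaluate(acl_lines, src, dst):
    """Return 'permit' or 'deny' for a packet src -> dst; first match wins."""
    for line in acl_lines:
        action, s, d = parse_ace(line)
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"  # implicit 'deny ip any any' at the end of every Cisco ACL

# John's ACL, applied 'in' on interface vlan 12: it is checked against packets
# entering the switch from VLAN 12, so the source is always a server address.
SERVER_ACL = [
    "permit ip host 192.168.1.100 192.168.10.0 0.0.0.255",
    "permit ip host 192.168.1.101 192.168.10.0 0.0.0.255",
    "deny ip host 192.168.1.100 any",
    "deny ip host 192.168.1.101 any",
    "permit ip any any",
]

if __name__ == "__main__":  # constructed flows; the destination hosts are illustrative
    for src, dst in [("192.168.1.100", "192.168.10.20"),
                     ("192.168.1.100", "10.10.10.20"),
                     ("192.168.1.50", "10.10.10.20")]:
        print(f"{src} -> {dst}: {evaluate(SERVER_ACL, src, dst)}")
```

The restricted server reaches only the management subnet, while an unrestricted server such as 192.168.1.50 is still permitted everywhere by the final entry.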
02-14-2013 09:20 AM
Hi,
Could you remove 'ip access-group SERVER out' from the SVI?
Note that the rule of one ACL per interface and per direction applies.
Sent from Cisco Technical Support iPhone App