access restriction

Joe.Mathews
Level 1

Hello

I have 5 VLANs and need to restrict two servers' access to all VLANs except the Management VLAN; the other servers in the server VLAN should be accessible from all VLANs.

Servers are in VLAN 12

Server IPs: 192.168.1.100 & 192.168.1.101

Management VLAN: vlan 14

interface vlan 10
 description users
 ip address 10.10.10.1 255.255.255.0
interface vlan 11
 description wireless users
 ip address 10.10.20.1 255.255.255.0
interface vlan 12
 description Server
 ip address 192.168.1.1 255.255.255.0
interface vlan 13
 description Sales
 ip address 192.168.2.1 255.255.255.0
interface vlan 14
 description Management_Vlan
 ip address 192.168.10.1 255.255.255.0

I need assistance with the extended ACL to restrict this access.

I tested the following ACL, but it didn't work:

ip access-list extended SERVER
 permit ip 192.168.10.0 0.0.0.255 host 192.168.1.100
 permit ip 192.168.10.0 0.0.0.255 host 192.168.1.101
 deny   ip any host 192.168.1.100
 deny   ip any host 192.168.1.101
 permit ip any any
interface vlan 12
 description Server
 ip address 192.168.1.1 255.255.255.0
 ip access-group SERVER in
 ip access-group SERVER out

best wishes

Joe

2 Replies

John Blakley
VIP Alumni

Are you wanting to allow 192.168.1.100 and .101 to the management vlan only? If so, your acl could look like:

ip access-list extended SERVER
 permit ip host 192.168.1.100 192.168.10.0 0.0.0.255
 permit ip host 192.168.1.101 192.168.10.0 0.0.0.255
 deny   ip host 192.168.1.100 any
 deny   ip host 192.168.1.101 any
 permit ip any any
interface vlan 12
 ip access-group SERVER in

HTH,
John

*** Please rate all useful posts ***
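As an added illustration (example code, not from the thread or from Cisco), the following Python models first-match extended-ACL evaluation with wildcard masks and the implicit deny, and runs the SERVER ACL from John Blakley's reply over constructed packets sourced in VLAN 12, which is what `ip access-group SERVER in` on the SVI inspects. The destination hosts in the users, sales and management subnets are constructed from the subnets in the question.

```python
import ipaddress
ip = lambda s: int(ipaddress.IPv4Address(s))  # dotted quad -> 32-bit int

SERVER_ACL = """
ip access-list extended SERVER
 permit ip host 192.168.1.100 192.168.10.0 0.0.0.255
 permit ip host 192.168.1.101 192.168.10.0 0.0.0.255
 deny ip host 192.168.1.100 any
 deny ip host 192.168.1.101 any
 permit ip any any
"""

def parse_target(tokens, i):
    """Read one Cisco address spec at tokens[i]; return ((net, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (ip(tokens[i + 1]), 0), i + 2
    return (ip(tokens[i]), ip(tokens[i + 1])), i + 2   # "network wildcard" form

def parse_acl(text):
    """Turn ACL text into (action, src_spec, dst_spec) ACEs, skipping the header."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] in ("permit", "deny"):           # t[1] is the protocol ("ip")
            src, i = parse_target(t, 2)
            dst, _ = parse_target(t, i)
            aces.append((t[0], src, dst))
    return aces

def matches(spec, addr):
    """Cisco wildcard match: bits set in the wildcard are don't-care bits."""
    net, wild = spec
    return (ip(addr) | wild) == (net | wild)

def evaluate(aces, src, dst):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for action, s, d in aces:
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"

def check_server_policy():
    """Constructed packets sourced in VLAN 12, i.e. what 'ip access-group SERVER in' sees."""
    aces = parse_acl(SERVER_ACL)
    flows = [("restricted server -> management", "192.168.1.100", "192.168.10.5"),
             ("restricted server -> users", "192.168.1.100", "10.10.10.25"),
             ("restricted server -> sales", "192.168.1.101", "192.168.2.9"),
             ("other server -> users", "192.168.1.102", "10.10.10.25")]
    return {name: evaluate(aces, s, d) for name, s, d in flows}
```

Because IOS ACLs are stateless, traffic from other VLANs toward the servers leaves the SVI and is never inspected by this inbound ACL; a user's connection to 192.168.1.102 is unaffected, while a user's connection to 192.168.1.100 is cut off because the server's replies hit the third ACE on their way in.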

johnlloyd_13
Level 9

Hi,

Could you remove 'ip access-group SERVER out' from the SVI?

Note that the rule of one ACL per interface, per direction applies.
