ACL and SVI

fondationces
Level 1

Hi everyone,

Here is a diagram of what I would like to do:

http://www.casimages.com/img.php?i=111005120451502784.jpg

To summarize, I would like to know if it is possible to create one or more ACLs that would allow me to have:

from B to A, only HTTPS, SSH and ICMP;

from A to B, nothing except replies to HTTPS, SSH and ICMP requests.

Reflexive ACLs are not available on my platform (4506 Sup 7-E).

A and B are on different VLANs, and each VLAN has an SVI.

If you have any ideas, I would appreciate it.

Thanks

Alex.

Accepted Solution

Jon Marshall
Hall of Fame

Alex

Reflexive ACLs are the way to go, as you say, but because you only have specific ports you can use standard ACLs, e.g.

A = 192.168.5.0/24 - vlan 10
B = 192.168.6.0/24 - vlan 11

! ACL 101: traffic from B (vlan 11) towards A, applied inbound on the vlan 11 SVI
access-list 101 permit tcp 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 443
access-list 101 permit tcp 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 22
access-list 101 permit icmp 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255 echo-request
access-list 101 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
!
! ACL 102: return traffic from A (vlan 10) towards B, applied inbound on the vlan 10 SVI.
! The TCP lines match on source port only (no 'established' keyword), so any TCP packet
! A sends from port 443 or 22 matches them, not only replies.
access-list 102 permit tcp 192.168.5.0 0.0.0.255 eq 443 192.168.6.0 0.0.0.255
access-list 102 permit tcp 192.168.5.0 0.0.0.255 eq 22 192.168.6.0 0.0.0.255
access-list 102 permit icmp 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255 echo-reply
access-list 102 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
!
interface Vlan10
 ip access-group 102 in
!
interface Vlan11
 ip access-group 101 in

Bear in mind that if you want traffic from either vlan 10 or vlan 11 to go to other subnets, you will need to permit it at the end of the ACL or use a permit ip any any catchall.

Jon
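The ACLs in the answer are stateless, so the only thing tying the A-to-B permits to a "reply" is the source port. The script below is an added example, not part of Jon's answer or the original thread: it parses the ACL lines exactly as posted, evaluates constructed packets with IOS first-match semantics and the implicit deny, and compares the result against a variant of ACL 102 that adds the IOS `established` keyword (assumed here to match TCP segments with ACK or RST set). The host addresses, the packets and the `ACL_102_ESTABLISHED` variant are constructed for the example.

```python
"""Evaluate the stateless ACLs from the post against constructed packets.

Added example, not code from the thread. The IOS 'established' keyword is
assumed to match TCP segments with ACK or RST set (i.e. never a bare SYN)."""
import ipaddress

# ACLs exactly as posted: 101 filters B->A on the vlan 11 SVI, 102 filters A->B on vlan 10
ACL_101 = """
access-list 101 permit tcp 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 443
access-list 101 permit tcp 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 22
access-list 101 permit icmp 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255 echo-request
access-list 101 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
"""
ACL_102 = """
access-list 102 permit tcp 192.168.5.0 0.0.0.255 eq 443 192.168.6.0 0.0.0.255
access-list 102 permit tcp 192.168.5.0 0.0.0.255 eq 22 192.168.6.0 0.0.0.255
access-list 102 permit icmp 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255 echo-reply
access-list 102 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
"""
# Hardened variant (added here, not from the post): the TCP return rules only match ACK/RST segments
ACL_102_ESTABLISHED = """
access-list 102 permit tcp 192.168.5.0 0.0.0.255 eq 443 192.168.6.0 0.0.0.255 established
access-list 102 permit tcp 192.168.5.0 0.0.0.255 eq 22 192.168.6.0 0.0.0.255 established
access-list 102 permit icmp 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255 echo-reply
access-list 102 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
"""

def _addr(tokens):
    """Pop 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> (network, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    net = int(ipaddress.IPv4Address(tokens.pop(0) if tok == "host" else tok))
    return net, (0 if tok == "host" else int(ipaddress.IPv4Address(tokens.pop(0))))

def _port(tokens):
    """Pop an optional 'eq N' qualifier (other operators such as 'range' are not handled)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_acl(text):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p] [icmp-type] [established]'."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        entries.append({"action": action, "proto": proto, "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "established": "established" in rest,
                        "icmp_type": rest[0] if proto == "icmp" and rest else None})
    return entries

def _match(spec, ip):
    """IOS wildcard match: a set bit in the wildcard means 'don't care'."""
    net, wildcard = spec
    return ((ip ^ net) & (~wildcard & 0xFFFFFFFF)) == 0

def evaluate(acl, pkt):
    """Return 'permit' or 'deny': first matching entry wins, implicit deny at the end."""
    src, dst = (int(ipaddress.IPv4Address(pkt[k])) for k in ("src", "dst"))
    for e in acl:
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_match(e["src"], src) and _match(e["dst"], dst)):
            continue
        if any(e[k] is not None and e[k] != pkt.get(k) for k in ("sport", "dport", "icmp_type")):
            continue
        if e["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return e["action"]
    return "deny"

# Constructed test packets (not captured traffic); A = 192.168.5.0/24, B = 192.168.6.0/24
PACKETS = {
    "B->A https SYN": dict(src="192.168.6.10", dst="192.168.5.20", proto="tcp", sport=51000, dport=443, flags={"SYN"}),
    "B->A http SYN": dict(src="192.168.6.10", dst="192.168.5.20", proto="tcp", sport=51001, dport=80, flags={"SYN"}),
    "B->A echo-request": dict(src="192.168.6.10", dst="192.168.5.20", proto="icmp", icmp_type="echo-request"),
    "A->B https SYN/ACK": dict(src="192.168.5.20", dst="192.168.6.10", proto="tcp", sport=443, dport=51000, flags={"SYN", "ACK"}),
    "A->B new SYN from sport 443": dict(src="192.168.5.20", dst="192.168.6.10", proto="tcp", sport=443, dport=22, flags={"SYN"}),
    "A->B echo-reply": dict(src="192.168.5.20", dst="192.168.6.10", proto="icmp", icmp_type="echo-reply"),
    "A->other subnet": dict(src="192.168.5.20", dst="10.1.1.1", proto="tcp", sport=40000, dport=443, flags={"SYN"}),
}

def demo():
    """{packet: (verdict with ACLs as posted, verdict with 'established' added to ACL 102)}."""
    acl_b, acl_a, acl_a_est = (parse_acl(x) for x in (ACL_101, ACL_102, ACL_102_ESTABLISHED))
    return {name: (evaluate(acl_b if name.startswith("B->A") else acl_a, pkt),
                   evaluate(acl_b if name.startswith("B->A") else acl_a_est, pkt))
            for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name, (posted, hardened) in demo().items():
        print(f"{name:28} as posted: {posted:7} with established: {hardened}")
```

Run it directly to print one verdict per packet. Two results are worth checking against the original requirement: a SYN that A sends to B from source port 443 is permitted by ACL 102 as posted and denied once `established` is added, and any packet from A to a subnet other than B hits the implicit deny, which is the case the closing note about a catchall entry covers.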


2 Replies


Thank you very much Jon, it's working fine.
