ACL ISSUE

wajid dabir
Level 1

I have a Cisco 4948 as a core switch. It has 2 VLANs. VLAN 1: 172.23.0.0/23 & VLAN 2: 172.23.4.0/23. All my servers are in VLAN 1 and my internet is also in the same VLAN.

1. I want VLAN 1 not to communicate with VLAN 2, except for 2 hosts.

2. I want VLAN 2 users to communicate with only some servers of VLAN 1 and the internet.

I configured the following ACLs on VLAN 1 and VLAN 2, but it is not working. Kindly help me solve this issue.

interface Vlan1
 ip access-group DENY in
 ip address 172.25.0.10 255.255.252.0
!
interface Vlan2
 ip access-group allow-RBC in
 ip address 172.25.4.5 255.255.252.0
 ip helper-address 172.23.0.70
!
ip route 0.0.0.0 0.0.0.0 172.23.0.70
ip http server
!
ip access-list extended ALLOW-RBC
 permit ip any host 172.23.0.20
 permit ip any host 172.23.0.54
 permit ip any host 172.23.0.69
 permit ip any host 172.23.0.65
 permit ip any host 172.23.0.70
 permit ip any host 172.23.0.14
 permit ip any host 172.23.0.26
 permit ip any host 172.23.0.25
 permit ip any host 172.23.0.11
 permit ip any host 172.23.0.12
 permit ip any host 172.23.0.71
 permit ip any host 172.23.0.02
 permit ip any host 172.23.0.3
 permit ip any host 172.23.0.5
 deny   ip any any
 permit ip any host 172.23.0.10
ip access-list extended DENY
 deny   ip 172.23.0.0 0.0.3.255 172.23.4.0 0.0.3.255
 permit ip 172.23.0.0 0.0.3.255 any
!

Julio Carvajal
VIP Alumni

Hello,

1. I want VLAN 1 not to communicate with VLAN 2, except for 2 hosts.

2. I want VLAN 2 users to communicate with only some servers of VLAN 1 and the internet.

Ip access-list ext Vlan1-in

permit ip any host x.x.x.x ( First Vlan 2 host)

permit ip any host y.y.y.y ( Second Vlan 2 host)

Deny ip any any

Ip access-list ex Vlan2-in

permit ip any host z.z.z.z ( Host vlan1)

deny ip any  172.23.0.0 0.0.1.255

permit ip any any

Interface vlan 1

ip access-group Vlan1-in in

Interface vlan 2

ip access-group Vlan2-in in

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks sir for your reply...

In the 1st case I mean 2 users of VLAN 1 should communicate with any user of VLAN 2.

And how did you calculate

deny ip any  172.23.0.0 0.0.1.255

Hello Wajid,

1 case

Ip access-list ext Vlan1-in

permit ip  host x.x.x.x ( First Vlan 1 host) 172.25.4.0 0.0.3.255

permit ip  host y.y.y.y ( Second Vlan1 host)  172.25.4.0 0.0.3.255

Deny ip any any

I calculated wrong, it was too late last night (I should have been sleeping).

It should be

Ip access-list ex Vlan2-in

permit ip any host z.z.z.z ( Host vlan1)

deny ip any  172.23.0.0 0.0.3.255

permit ip any any

Hope that I could help

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Dear Sir,

Case 2 is not working....

VLAN 2 users are not communicating with the permitted VLAN 1 host...

Do it like that

Ip access-list ex Vlan2-in

permit ip host x.x.x.x (vlan 2 )host z.z.z.z ( Host vlan1)

deny ip 172.25.4.0 0.0.3.255 172.235.0.0 0.0.3.255

permit ip any any

** Do Rate All Helpful Posts***

Jawad

Mukhtar,

I don't think your suggested ACL is correct, because we want approx. 70 users from VLAN 2 to communicate with some VLAN 1 servers. It makes a long ACL.

Wajid, do it in the best way possible; it was an example for you.

Thanks.

Jawad

Hello,

So case 1 is working,

What is case 2? Can you explain it once again?

Just to be sure,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Case 2 is: VLAN 2 users should communicate with some servers which are in VLAN 1, not with other machines of VLAN 1.

But after applying the 1st ACL on VLAN 1, VLAN 2 users are only communicating with the permitted users in ACL Vlan1-in.

Vlan 2 user means just one IP.....

Ip access-list ex Vlan2-in

permit ip host x.x.x.x ( Vlan 2 host)  host z.z.z.z ( Host vlan1)

deny ip any  172.23.0.0 0.0.1.255

permit ip any any

That should do it; it will only allow communication from one host to one server on the other VLAN.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

No dear, I mean all users of VLAN 2 should communicate with some servers which are in VLAN 1....

Case 2 is: VLAN 2 user (singular) should communicate with some server which is in VLAN 1, not with other machines of VLAN 1.

Man I am confused.........

Ok here it goes for the last time

Ip access-list ex Vlan2-in

permit ip host x.x.x.x ( Vlan 2 host) 172.23.0.0 0.0.1.255

deny ip any  172.23.0.0 0.0.1.255

permit ip any any

That's what you are looking for

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
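Added worked example (editor's note; this is not code from any of the posters). None of the lists in this thread are checked against the return path, and Cisco IOS interface ACLs are stateless: a VLAN 2 user's request that is permitted inbound on Vlan2 still fails when the server's reply comes back inbound on Vlan1 and hits "deny ip any any". That is exactly the symptom reported above (VLAN 2 users only reach the hosts permitted in Vlan1-in), it also applies to the poster's original ALLOW-RBC/DENY pair (whose trailing deny additionally blocks VLAN 2 from the internet, since internet destinations match no host entry), and to the last list proposed. The Python below parses the ACL syntax used in the thread, applies first-match-wins with the implicit deny, computes the wildcard for a /23 (0.0.1.255, the value that was debated) and checks every flow in both directions. The subnets and the fact that the internet gateway 172.23.0.70 sits in VLAN 1 come from the original post; the specific host, user and internet addresses, and the choice of which servers count as "permitted", are assumptions made for the example.

```python
"""Model of Cisco IOS extended ACLs applied inbound on two SVIs.

Constructed for this thread, not the poster's configuration. Subnets follow the
original post (VLAN 1 = 172.23.0.0/23, VLAN 2 = 172.23.4.0/23, gateway 172.23.0.70
in VLAN 1). 172.23.0.11/.12 stand in for the two VLAN 1 hosts, 172.23.0.20 for a
permitted server, 172.23.0.54 for one that must stay off limits, 172.23.4.50 for
a VLAN 2 user and 203.0.113.9 for an internet address: all assumptions.
"""
import ipaddress


def wildcard_for_prefix(prefix_len: int) -> str:
    """Cisco wildcard = bitwise inverse of the netmask: /23 -> 0.0.1.255, /22 -> 0.0.3.255."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """addr matches base/wildcard when every bit the wildcard leaves at 0 agrees."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def _spec(tokens, i):
    # 'any' | 'host A' | 'A WILDCARD'  ->  ((base, wildcard), index of next token)
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str):
    """Parse 'permit|deny ip <src> <dst>' entries, the only form used in the thread."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split("!")[0].split()          # drop IOS-style '!' comments
        if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
            continue
        src, i = _spec(t, 2)
        dst, _ = _spec(t, i)
        aces.append((t[0], src, dst))
    return aces


def evaluate(aces, src: str, dst: str) -> str:
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, (sb, sw), (db, dw) in aces:
        if matches(src, sb, sw) and matches(dst, db, dw):
            return action
    return "deny"


def session_allowed(acls, src_vlan, src, dst_vlan, dst) -> bool:
    """ACLs are stateless: the request must pass inbound on the source's SVI and
    the reply must pass inbound on the SVI the replying side sits behind."""
    return (evaluate(acls[src_vlan], src, dst) == "permit"
            and evaluate(acls[dst_vlan], dst, src) == "permit")


# Lists as they stand in the thread: the case-1 list on Vlan1, the poster's
# ALLOW-RBC shape (five of its entries, same trailing deny) on Vlan2.
THREAD = {
    "Vlan1": parse_acl("""
        permit ip host 172.23.0.11 172.23.4.0 0.0.1.255
        permit ip host 172.23.0.12 172.23.4.0 0.0.1.255
        deny ip any any
    """),
    "Vlan2": parse_acl("""
        permit ip any host 172.23.0.20
        permit ip any host 172.23.0.54
        permit ip any host 172.23.0.70
        permit ip any host 172.23.0.11
        permit ip any host 172.23.0.12
        deny ip any any
    """),
}

# A pair that passes the round-trip test for both requirements.
FIXED = {
    "Vlan1": parse_acl("""
        permit ip host 172.23.0.11 172.23.4.0 0.0.1.255   ! the two VLAN 1 hosts
        permit ip host 172.23.0.12 172.23.4.0 0.0.1.255
        permit ip host 172.23.0.20 172.23.4.0 0.0.1.255   ! replies from the permitted server
        permit ip host 172.23.0.70 172.23.4.0 0.0.1.255   ! the gateway's own services (DHCP/DNS)
        deny ip 172.23.0.0 0.0.1.255 172.23.4.0 0.0.1.255 ! rest of VLAN 1 cannot reach VLAN 2
        permit ip any any                                 ! internet replies relayed by 172.23.0.70
    """),
    "Vlan2": parse_acl("""
        permit ip 172.23.4.0 0.0.1.255 host 172.23.0.20   ! permitted server
        permit ip 172.23.4.0 0.0.1.255 host 172.23.0.70   ! gateway services
        permit ip 172.23.4.0 0.0.1.255 host 172.23.0.11   ! replies to the two VLAN 1 hosts
        permit ip 172.23.4.0 0.0.1.255 host 172.23.0.12
        deny ip 172.23.4.0 0.0.1.255 172.23.0.0 0.0.1.255
        permit ip any any                                 ! everything else is the internet
    """),
}


def check(acls):
    """Round-trip verdict for the flows the thread argues about."""
    return {
        "vlan2->server": session_allowed(acls, "Vlan2", "172.23.4.50", "Vlan1", "172.23.0.20"),
        "vlan2->other": session_allowed(acls, "Vlan2", "172.23.4.50", "Vlan1", "172.23.0.54"),
        "hostA->vlan2": session_allowed(acls, "Vlan1", "172.23.0.11", "Vlan2", "172.23.4.50"),
        "other->vlan2": session_allowed(acls, "Vlan1", "172.23.0.54", "Vlan2", "172.23.4.50"),
        "vlan2->inet": session_allowed(acls, "Vlan2", "172.23.4.50", "Vlan1", "203.0.113.9"),
    }


if __name__ == "__main__":
    for name, acls in ("thread", THREAD), ("fixed", FIXED):
        print(name, check(acls))
```

Running it shows the thread's lists failing vlan2->server and vlan2->inet (only the two VLAN 1 hosts get a working session, because only their replies survive Vlan1-in), while the fixed pair passes everything except the two flows that must stay blocked. Two things worth checking on the box before blaming the list logic: the pasted config applies allow-RBC while the list is defined as ALLOW-RBC (IOS ACL names are case-sensitive, and an access-group that points at an undefined list permits everything), and the SVIs are addressed in 172.25.x.x/22 while the lists match 172.23.x.x. For TCP-only services, permit tcp 172.23.0.0 0.0.1.255 172.23.4.0 0.0.1.255 established on Vlan1-in lets replies back without naming every server, but it only looks at the ACK/RST bits and is no substitute for a stateful firewall. show ip access-lists gives per-entry hit counters, which is the quickest way to see which line is eating a packet.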