1786 Views | 0 Helpful | 6 Replies

ACL on Cisco Switch to isolate machines

cecodoorit
Level 1

I am trying to isolate a host on our network to only see the server, and isolate it from everything else on the network. PCA is 10.10.10.2. Server is 10.10.10.5. I need the server to communicate with PCA and all other devices, but need PCA to only communicate with the Server. I am using a 3750X switch; both are on the same VLAN. I tried using an ACL on the interface that PCA is connected to:

access-list 5 permit 10.10.10.5 0.0.0.0

interface gi2/0/11 (interface where pca connects)

ip access-group 5 in

 

With a constant ping going, when I apply the access group, I lose connection to PCA from everything, including the server in the permit statement.

 

Is there a better approach? Thanks in advance.

1 Accepted Solution

Accepted Solutions

Seb Rupik
VIP Alumni

Hi there,

As you had it, your ACL was only permitting traffic sourced from 10.10.10.5 (the server); it would not have had the desired effect.

Replace it with:

!
ip access-list ext PCA_LIMIT
  permit ip host 10.10.10.2 host 10.10.10.5
!
int gi2/0/11
ip access-group PCA_LIMIT in
!

cheers,

Seb.
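To show why the original standard ACL dropped everything while the extended ACL above isolates PCA as intended, here is a small model of IOS ACL evaluation (an added example, not code from the thread or from Cisco). It assumes only IP packets, the ACL applied inbound on PCA's switchport (so every packet it sees is sourced by PCA), the implicit deny at the end of every IOS ACL, and a constructed third host 10.10.10.7.

```python
# Added example (not from the thread): a small model of Cisco IOS ACL
# evaluation, used to show why the original standard ACL 5 blocked PCA
# completely while the extended ACL PCA_LIMIT isolates it as intended.
# Assumptions: only IP packets are modelled, the ACL is applied inbound
# on PCA's switchport (so every packet it sees is sourced by PCA), and
# the implicit "deny any" at the end of every IOS ACL is included.
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, b, w = int(IPv4Address(addr)), int(IPv4Address(base)), int(IPv4Address(wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF

def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' from the first matching entry; implicit deny if none match.
    Each entry is (action, src_base, src_wild, dst_base, dst_wild). A standard ACL
    entry matches on source only, modelled here with destination wildcard 255.255.255.255."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"  # implicit "deny any" at the end of every IOS ACL

ANY = ("0.0.0.0", "255.255.255.255")
HOST = lambda ip: (ip, "0.0.0.0")   # "host x.x.x.x" is the same as "x.x.x.x 0.0.0.0"

# Original post: standard ACL 5, "permit 10.10.10.5 0.0.0.0" (source only)
ACL_5 = [("permit", *HOST("10.10.10.5"), *ANY)]
# Accepted answer: extended ACL PCA_LIMIT, "permit ip host 10.10.10.2 host 10.10.10.5"
PCA_LIMIT = [("permit", *HOST("10.10.10.2"), *HOST("10.10.10.5"))]
# Later suggestion in the thread: "deny host 10.10.10.5" then "permit any"
ACL_5_DENY_SERVER = [("deny", *HOST("10.10.10.5"), *ANY), ("permit", *ANY, *ANY)]

PCA, SERVER, OTHER = "10.10.10.2", "10.10.10.5", "10.10.10.7"  # .7 is a constructed third host

def inbound_decisions(acl):
    """What PCA's port lets in for PCA -> server and PCA -> some other host.
    Inbound on PCA's port the source is always PCA, so ACL 5 never matches and
    even PCA's ping replies to the server are dropped, which is what the OP saw."""
    return {"to_server": evaluate(acl, PCA, SERVER), "to_other": evaluate(acl, PCA, OTHER)}

if __name__ == "__main__":
    for name, acl in [("ACL 5", ACL_5), ("PCA_LIMIT", PCA_LIMIT), ("deny-server ACL", ACL_5_DENY_SERVER)]:
        print(name, inbound_decisions(acl))
```

Note that the port ACL only filters what PCA sends; it cannot reach other hosts because its own packets to them are dropped, while the server's unsolicited traffic to PCA still arrives.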


6 Replies

OK, I tested the below, and that seems to work; however, if I add another permit statement, then I lose the ping from the original server AND the secondary permit device.

 

access-list 110 permit ip host (ip of device) host (ip of server)

Pings from the server work fine, and it drops pings from other devices (this is what I want).

Adding the below:

access-list 110 permit ip host (ip of device) host (ip of 2nd server)

causes the ping to fail from the first server and all devices, and I am also unable to ping from the 2nd server.

Strange. Please provide the output from sh access-list.

 

cheers,

Seb.

Sorry, I was using the wrong access-list identifier on the second statement.

 

It is working; thank you for the assist.

Hi,

If they are on the same VLAN, you could use switchport protected. Please check this link:

https://learningnetwork.cisco.com/thread/31691

There are other ways, like private VLANs, but they could be more complex.

Now, your ACL at first sight will block the rest of the traffic; you need to specify that it will allow everything else:

 

access-list 5 deny host 10.10.10.5
access-list 5 permit any

 

interface gi2/0/11

ip access-group 5 in

 

In order to see if it is working, you can execute "show access-list 5" (you will see hits).

 

Hope it is useful.

:-)

>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<

Julio, 

I am not looking to block the .5 and allow everything else, but just the opposite, allow communication between the .2 and .5 and nothing else.

 

Seb,

I am waiting on the device to come online so I can test your suggestion. It is at a remote location. I will update after I test.

 

Thank you to both of you for your suggestions.
