09-21-2012 01:16 AM - edited 03-07-2019 09:00 AM
Hi All,
I have two VLANs on a switch with SVIs. One is the Server VLAN (Vlan 10), the other is the User VLAN (Vlan 20). Now I want to just allow SSH/WEB traffic from Server and RST/ACK for outgoing traffic from Server Vlan.
Please find the config for the VLANs:
Vlan 10
ip add 10.10.10.1 255.255.255.0
Vlan 20
ip add 20.20.20.1 255.255.255.0
ip access-list extended VLAN10-SSH/WEB-IN
permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 22
permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 443
ip access-list extended VLAN10-RST/ACK-OUT
permit tcp any any established
I want to apply them on the server VLAN (Vlan 10):
int vlan 10
ip access-group VLAN10-SSH/WEB-IN -- ?? what should the direction be?
ip access-group VLAN10-RST/ACK-OUT -- ?? what should the direction be?
Thanks in advance
Jagdev
09-21-2012 01:29 AM
Hi Jagdev,
interface vlan 10
ip access-group VLAN10-RST/ACK-OUT
If you think of yourself as being IN the router, then when servers send traffic out onto the network, they send it to their default gateway, which is the SVI; therefore this comes to you INBOUND. And vice versa: when clients from another subnet send to the servers, it comes to another SVI first, then goes OUTBOUND towards the servers.
The ACL would need to be an extended ACL also, because you specify the source IPs.
Please rate if this helps.
thanks
09-21-2012 01:35 AM
Hi Amrinder
Thanks for your reply. You mean the direction should be like this:
int vlan 10
ip access-group VLAN10-SSH/WEB-IN -- out
ip access-group VLAN10-RST/ACK-OUT -- in
Thanks
Jagdev
09-21-2012 01:45 AM
Hi,
Just
ip access-group VLAN10-SSH/WEB-IN -- out
because you are not blocking any incoming traffic.
thanks
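An added illustration of the logic the replies describe, not code from this thread or from Cisco: a small model of extended-ACL evaluation with wildcard masks and the `established` keyword, plus the "in"/"out" view from the SVI's side. The packet flows, the port numbers in them and the tuple-based ACL representation are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the segment, e.g. frozenset({"SYN"})

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

# Entries: (action, src, src-wildcard, dst, dst-wildcard, eq port or None, established)
VLAN10_SSH_WEB_IN = [
    ("permit", "20.20.20.0", "0.0.0.255", "10.10.10.0", "0.0.0.255", 22, False),
    ("permit", "20.20.20.0", "0.0.0.255", "10.10.10.0", "0.0.0.255", 80, False),
    ("permit", "20.20.20.0", "0.0.0.255", "10.10.10.0", "0.0.0.255", 443, False),
]
VLAN10_RST_ACK_OUT = [  # "permit tcp any any established"; any = 0.0.0.0 255.255.255.255
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None, True),
]

def acl_eval(acl, pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, s, swc, d, dwc, port, est in acl:
        if not (wildcard_match(pkt.src, s, swc) and wildcard_match(pkt.dst, d, dwc)):
            continue
        if port is not None and pkt.dport != port:
            continue
        if est and not (pkt.flags & {"ACK", "RST"}):  # established = ACK or RST bit set
            continue
        return action
    return "deny"

def svi_direction(pkt: Packet, svi_subnet: str = "10.10.10.0/24") -> str:
    """From the router's view: sourced in the SVI subnet = 'in', routed to it = 'out'."""
    net = IPv4Network(svi_subnet)
    if IPv4Address(pkt.src) in net:
        return "in"
    if IPv4Address(pkt.dst) in net:
        return "out"
    return "transit"

def vlan10_verdict(pkt: Packet, inbound_acl=None, outbound_acl=VLAN10_SSH_WEB_IN) -> str:
    """Apply whichever ACL is bound to the direction the packet takes on int vlan 10."""
    acl = outbound_acl if svi_direction(pkt) == "out" else inbound_acl
    return "permit" if acl is None else acl_eval(acl, pkt)
```

With no inbound ACL (the final reply's advice) server replies pass untouched; binding the `established` ACL inbound instead would also drop any connection the servers themselves initiate, which is the trade-off to decide on.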