487 Views | 0 Helpful | 11 Replies

ACL question

glodynto1
Level 1

Hi all,


I'm fooling around with ACLs in my lab and had a question. I'm trying to use a standard access-list to permit only a number of hosts to another group of hosts over specific ports. I've created object groups and reference them in the ACL. When I add a permit any at the end of the ACL and try to apply the ACL to the interface where the Web-IPs reside, hosts outside of the group ADMIN-SERVERS I created are still able to talk to the hosts in the Web-IPs group. When I remove the permit any, I am unable to get to other hosts outside of the Web-IPs group that are on the same network. This is my config so far:

ip access-list SERVER-ADMIN
10 permit tcp addrgroup ADMIN-SERVERS addrgroup Web-IPs eq 443 log
20 permit tcp addrgroup ADMIN-SERVERS addrgroup Web-IPs eq 22 log
30 deny tcp any addrgroup Web-IPs eq 443
40 deny tcp any addrgroup Web-IPs eq 22

object-group ip address ADMIN-SERVERS
10 host 10.19.152.6
20 host 10.19.152.7
object-group ip address Web-IPs
10 host 10.19.2.100
20 host 10.19.2.101
30 host 10.19.2.102

interface Vlan2
ip access-group SERVER-ADMIN in
no shutdown
no ip redirects
ip address 10.19.2.2/24

Just wanted some input on whether I was misconfiguring the ACL or how it is being applied. Essentially I just want the IPs in the SERVER-ADMIN group to be able to communicate on 443 and 22 to the IPs in the Web-IPs group, while also allowing other hosts in the same network (10.19.2.0/24) to be reachable normally. Let me know if I can be more clear on some of the details. Thanks.

1 Accepted Solution

Joseph W. Doherty
Hall of Fame

Let me try to be more explicit.

ip access-list SERVER-ADMIN
10 permit tcp addrgroup ADMIN-SERVERS addrgroup Web-IPs eq 443 log

would create an ACL like(?):

permit tcp host 10.19.152.6 host 10.19.2.100 eq 443 log

VLAN 2 is subnet 10.19.2.0/24

Applied as an IN, the source subnet is 10.19.2.0/24, but the ACL has 10.19.2.100/32 as the destination parameter!

Also, if ADMIN hosts are opening the contact with SERVERS hosts, the known port would be on the initial destination:

permit tcp host 10.19.2.100 host 10.19.152.6 eq 443 log

So possibly, you need:

ip access-list SERVER-ADMIN-IN
 permit tcp addrgroup Web-IPs addrgroup ADMIN-SERVERS eq 443 log
 permit tcp addrgroup Web-IPs addrgroup ADMIN-SERVERS eq 22 log

ip access-list SERVER-ADMIN-OUT
 deny tcp any addrgroup Web-IPs eq 443
 deny tcp any addrgroup Web-IPs eq 22

!above denies redundant because of implicit ending ACE, deny any any

interface Vlan2
ip access-group SERVER-ADMIN-IN in
ip access-group SERVER-ADMIN-OUT out
ip address 10.19.2.2/24


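The accepted answer turns on a question that is easy to get wrong by eye: which ACL, on which SVI and in which direction, actually sees a given packet. The following is an added example written for this thread, not a tool from any of the posts. It parses the ACEs exactly as posted and evaluates sample flows against a deliberately simplified model of a routed switch (an assumption, not full vendor behaviour): an SVI's "in" ACL is checked for packets sourced from that SVI's subnet, its "out" ACL for packets destined to that subnet, same-subnet traffic is bridged and never reaches the SVI (the point raised in the replies about VACLs), first match wins, and anything unmatched hits the implicit deny. The Vlan152 subnet comes from a later reply; the hosts 10.19.50.9 (on an assumed third VLAN) and 10.19.2.50 are constructed sample values.

```python
"""ACL direction simulator for the SERVER-ADMIN thread (added example).

Simplified model, stated as an assumption: an SVI "in" ACL sees packets whose
source is in the SVI subnet, an "out" ACL sees packets whose destination is;
same-subnet traffic never reaches the SVI; first matching ACE wins; an
unmatched packet hits the implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Object groups as posted; SVI subnets from the thread.
OBJECT_GROUPS = {
    "ADMIN-SERVERS": {"10.19.152.6", "10.19.152.7"},
    "Web-IPs": {"10.19.2.100", "10.19.2.101", "10.19.2.102"},
}
SVIS = {
    "Vlan2": ipaddress.ip_network("10.19.2.0/24"),
    "Vlan152": ipaddress.ip_network("10.19.152.0/24"),
}


@dataclass
class Packet:
    src: str
    dst: str
    dport: Optional[int] = None
    sport: Optional[int] = None
    proto: str = "tcp"


@dataclass
class Ace:
    seq: Optional[int]
    action: str          # "permit" | "deny"
    proto: str           # "tcp" | "ip"
    src: str             # "any" | "host A.B.C.D" | "addrgroup NAME"
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse one ACE line in the form used in the thread (trailing 'log' ignored)."""
    toks = line.split()
    seq = int(toks.pop(0)) if toks[0].isdigit() else None
    action, proto = toks.pop(0), toks.pop(0)

    def take_addr() -> str:
        kind = toks.pop(0)
        return kind if kind == "any" else f"{kind} {toks.pop(0)}"

    def take_port() -> Optional[int]:  # 'eq N' directly after an address
        if toks and toks[0] == "eq":
            toks.pop(0)
            return int(toks.pop(0))
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return Ace(seq, action, proto, src, sport, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def _addr_ok(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    kind, _, val = spec.partition(" ")
    return ip == val if kind == "host" else ip in OBJECT_GROUPS[val]


def _port_ok(want: Optional[int], have: Optional[int]) -> bool:
    return want is None or want == have


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _addr_ok(ace.src, pkt.src) and _port_ok(ace.sport, pkt.sport)
            and _addr_ok(ace.dst, pkt.dst) and _port_ok(ace.dport, pkt.dport))


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation: (action, seq), or ('deny', None) for the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


def simulate(acl: List[Ace], svi: str, direction: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """('not-inspected', None) when the ACL on that SVI/direction never sees pkt."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    net = SVIS[svi]
    bridged = src in net and dst in net          # same VLAN: SVI ACL not consulted
    seen = (direction == "in" and src in net) or (direction == "out" and dst in net)
    if bridged or not seen:
        return "not-inspected", None
    return evaluate(acl, pkt)


# The ACL exactly as posted, plus the variant with the trailing permit the OP tried.
SERVER_ADMIN = parse_acl("""
10 permit tcp addrgroup ADMIN-SERVERS addrgroup Web-IPs eq 443 log
20 permit tcp addrgroup ADMIN-SERVERS addrgroup Web-IPs eq 22 log
30 deny tcp any addrgroup Web-IPs eq 443
40 deny tcp any addrgroup Web-IPs eq 22
""")
SERVER_ADMIN_PERMIT_ANY = SERVER_ADMIN + parse_acl("50 permit ip any any")

# Constructed sample flows (10.19.50.9 is an assumed host on a third VLAN).
ADMIN_TO_WEB = Packet("10.19.152.6", "10.19.2.100", dport=443, sport=51000)
OTHER_TO_WEB = Packet("10.19.50.9", "10.19.2.100", dport=443, sport=51001)
OTHER_TO_PLAIN = Packet("10.19.50.9", "10.19.2.50", dport=80, sport=51002)
WEB_REPLY = Packet("10.19.2.100", "10.19.152.6", dport=51000, sport=443)

if __name__ == "__main__":
    for label, acl in (("as posted", SERVER_ADMIN), ("with permit any", SERVER_ADMIN_PERMIT_ANY)):
        for svi, direction in (("Vlan2", "in"), ("Vlan2", "out"), ("Vlan152", "in")):
            for pkt in (ADMIN_TO_WEB, OTHER_TO_WEB, OTHER_TO_PLAIN, WEB_REPLY):
                print(f"{label:16} {svi:8} {direction:4} {pkt.src}->{pkt.dst}:{pkt.dport}",
                      simulate(acl, svi, direction, pkt))
```

Running it reproduces both symptoms from the original post: with the ACL inbound on Vlan2, the admin-to-web packet is never inspected (its source is not in 10.19.2.0/24), while the web hosts' own replies are evaluated and fall to the implicit deny, which is why nothing on the VLAN was reachable until a permit any was appended. The same ACE text applied outbound on Vlan2, or inbound on Vlan152, matches the admin flow on ACE 10 and the non-admin flow on ACE 30; a trailing permit ip any any then only admits what the earlier denies did not already catch. Inbound on Vlan152 still lets a host on a third VLAN through, because that ACL never sees it.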

11 Replies

M02@rt37
VIP

Hello @glodynto1 

In your case, because all "Web-IPs" and other hosts in 10.19.2.0/24 are in the same VLAN, their traffic does not need to go through the SVI unless they are communicating with another subnet. That means your ACL won't affect host-to-host communication within the VLAN...

To enforce restrictions at Layer 2 (meaning same-VLAN host-to-host control), use a VACL (VLAN Access Control List).


Best regards

The Web-IPs hosts are in the 10.19.0/24 vlan (let's say it's vlan 2) while the admin servers are on the 10.19.152.0/24 vlan (let's say it's vlan 152). I'm essentially trying to get a handful of hosts on vlan 2 to only be reachable from a handful of hosts on vlan 152 using this ACL, so I don't believe it's host-to-host communication in the same vlan, unless I am misunderstanding something.

krmp010608
Level 1

From the flow it seems that the ACL is applied incorrectly. Can you provide the output of the command:

show ip route 10.19.152.6

These hosts are directly connected to the same switch, just on different vlans, so the sh ip route output doesn't yield:

sh ip route 10.19.152.6
10.19.152.6/32, ubest/mbest: 1/0, attached
*via 10.19.152.6, Vlan152, [250/0], 3d00h

I thought simply adding an access-list to the SVI for vlan 2 saying only these hosts on vlan 152 are permitted to these specific hosts on vlan 2 would suffice.

Can you send the switch configuration?

Joseph W. Doherty
Hall of Fame

Try

interface Vlan2
 ip access-group SERVER-ADMIN out

Oops, my prior reply won't work because you're also using ports, so try, in your ACEs, reversing the dst and src address parameters, not ports (while continuing to use in).

krmp010608
Level 1

The configured ACLs are extended ACLs, and it is recommended to apply them as close to the source as possible. You can do the following:

interface Vlan2
no ip access-group SERVER-ADMIN in

interface Vlan 152
ip access-group SERVER-ADMIN in

I tried applying it to vlan 152 instead since that is closest to the source, but I seem to have the same behavior: I'm able to access the Web-IPs from hosts outside of the list of admin servers.

From which specific IP can you access?
