Participant

ACL should apply in where

I want to apply an ACL on my core switch, but I'm not sure whether it is correct or not.

Basically, I want to deny every VLAN on the LAN from reaching destination 10.104.101.60, but allow only 5 IP addresses from VLAN 1650 to go to that destination.

ip dhcp excluded-address 10.51.165.180 10.51.165.184
!
interface Vlan1650
 description User_5thFloor_Vlan
 ip address 10.51.165.2 255.255.255.0
 ip helper-address 10.50.162.9
 ip helper-address 10.49.228.11
 ip access-group TEST xx

ip access-list extended TEST
permit ip host 10.51.165.180 host 10.104.101.60
permit ip host 10.51.165.181 host 10.104.101.60
permit ip host 10.51.165.182 host 10.104.101.60
permit ip host 10.51.165.183 host 10.104.101.60
permit ip host 10.51.165.184 host 10.104.101.60
deny ip 10.51.165.0 0.0.0.255 any
permit ip any any

If I apply it on VLAN 1650, it will only affect people on VLAN 1650, right?

How can I apply it to all VLANs except the allowed IP addresses?

2 Accepted Solutions
Highlighted
Beginner

Re: ACL should apply in where

I think your configuration should be on the port (could be connected to the ISP router) which is used for traffic going out to your ISP:

interface GOINGOUT0/1
ip access-group DENY out


ip access-list extended DENY
permit ip host 10.51.165.180 host 10.104.101.60
permit ip host 10.51.165.181 host 10.104.101.60
permit ip host 10.51.165.182 host 10.104.101.60
permit ip host 10.51.165.183 host 10.104.101.60
permit ip host 10.51.165.184 host 10.104.101.60
deny ip any host 10.104.101.60
permit ip any any

VIP Advisor

Re: ACL should apply in where

If you take the ACL I gave you, it will be applied with IN on the SVI of your server host.

The ACL should be adapted based on whether you apply it IN or OUT.

OUT --> Traffic TO the VLAN

IN --> Traffic going away FROM the VLAN


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
VIP Advisor

Re: ACL should apply in where

Hi

You want to deny every subnet from reaching your host 10.104.101.60 except the 5 IPs you gave.

Let's assume your host 10.104.101.60 belongs to VLAN 101.

I would suggest creating an ACL and attaching it to SVI 101:

ip access-list extended DENY
 permit ip host 10.104.101.60 host 10.51.165.180
 permit ip host 10.104.101.60 host 10.51.165.181
 permit ip host 10.104.101.60 host 10.51.165.182
 permit ip host 10.104.101.60 host 10.51.165.183
 permit ip host 10.104.101.60 host 10.51.165.184
 deny   ip host 10.104.101.60 any
!
int vlan 101
 ip access-group DENY in

Thanks
Francesco
VIP Mentor

Re: ACL should apply in where

Hello,

Where is 10.104.101.60? Is that part of a VLAN as well? If so, apply the access list outbound on the interface 10.104.101.60 is connected to.

Participant

Re: ACL should apply in where

10.104.101.60 is not part of a VLAN in my LAN; it is in a different country.

VIP Advisor

Re: ACL should apply in where

OK, then apply the ACL on the interface that routes traffic outside of your network.

Is it a L2L VPN?

Thanks
Francesco
Participant

Re: ACL should apply in where

It is not a VPN; it goes to the other ISP router via an MPLS line.
Should I apply the ACL on the SVI that directly connects to the ISP router?

Is the ACL below still valid when applied to this SVI?

ip access-list extended DENY
permit ip host 10.51.165.180 host 10.104.101.60
permit ip host 10.51.165.181 host 10.104.101.60
permit ip host 10.51.165.182 host 10.104.101.60
permit ip host 10.51.165.183 host 10.104.101.60
permit ip host 10.51.165.184 host 10.104.101.60
deny ip 10.51.165.0 0.0.0.255 any   <-- I'm not too sure of this. Will it work? Then next is permit all.
permit ip any any

VIP Advisor

Re: ACL should apply in where

Hi

I added the line deny ip 10.51.165.0 0.0.0.255 any because you wanted to deny the other hosts in this subnet from accessing the network 10.104.101.0/24.

Indeed, after rereading your first post, you want to deny any subnet from accessing host 10.104.101.60.
Then the new line, instead of that one, will be:
deny ip any host 10.104.101.60

Thanks
Francesco
VIP Advisor

Re: ACL should apply in where

Hello

Possibly create two ACLs and apply them accordingly.

vlan 1650

ip access-list extended TEST1
permit ip host 10.104.101.60 host 10.51.165.180
permit ip host 10.104.101.60 host 10.51.165.181
permit ip host 10.104.101.60 host 10.51.165.182
permit ip host 10.104.101.60 host 10.51.165.183
permit ip host 10.104.101.60 host 10.51.165.184
deny ip 10.51.165.0 0.0.0.255 any
permit ip any any

int vlan 1650
ip access-group TEST1 OUT

other vlans

ip access-list extended TEST2
deny ip 10.51.165.0 0.0.0.255 any
permit ip any any

int vlan xx
ip access-group TEST2 OUT

res
Paul

kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Participant

Re: ACL should apply in where

Paul,
I have more than 10 VLANs; I don't want to add an ACL on every VLAN interface.

VIP Advisor

Re: ACL should apply in where

Hello

Just realized, is this host external to your LAN?

If so, you could apply an ACL on the WAN interface to negate access by this host.

ip access-list extended TEST
permit ip host 10.104.101.60 host 10.51.165.180
permit ip host 10.104.101.60 host 10.51.165.181
permit ip host 10.104.101.60 host 10.51.165.182
permit ip host 10.104.101.60 host 10.51.165.183
permit ip host 10.104.101.60 host 10.51.165.184
deny ip host 10.104.101.60 any
permit ip any any

int xxx
description WAN
ip access-group TEST IN

res
Paul

Participant

Re: ACL should apply in where

Now it makes me wonder...
ip access-group TEST [IN or OUT]

I always get confused with this. Should it be IN or OUT when applied to the interface?

VIP Advisor

Re: ACL should apply in where

Hello
I guess that would be correct for a RACL applied to SVIs, but not for routed interfaces.

Res
Paul


VIP Advisor

Re: ACL should apply in where

Hello

IN - ingress - inwards from outside network

OUT - egress - outwards from inside network

Think of a door to a room and you're stood there allowing people in or out.

IN = allow them in
OUT = allow them out

Res
Paul



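The two sticking points of this thread, the deny line that had to change (deny ip 10.51.165.0 0.0.0.255 any versus deny ip any host 10.104.101.60) and which traffic an ACL applied IN or OUT on an SVI actually sees, as an added Python simulation that is not code from the thread or from Cisco: it evaluates extended ACL entries first-match with the implicit deny, using the addresses from the original post; parse_acl, evaluate, svi_direction and compare are my own helper names, and the matching semantics are the standard ones for host/wildcard/any.

```python
import ipaddress

def _field(toks, i):
    """Consume one address field: 'any' (one token) or 'host X' / 'net wildcard' (two tokens)."""
    return (("any",), i + 1) if toks[i] == "any" else (tuple(toks[i:i + 2]), i + 2)

def _matches(field, addr):
    """Cisco semantics: 'host' is exact; for 'net wildcard' only the 0 bits of the wildcard must match."""
    if field == ("any",):
        return True
    a = int(ipaddress.ip_address(addr))
    if field[0] == "host":
        return a == int(ipaddress.ip_address(field[1]))
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(field[1]))
    return (a & mask) == (int(ipaddress.ip_address(field[0])) & mask)

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' entries (the only form used in the thread); other lines are skipped."""
    aces = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) >= 4 and toks[0] in ("permit", "deny") and toks[1] == "ip":
            src, i = _field(toks, 2)
            dst, _ = _field(toks, i)
            aces.append((toks[0] == "permit", src, dst))
    return aces

def evaluate(aces, src, dst):
    """First matching entry decides; a packet that matches nothing hits the implicit deny at the end."""
    for permit, s, d in aces:
        if _matches(s, src) and _matches(d, dst):
            return permit
    return False

def svi_direction(svi_net, src, dst):
    """'in' = packet enters the switch from the VLAN (VLAN host is the source); 'out' = it leaves toward the VLAN."""
    net = ipaddress.ip_network(svi_net)
    if ipaddress.ip_address(src) in net:
        return "in"
    return "out" if ipaddress.ip_address(dst) in net else None

# The five permitted hosts from the original post, then the two candidate deny lines (constructed input).
ALLOWED = "\n".join(f"permit ip host 10.51.165.{h} host 10.104.101.60" for h in range(180, 185))
ORIGINAL = ALLOWED + "\ndeny ip 10.51.165.0 0.0.0.255 any\npermit ip any any"   # blocks the whole VLAN from everything
CORRECTED = ALLOWED + "\ndeny ip any host 10.104.101.60\npermit ip any any"     # blocks only the one remote host

def compare(src, dst):
    """(original verdict, corrected verdict) for one flow evaluated against both ACLs."""
    return evaluate(parse_acl(ORIGINAL), src, dst), evaluate(parse_acl(CORRECTED), src, dst)
```

compare("10.51.165.50", "10.50.162.9") returns (False, True): with the original deny line an ordinary VLAN 1650 host loses its DHCP helper and everything else, while the corrected line only blocks the one remote host.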