12-18-2017 06:28 AM - edited 06-23-2020 12:38 AM
12-18-2017 07:11 AM
Hi
You want to deny every subnet from reaching your host 10.104.101.60 except the 5 IPs you gave.
Let's assume your host 10.104.101.60 belongs to VLAN 101.
I would suggest creating an ACL and attaching that ACL to SVI 101:
ip access-list extended DENY
permit ip host 10.104.101.60 host 10.51.165.180
permit ip host 10.104.101.60 host 10.51.165.181
permit ip host 10.104.101.60 host 10.51.165.182
permit ip host 10.104.101.60 host 10.51.165.183
permit ip host 10.104.101.60 host 10.51.165.184
deny ip host 10.104.101.60 any
!
int vlan 101
ip access-group DENY in
12-18-2017 07:12 AM
Hello,
Where is 10.104.101.60? Is that part of a VLAN as well? If so, apply the access list outbound on the interface 10.104.101.60 is connected to...
12-18-2017 07:14 AM
10.104.101.60 is not part of the VLAN in my LAN; it is already in a different country.
12-18-2017 07:16 AM
12-19-2017 08:03 AM - edited 12-19-2017 08:05 AM
It is not VPN; it goes to the other ISP router via an MPLS line.
Should I apply the ACL on the SVI that directly connects to the ISP router?
Is the ACL below still valid when applied to this SVI?
ip access-list extended DENY
permit ip host 10.51.165.180 host 10.104.101.60
permit ip host 10.51.165.181 host 10.104.101.60
permit ip host 10.51.165.182 host 10.104.101.60
permit ip host 10.51.165.183 host 10.104.101.60
permit ip host 10.51.165.184 host 10.104.101.60
deny ip 10.51.165.0 0.0.0.255 any ********** I'm not too sure of this one; will it work? Then next is permit all:
permit ip any any
12-19-2017 09:37 AM
I think your configuration should be on the port (could be connected to the ISP router) which is used for traffic going out to your ISP:
interface GOINGOUT0/1
ip access-group DENY out
ip access-list extended DENY
permit ip host 10.51.165.180 host 10.104.101.60
permit ip host 10.51.165.181 host 10.104.101.60
permit ip host 10.51.165.182 host 10.104.101.60
permit ip host 10.51.165.183 host 10.104.101.60
permit ip host 10.51.165.184 host 10.104.101.60
deny ip any host 10.104.101.60
permit ip any any
12-19-2017 02:30 PM
12-19-2017 06:02 PM - edited 12-19-2017 06:02 PM
Hello
Possibly create two acls and apply them accordingly.
vlan 1650
ip access-list extended TEST1
permit ip host 10.104.101.60 host 10.51.165.180
permit ip host 10.104.101.60 host 10.51.165.181
permit ip host 10.104.101.60 host 10.51.165.182
permit ip host 10.104.101.60 host 10.51.165.183
permit ip host 10.104.101.60 host 10.51.165.184
deny ip 10.51.165.0 0.0.0.255 any
permit ip any any
int vlan 1650
ip access-group TEST1 OUT
other vlans
ip access-list extended TEST2
deny ip 10.51.165.0 0.0.0.255 any
permit ip any any
int vlan xx
ip access-group TEST2 OUT
res
Paul
12-19-2017 06:30 PM
Paul,
I have more than 10 VLANs; I don't want to add an ACL on every VLAN interface.
12-20-2017 02:12 AM - edited 12-20-2017 02:14 AM
Hello
Just realized: is this host external to your LAN?
If so, you could apply an ACL on the WAN interface to negate access by this host.
ip access-list extended TEST
permit ip host 10.104.101.60 host 10.51.165.180
permit ip host 10.104.101.60 host 10.51.165.181
permit ip host 10.104.101.60 host 10.51.165.182
permit ip host 10.104.101.60 host 10.51.165.183
permit ip host 10.104.101.60 host 10.51.165.184
deny ip host 10.104.101.60 any
permit ip any any
int xxx
description WAN
ip access-group TEST IN
res
Paul
12-20-2017 05:25 AM - edited 06-23-2020 12:45 AM
12-20-2017 05:32 AM
If you take the ACL I gave you, it is applied with IN on the SVI of your server host.
The ACL should be adapted depending on whether you apply it IN or OUT.
OUT --> traffic TO the VLAN
IN --> traffic going away FROM the VLAN
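As an added illustration (not part of this thread and not Cisco code), the following script parses the two ACLs posted above in a small evaluator, so the accepted answer (the ACL bound OUT on the interface toward the ISP) and the IN/OUT rule just stated can be checked on sample flows before touching a switch. It assumes the LAN hosts sit in 10.51.165.0/24 (taken from the wildcard in the thread, but a constructed assumption), handles only `permit`/`deny ip` entries with `any`, `host` or address/wildcard specs, and uses hypothetical function names (`parse_acl`, `evaluate`, `svi_acl_inspects`). It also shows the caveat that the first ACL in the thread has no closing `permit ip any any`, so the implicit deny at the end of every IOS ACL drops all unrelated traffic if that ACL is bound somewhere other than the host's own SVI.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the ACL from the accepted reply, meant for 'out' on the
# interface toward the ISP: five hosts may reach 10.104.101.60, nobody else may.
WAN_OUT_ACL = """
ip access-list extended DENY
 permit ip host 10.51.165.180 host 10.104.101.60
 permit ip host 10.51.165.181 host 10.104.101.60
 permit ip host 10.51.165.182 host 10.104.101.60
 permit ip host 10.51.165.183 host 10.104.101.60
 permit ip host 10.51.165.184 host 10.104.101.60
 deny ip any host 10.104.101.60
 permit ip any any
"""

# Constructed copy of the first reply's ACL, written for 'in' on the host's own SVI.
# There is no trailing 'permit ip any any', so the implicit deny catches everything else.
SVI_IN_ACL = """
ip access-list extended DENY
 permit ip host 10.104.101.60 host 10.51.165.180
 permit ip host 10.104.101.60 host 10.51.165.181
 permit ip host 10.104.101.60 host 10.51.165.182
 permit ip host 10.104.101.60 host 10.51.165.183
 permit ip host 10.104.101.60 host 10.51.165.184
 deny ip host 10.104.101.60 any
"""


@dataclass
class AceEntry:
    """One access control entry: action plus matching source/destination ranges."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens):
    """Consume one address spec from the token list: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)  # Cisco wildcard = inverted netmask
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_acl(text):
    """Parse IOS extended-ACL text into an ordered list of AceEntry (ip protocol only)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "!", "remark"):
            continue  # 'ip access-list ...' header line, comment or remark
        action, proto, *rest = tokens
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line.strip()}")
        src = _take_addr(rest)
        dst = _take_addr(rest)
        entries.append(AceEntry(action, src, dst))
    return entries


def evaluate(entries, src_ip, dst_ip):
    """First matching ACE wins; an IOS ACL always ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


def svi_acl_inspects(direction, vlan_net, src_ip, dst_ip):
    """Which packets an ACL bound to an SVI is consulted for (the rule stated in the reply):
    'in'  = traffic leaving the VLAN toward the router, so the source lies in the VLAN;
    'out' = traffic the router forwards into the VLAN, so the destination lies in the VLAN."""
    net = ipaddress.ip_network(vlan_net)
    if direction == "in":
        return ipaddress.ip_address(src_ip) in net
    if direction == "out":
        return ipaddress.ip_address(dst_ip) in net
    raise ValueError(f"direction must be 'in' or 'out', got {direction!r}")


if __name__ == "__main__":
    wan = parse_acl(WAN_OUT_ACL)
    for src, dst in [("10.51.165.180", "10.104.101.60"),   # one of the five allowed hosts
                     ("10.51.165.9", "10.104.101.60"),     # any other LAN host: blocked
                     ("10.51.165.9", "192.0.2.10")]:       # unrelated destination: still flows
        print(f"WAN out  {src} -> {dst}: {evaluate(wan, src, dst)}")
    svi = parse_acl(SVI_IN_ACL)
    print("SVI in, unrelated flow:", evaluate(svi, "10.51.165.9", "192.0.2.10"))  # deny (implicit)
    print("Does 'in' on vlan 10.51.165.0/24 see 10.51.165.9 -> 10.104.101.60?",
          svi_acl_inspects("in", "10.51.165.0/24", "10.51.165.9", "10.104.101.60"))
```

The evaluator is stateless, exactly like a plain IOS ACL: binding the WAN ACL OUT filters only packets leaving toward the ISP, so return traffic from 10.104.101.60 is not inspected by it, and a second ACL in the other direction would be needed if the far side must also be stopped from initiating connections.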
12-20-2017 07:12 AM
12-20-2017 07:06 AM