Extended ACL

Navaz Wattoo
Level 1

Requirement: I need to permit only 172.16.71.40 and 172.16.50.0 to reach the server 192.168.10.210. This means all other hosts are blocked from accessing this server. This server exists in VLAN 40, and VLAN 40 also has other servers.

I configured the ACL below but it's not working. I need someone to help me, please. Thanks.

 

Switch(config)# ip access-list extended PERMIT
Switch(config-ext-nacl)# permit tcp host 172.16.71.40 host 192.168.10.210 eq any
Switch(config-ext-nacl)# permit tcp 172.16.50.0 0.0.0.255 host 192.168.10.210 eq any
Switch(config-ext-nacl)# exit

Switch(config)# ip access-list extended DENY
Switch(config-ext-nacl)# deny tcp host 192.168.10.210 host 172.16.71.0

Switch(config)# ip access-list extended PERMIT_ALL
Switch(config-ext-nacl)# permit ip any any

Switch(config)# vlan access-map map2 10
Switch(config-access-map)# match ip address PERMIT
Switch(config-access-map)# action forward
Switch(config)# vlan access-map map2 20
Switch(config-access-map)# match ip address DENY
Switch(config-access-map)# action drop
Switch(config)# vlan access-map map2 30
Switch(config-access-map)# match ip address PERMIT_ALL
Switch(config-access-map)# action forward
Switch(config-access-map)# exit

Navaz
Accepted Solution

Is this last post a response to my post ?

If it is then you haven't read my post.

Compare my acl with yours. Mine is a lot shorter.

Also, the direction the ACL is applied in is different, i.e. you have applied it inbound.

Try the configuration as I suggested and see if it works.

Jon


21 Replies

denis.kulakov
Level 1

Hello!

Your ACLs are configured to inspect only TCP traffic.

   ip access-list extended PERMIT
          permit ip host 172.16.71.40 host 192.168.10.210
          permit ip 172.16.50.0 0.0.0.255 host 192.168.10.210

Thanks denis.kulakov

As per your suggestion, I configured the below. Please check this.

 

Switch(config)# ip access-list extended PERMIT
Switch(config-ext-nacl)# permit ip host 172.16.71.40 host 192.168.10.210 eq any
Switch(config-ext-nacl)# permit ip 172.16.50.0 0.0.0.255 host 192.168.10.210 eq any
Switch(config-ext-nacl)# exit

Switch(config)# ip access-list extended DENY
Switch(config-ext-nacl)# deny ip host 192.168.10.210 host 172.16.71.0

Switch(config)# ip access-list extended PERMIT_ALL
Switch(config-ext-nacl)# permit ip any any

Switch(config)# vlan access-map map2 10
Switch(config-access-map)# match ip address PERMIT
Switch(config-access-map)# action forward
Switch(config)# vlan access-map map2 20
Switch(config-access-map)# match ip address DENY
Switch(config-access-map)# action drop
Switch(config)# vlan access-map map2 30
Switch(config-access-map)# match ip address PERMIT_ALL
Switch(config-access-map)# action forward
Switch(config-access-map)# exit

Navaz

Hello!

You don't need to type "eq any" at the end of the line.

Switch(config)# ip access-list extended PERMIT
Switch(config-ext-nacl)# permit ip host 172.16.71.40 host 192.168.10.210
Switch(config-ext-nacl)# permit ip 172.16.50.0 0.0.0.255 host 192.168.10.210
Switch(config-ext-nacl)# exit

Switch(config)# ip access-list extended DENY
Switch(config-ext-nacl)# permit ip 172.16.71.0 0.0.0.255 host 192.168.10.210
Switch(config-ext-nacl)# exit

Switch(config)# vlan access-map map2 10
Switch(config-access-map)# match ip address PERMIT
Switch(config-access-map)# action forward
Switch(config)# vlan access-map map2 20
Switch(config-access-map)# match ip address DENY
Switch(config-access-map)# action drop
Switch(config)# vlan access-map map2 30
Switch(config-access-map)# match ip address PERMIT_ALL
Switch(config-access-map)# action forward
Switch(config-access-map)# exit

 

Try this.

Thanks for the reply but it's not working.

Requirements: the subnet 172.16.50.0/24 and the host 172.16.71.40/24 can only access 192.168.10.210, but not the other machines that exist in this VLAN with the 192.168.10.254 subnet.

And some other subnets (172.16.81.0, 172.16.31.0, 172.16.41.0) access the different machines that exist in this VLAN, 192.168.10.254.

Navaz


And what is your network topology?

Please find the diagram

Navaz

Are the IP addresses of SW2, HUB2 and HUB1 matching?

1. Switch(config)# ip access-list extended PERMIT
Switch(config-ext-nacl)# permit ip host 172.16.71.40 host 192.168.10.210
Switch(config-ext-nacl)# permit ip 172.16.50.0 0.0.0.255 host 192.168.10.210
Switch(config-ext-nacl)# permit ip 172.16.81.0 0.0.0.255 192.168.10.0 0.0.0.255
Switch(config-ext-nacl)# permit ip 172.16.41.0 0.0.0.255 192.168.10.0 0.0.0.255
Switch(config-ext-nacl)# exit

2. Switch(config)# ip access-list extended DENY
Switch(config-ext-nacl)# permit ip host 172.16.71.40 192.168.10.0 0.0.0.255
Switch(config-ext-nacl)# permit ip 172.16.50.0 0.0.0.255 192.168.10.0 0.0.0.255
Switch(config-ext-nacl)# exit

3. Switch(config)# vlan access-map map2 10
Switch(config-access-map)# match ip address PERMIT
Switch(config-access-map)# action forward
Switch(config)# vlan access-map map2 20
Switch(config-access-map)# match ip address DENY
Switch(config-access-map)# action drop

4. Switch(config)# vlan filter map2 vlan-list [number of 192.168.10.0 vlan]

Please try this config.

Hello!

You can reach your goal with only 1 ACL:

Switch(config)# ip access-list extended PERMIT
Switch(config-ext-nacl)#permit ip host 172.16.71.40 host 192.168.10.210
Switch(config-ext-nacl)#permit ip 172.16.50.0 0.0.0.255 host 192.168.10.210
Switch(config-ext-nacl)#permit ip 172.16.34.0 0.0.0.255 192.168.10.0 0.0.0.255
Switch(config-ext-nacl)#permit ip 172.16.81.0 0.0.0.255 192.168.10.0 0.0.0.255
Switch(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 any
Switch(config-ext-nacl)#deny ip any any

Switch(config-ext-nacl)#exit

 

The C1, C2 and C3 gateway is the HUB IP address 172.16.X.253.

The SRV gateway is 192.168.10.254, and on the SW2 interface VLAN (192.168.10.0) the IP address is 192.168.10.254.

You just need to apply the ACL PERMIT on the VLAN interfaces of SW2:

Switch(config)#int vlan (81, 34, 50, 71)

Switch(config-if)#ip access-group PERMIT in

 

Please try

 

 

Thanks denis.kulakov for the reply.

Requirement:

1. I have multiple servers with different IPs:
192.168.10.10
192.168.10.24
192.168.10.97
192.168.10.210
192.168.10.247

and the client subnets in different VLANs:
172.16.16.0
172.16.41.0
172.16.71.0
172.16.81.0
172.16.50.0
172.16.100.0

Requirement 1: the servers with IPs 192.168.10.97 and 192.168.10.210 are accessible from 172.16.50.0 and the host 172.16.71.40.

And all other subnets cannot access these two servers (192.168.10.97 and 192.168.10.210).

Requirement 2: all the servers are accessible from all the subnets.

 

 

Navaz

Hello!

Switch(config)# ip access-list extended PERMIT
Switch(config-ext-nacl)#permit ip host 172.16.71.40 host 192.168.10.210
Switch(config-ext-nacl)#permit ip host 172.16.71.40 host 192.168.10.97
Switch(config-ext-nacl)#permit ip 172.16.50.0 0.0.0.255 host 192.168.10.210
Switch(config-ext-nacl)#permit ip 172.16.50.0 0.0.0.255 host 192.168.10.97
Switch(config-ext-nacl)#deny ip 172.16.16.0 0.0.0.255 host 192.168.10.210
Switch(config-ext-nacl)#deny ip 172.16.16.0 0.0.0.255 host 192.168.10.97
Switch(config-ext-nacl)#deny ip 172.16.41.0 0.0.0.255 host 192.168.10.210
Switch(config-ext-nacl)#deny ip 172.16.41.0 0.0.0.255 host 192.168.10.97
Switch(config-ext-nacl)#deny ip 172.16.71.0 0.0.0.255 host 192.168.10.210
Switch(config-ext-nacl)#deny ip 172.16.71.0 0.0.0.255 host 192.168.10.97
Switch(config-ext-nacl)#deny ip 172.16.81.0 0.0.0.255 host 192.168.10.210
Switch(config-ext-nacl)#deny ip 172.16.81.0 0.0.0.255 host 192.168.10.97
Switch(config-ext-nacl)#deny ip 172.16.100.0 0.0.0.255 host 192.168.10.210
Switch(config-ext-nacl)#deny ip 172.16.100.0 0.0.0.255 host 192.168.10.97
Switch(config-ext-nacl)#permit ip 172.16.16.0 0.0.0.255 192.168.10.0 0.0.0.255
Switch(config-ext-nacl)#permit ip 172.16.41.0 0.0.0.255 192.168.10.0 0.0.0.255
Switch(config-ext-nacl)#permit ip 172.16.71.0 0.0.0.255 192.168.10.0 0.0.0.255
Switch(config-ext-nacl)#permit ip 172.16.81.0 0.0.0.255 192.168.10.0 0.0.0.255
Switch(config-ext-nacl)#permit ip 172.16.100.0 0.0.0.255 192.168.10.0 0.0.0.255
Switch(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255
Switch(config-ext-nacl)#deny ip any any
Switch(config-ext-nacl)#exit

 

Switch(config)#interface vlan X

Switch(config-if)#ip access-group PERMIT in

 

You can apply this ACL to each VLAN interface except 192.168.10.254, or you can create an ACL for each interface. For example:

Switch(config)#ip access-list extended VLAN81
Switch(config-ext-nacl)#deny ip 172.16.81.0 0.0.0.255 host 192.168.10.210
Switch(config-ext-nacl)#deny ip 172.16.81.0 0.0.0.255 host 192.168.10.97
Switch(config-ext-nacl)#permit ip 172.16.81.0 0.0.0.255 192.168.10.0 0.0.0.255
Switch(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255
Switch(config-ext-nacl)#deny ip any any
Switch(config-ext-nacl)#exit
Switch(config)#interface vlan 81
Switch(config-if)#ip access-group VLAN81 in

or

Switch(config)#ip access-list extended VLAN71
Switch(config-ext-nacl)#permit ip host 172.16.71.40 host 192.168.10.210
Switch(config-ext-nacl)#permit ip host 172.16.71.40 host 192.168.10.97
Switch(config-ext-nacl)#deny ip 172.16.71.0 0.0.0.255 192.168.10.0 0.0.0.255
Switch(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255
Switch(config-ext-nacl)#deny ip any any
Switch(config-ext-nacl)#exit
Switch(config)#interface vlan 71
Switch(config-if)#ip access-group VLAN71 in

It needs to be implemented on each VLAN.

Navaz

Is SW2 a layer 3 switch? Who is the router?

SW2 is a layer 3 switch and the hub is layer 2.

Navaz

Your diagram is confusing because you have the same vlan IPs on different switches.

Is this just a lab ?

If so then -

ip access-list extended PERMIT
permit ip 172.16.50.0 0.0.0.255 host 192.168.10.97
permit ip 172.16.50.0 0.0.0.255 host 192.168.10.210
permit ip host 172.16.71.40 host 192.168.10.97
permit ip host 172.16.71.40 host 192.168.10.210
deny ip any host 192.168.10.97
deny ip any host 192.168.10.210
permit ip any any

Then apply this ACL to the server interface VLAN on SW2, i.e.

int vlan <x>  <-- this is the server vlan
ip address 192.168.10.x <subnet mask>
ip access-group PERMIT out

Note the example Denis gave uses ACLs applied inbound on each client VLAN as opposed to what I have suggested. Normally it is considered best practice to filter traffic closest to the source, so using inbound ACLs makes sense, but as all the SVIs (VLAN interfaces) are on the same switch it makes no real difference here, and it means you can just use one ACL applied to just the server VLAN.

Up to you really.

Jon
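To check the accepted answer's single ACL against both of Navaz's requirements, here is an added Python example (not part of the thread, nor Cisco code) that simulates first-match extended ACL evaluation with Cisco wildcard masks; the packet addresses it tests are constructed from the subnets in the thread.

```python
# Added example (not from the thread): a minimal first-match simulator for
# Cisco extended ACLs, used to test the accepted answer's ACL and ordering.
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def matches(addr, entry_addr, wildcard):
    """Cisco wildcard (inverse) mask: a 0 bit means that bit must match."""
    keep = ~_ip(wildcard)
    return (_ip(addr) & keep) == (_ip(entry_addr) & keep)

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>'; sides are 'host A', 'any' or 'A W'."""
    action, proto, *rest = line.split()
    assert proto == "ip", "only 'ip' entries are modelled here"
    fields, i = [], 0
    while i < len(rest):
        if rest[i] == "host":
            fields.append((rest[i + 1], "0.0.0.0")); i += 2
        elif rest[i] == "any":
            fields.append(("0.0.0.0", "255.255.255.255")); i += 1
        else:
            fields.append((rest[i], rest[i + 1])); i += 2
    (src, smask), (dst, dmask) = fields
    return action, src, smask, dst, dmask

def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for a src->dst packet (implicit deny at end)."""
    for action, esrc, smask, edst, dmask in acl:
        if matches(src, esrc, smask) and matches(dst, edst, dmask):
            return action
    return "deny"

# Jon's ACL from the accepted answer (applied outbound on the server SVI).
PERMIT = [parse_ace(line) for line in """
permit ip 172.16.50.0 0.0.0.255 host 192.168.10.97
permit ip 172.16.50.0 0.0.0.255 host 192.168.10.210
permit ip host 172.16.71.40 host 192.168.10.97
permit ip host 172.16.71.40 host 192.168.10.210
deny ip any host 192.168.10.97
deny ip any host 192.168.10.210
permit ip any any
""".strip().splitlines()]

def order_matters():
    """(correct, wrong) for 172.16.71.40 -> .210: the 'deny ip any host'
    lines must stay below the specific permits or they shadow them."""
    wrong = PERMIT[4:6] + PERMIT[:4] + PERMIT[6:]
    return evaluate(PERMIT, "172.16.71.40", "192.168.10.210"), evaluate(wrong, "172.16.71.40", "192.168.10.210")
```

Because the ACL is outbound on the server SVI, only traffic towards the servers is filtered; the simulator models that direction only.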

 
