Extended ACL

Navaz Wattoo
Level 1

Requirement: I need to permit only 172.16.71.40 and 172.16.50.0 to reach the server 192.168.10.210. This means all other hosts are blocked from accessing this server. This server exists in VLAN 40, and VLAN 40 also has other servers.

I configured the ACL below, but it's not working. Could someone please help me? Thanks.

Switch(config)# ip access-list extended PERMIT
Switch(config-ext-nacl)# permit tcp host 172.16.71.40 host 192.168.10.210 eq any
Switch(config-ext-nacl)# permit tcp 172.16.50.0 0.0.0.255 host 192.168.10.210 eq any
Switch(config-ext-nacl)# exit

Switch(config)# ip access-list extended DENY
Switch(config-ext-nacl)# deny tcp host 192.168.10.210 host 172.16.71.0
Switch(config-ext-nacl)# exit

Switch(config)# ip access-list extended PERMIT_ALL
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit

Switch(config)# vlan access-map map2 10
Switch(config-access-map)# match ip address PERMIT
Switch(config-access-map)# action forward
Switch(config)# vlan access-map map2 20
Switch(config-access-map)# match ip address DENY
Switch(config-access-map)# action drop
Switch(config)# vlan access-map map2 30
Switch(config-access-map)# match ip address PERMIT_ALL
Switch(config-access-map)# action forward
Switch(config-access-map)# exit

Navaz
21 Replies

Thanks for the reply.

I have attached a diagram again; please review it.

Navaz

Have you tried the configuration I suggested?

Jon

I applied this ACL as per your instructions, but it denies all the other servers in VLAN 40, like 192.168.10.10, 192.168.10.24 and 192.168.10.36.

ip access-list extended PERMIT
permit ip host 172.16.71.140 host 192.168.10.210
permit ip host 172.16.71.140 host 192.168.10.97
permit ip 172.16.50.0 0.0.0.255 host 192.168.10.210
permit ip 172.16.50.0 0.0.0.255 host 192.168.10.97

deny ip 172.16.10.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.10.0 0.0.0.255 host 192.168.10.210

deny ip 172.16.11.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.12.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.13.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.14.0 0.0.0.255 host 192.168.10.97

deny ip 172.16.11.0 0.0.0.255 host 192.168.10.210
deny ip 172.16.12.0 0.0.0.255 host 192.168.10.210
deny ip 172.16.13.0 0.0.0.255 host 192.168.10.210
deny ip 172.16.14.0 0.0.0.255 host 192.168.10.210


deny ip 172.16.21.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.22.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.23.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.24.0 0.0.0.255 host 192.168.10.97

deny ip 172.16.21.0 0.0.0.255 host 192.168.10.210
deny ip 172.16.22.0 0.0.0.255 host 192.168.10.210
deny ip 172.16.23.0 0.0.0.255 host 192.168.10.210
deny ip 172.16.24.0 0.0.0.255 host 192.168.10.210

deny ip 172.16.31.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.32.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.33.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.34.0 0.0.0.255 host 192.168.10.97

deny ip 172.16.31.0 0.0.0.255 host 192.168.10.210
deny ip 172.16.32.0 0.0.0.255 host 192.168.10.210
deny ip 172.16.33.0 0.0.0.255 host 192.168.10.210
deny ip 172.16.34.0 0.0.0.255 host 192.168.10.210

deny ip 172.16.41.0 0.0.0.255 host 192.168.10.97

deny ip 172.16.41.0 0.0.0.255 host 192.168.10.210

deny ip 172.16.71.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.72.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.73.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.74.0 0.0.0.255 host 192.168.10.97

deny ip 172.16.71.0 0.0.0.255 host 192.168.10.210
deny ip 172.16.72.0 0.0.0.255 host 192.168.10.210
deny ip 172.16.73.0 0.0.0.255 host 192.168.10.210
deny ip 172.16.74.0 0.0.0.255 host 192.168.10.210

deny ip 172.16.81.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.82.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.83.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.84.0 0.0.0.255 host 192.168.10.97

deny ip 172.16.81.0 0.0.0.255 host 192.168.10.210
deny ip 172.16.82.0 0.0.0.255 host 192.168.10.210
deny ip 172.16.83.0 0.0.0.255 host 192.168.10.210
deny ip 172.16.84.0 0.0.0.255 host 192.168.10.210

deny ip 172.16.100.0 0.0.0.255 host 192.168.10.97
deny ip 172.16.100.0 0.0.0.255 host 192.168.10.210

deny ip any any

exit

 

Switch(config)#interface vlan 40

Switch(config-if)#ip access-group PERMIT in

Navaz

Is this last post a response to my post?

If it is, then you haven't read my post.

Compare my ACL with yours. Mine is a lot shorter.

Also, the direction the ACL is applied in is different, i.e. you have applied it inbound.

Try the configuration as I suggested and see if it works.

Jon
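The direction point above is the whole story, so here is a small Python model of IOS extended-ACL evaluation on an SVI, added as an illustration (it is not code from the thread, and the short ACL it contains is my constructed version of the requirement, not Jon's posted configuration). An ACL applied with `ip access-group ... in` on `interface vlan 40` only inspects packets arriving from VLAN 40, i.e. packets sourced from 192.168.10.x; the long inbound ACL above has no permit with such a source, so its `deny ip any any` drops every reply from every server in the VLAN, which is exactly the symptom reported. Applied with `out`, the ACL inspects packets routed toward VLAN 40, so a four-line list that denies only destination 192.168.10.210 and then permits everything leaves the other servers reachable. The model matches on addresses only and ignores port qualifiers (note that `eq any`, as in the original post, is not accepted by IOS, where `eq` takes a port number or name); the sample packets are constructed.

```python
"""Python model of Cisco IOS extended-ACL evaluation on an SVI (added example,
not from the thread). It shows why an ACL applied *inbound* on 'interface
vlan 40' cut off every server in the VLAN, and that a short ACL applied
*outbound* on the same SVI restricts only 192.168.10.210."""
import ipaddress


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)


def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse '{permit|deny} PROTO SRC DST [...]' lines; headers and 'exit' are
    skipped. Port qualifiers after DST are ignored: this model filters on
    addresses only."""
    acl = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        src, rest = _parse_addr(tokens[2:])
        dst, _ = _parse_addr(rest)
        acl.append({"action": tokens[0], "proto": tokens[1], "src": src,
                    "dst": dst, "text": raw.strip()})
    return acl


def evaluate(acl, src, dst, proto="ip"):
    """First matching entry wins; every IOS ACL ends with an implicit
    'deny ip any any'."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"], ace["text"]
    return "deny", "implicit deny ip any any"


def svi_filter(acl, direction, svi_subnet, src, dst):
    """Which packets an ACL on an SVI sees. 'in' inspects packets arriving
    from the VLAN (source inside its subnet); 'out' inspects packets routed
    toward the VLAN (destination inside its subnet). Anything else is not
    evaluated by this ACL at all."""
    net = ipaddress.IPv4Network(svi_subnet)
    addr = ipaddress.IPv4Address(src if direction == "in" else dst)
    if addr not in net:
        return "not evaluated", None
    return evaluate(acl, src, dst)


# Constructed abbreviation of the long ACL posted in the thread: permits for
# the two allowed sources, per-subnet denies, then an explicit 'deny ip any any'.
INBOUND_ACL = """
ip access-list extended PERMIT
 permit ip host 172.16.71.40 host 192.168.10.210
 permit ip 172.16.50.0 0.0.0.255 host 192.168.10.210
 deny ip 172.16.10.0 0.0.0.255 host 192.168.10.210
 deny ip any any
"""

# Constructed short ACL for the stated requirement (my wording, not Jon's
# posted configuration), meant for 'ip access-group SERVER210 out' on
# interface vlan 40. The name SERVER210 is an assumption.
OUTBOUND_ACL = """
ip access-list extended SERVER210
 permit ip host 172.16.71.40 host 192.168.10.210
 permit ip 172.16.50.0 0.0.0.255 host 192.168.10.210
 deny ip any host 192.168.10.210
 permit ip any any
"""

VLAN40 = "192.168.10.0/24"  # SVI subnet assumed from the addresses in the thread


def compare():
    """Run the same constructed packets through both placements; return
    {flow: (verdict of inbound ACL, verdict of outbound ACL)}."""
    inbound, outbound = parse_acl(INBOUND_ACL), parse_acl(OUTBOUND_ACL)
    flows = [("172.16.10.5", "192.168.10.10"),    # other host -> other server
             ("192.168.10.10", "172.16.10.5"),    # that server's reply
             ("172.16.10.5", "192.168.10.210"),   # other host -> restricted server
             ("172.16.71.40", "192.168.10.210"),  # allowed host -> restricted server
             ("172.16.50.77", "192.168.10.210")]  # allowed subnet -> restricted server
    return {f"{s}->{d}": (svi_filter(inbound, "in", VLAN40, s, d)[0],
                          svi_filter(outbound, "out", VLAN40, s, d)[0])
            for s, d in flows}


if __name__ == "__main__":
    for flow, (acl_in, acl_out) in compare().items():
        print(f"{flow:32} inbound ACL: {acl_in:14} outbound ACL: {acl_out}")
```

Running `compare()` shows the inbound placement never even evaluates client-to-server packets; it only sees the servers' replies, and drops all of them, including .210's replies to the two allowed sources. The outbound placement permits 172.16.10.5 to 192.168.10.10, denies 172.16.10.5 to 192.168.10.210, and permits the two allowed sources to .210. Before deploying such a list, check it with `show ip access-lists` hit counters against a known-good and a known-blocked client.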

Thanks, it's working.

Navaz

Are you applying the ACL to the VLAN?

     Switch(config)# vlan filter map2 vlan-list [vlan number]

I think it needs to be applied to the VLAN.

Am I right?

Navaz