01-30-2019 06:53 AM - edited 03-08-2019 05:11 PM
I want to deny all hosts in VLAN 60 access to VLAN 80 for web services. All other traffic must be permitted.
My subnet address for VLAN 60 is 10.20.200.64/28
My subnet address for VLAN 80 is 10.20.203.0/23
My commands are:
access-list 150 deny tcp 10.20.200.64 0.0.0.15 10.20.203.0 0.0.1.255 eq www
access-list 150 permit tcp 10.20.200.64 0.0.0.15 10.20.203.0 0.0.1.255 eq telnet
int fa0/0.80
ip access-group 150 in
Will this work?
01-30-2019 07:18 AM
Hello,
Please note that 10.20.203.0/23 is not a valid network address. It is a host address in the network 10.20.202.0/23.
So the appropriate network address and wildcard mask will be 10.20.202.0 0.0.1.255.
The access list you mentioned, based on traffic direction and source/destination IP addresses, should be applied either to the interface in VLAN60 in the "in" direction, or to the interface in VLAN80 in the "out" direction. The first option is preferred, since traffic will be dropped earlier. But it might depend on other existing rules.
So, config would be:
access-list 150 deny tcp 10.20.200.64 0.0.0.15 10.20.202.0 0.0.1.255 eq www
access-list 150 permit ip any any
int fa0/0.60 --> or other appropriate interface
ip access-group 150 in
OR:
access-list 150 deny tcp 10.20.200.64 0.0.0.15 10.20.202.0 0.0.1.255 eq www
access-list 150 permit ip any any
int fa0/0.80
ip access-group 150 out
01-30-2019 06:56 AM
You will also need these two lines:
access-list 150 deny tcp 10.20.200.64 0.0.0.15 10.20.203.0 0.0.1.255 eq 443
access-list 150 permit ip any any
cheers,
Seb.
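A worked check of the two answers above, as an added example that is not code from this thread or from Cisco: a small Python model of IOS extended-ACL matching, including the implicit "deny ip any any" at the end of every IOS access list, run against constructed sample flows. It shows why the original list (deny www, permit telnet, nothing else) blocks all other traffic, how the /23 host address normalises to 10.20.202.0 0.0.1.255, and what the extra port 443 line changes. The names AclEntry, wildcard_for, evaluate, OP_ACL, FIXED_ACL and the sample host addresses are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One access-control entry (ACE) of a numbered extended ACL."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any protocol) or "tcp"
    src: str               # "address wildcard" or "any"
    dst: str               # "address wildcard" or "any"
    dport: Optional[int] = None   # eq <port>; None means any port


def wildcard_for(prefix: str) -> Tuple[str, str]:
    """Return (network address, wildcard mask) for a CIDR prefix.

    A host address inside the block is normalised to the block's network
    address, e.g. 10.20.203.0/23 -> ("10.20.202.0", "0.0.1.255").
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.network_address), str(net.hostmask)


def _match_addr(spec: str, addr: str) -> bool:
    """Wildcard match: a set bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = ~int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(base)) & care) == \
           (int(ipaddress.ip_address(addr)) & care)


def evaluate(acl: List[AclEntry], src: str, dst: str,
             proto: str, dport: int) -> str:
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_match_addr(ace.src, src) and _match_addr(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"   # implicit deny ip any any at the end of every IOS ACL


V60 = "10.20.200.64 0.0.0.15"      # VLAN 60, 10.20.200.64/28
V80_WRONG = "10.20.203.0 0.0.1.255"  # host address, as typed in the question
V80 = "%s %s" % wildcard_for("10.20.203.0/23")  # "10.20.202.0 0.0.1.255"

# The list exactly as posted: only www is denied and telnet permitted,
# so everything else from anywhere falls through to the implicit deny.
OP_ACL = [
    AclEntry("deny", "tcp", V60, V80_WRONG, 80),
    AclEntry("permit", "tcp", V60, V80_WRONG, 23),
]

# Corrected list combining both answers: deny www and https from VLAN 60
# to VLAN 80, then explicitly permit all other traffic.
FIXED_ACL = [
    AclEntry("deny", "tcp", V60, V80, 80),
    AclEntry("deny", "tcp", V60, V80, 443),
    AclEntry("permit", "ip", "any", "any"),
]

# Constructed sample flows: (src, dst, proto, dport, description).
FLOWS = [
    ("10.20.200.70", "10.20.203.10", "tcp", 80, "VLAN60 -> VLAN80 www"),
    ("10.20.200.70", "10.20.203.10", "tcp", 443, "VLAN60 -> VLAN80 https"),
    ("10.20.200.70", "10.20.203.10", "tcp", 23, "VLAN60 -> VLAN80 telnet"),
    ("10.20.200.70", "10.20.203.10", "tcp", 22, "VLAN60 -> VLAN80 ssh"),
    ("10.20.201.5", "10.20.202.1", "tcp", 80, "other host -> VLAN80 www"),
]


def compare(flows=FLOWS):
    """Return [(description, verdict under OP_ACL, verdict under FIXED_ACL)]."""
    return [(d, evaluate(OP_ACL, s, t, p, port), evaluate(FIXED_ACL, s, t, p, port))
            for s, t, p, port, d in flows]


if __name__ == "__main__":
    print("%-28s %-8s %s" % ("flow", "posted", "corrected"))
    for desc, before, after in compare():
        print("%-28s %-8s %s" % (desc, before, after))
```

The matcher compares only the bits the wildcard leaves significant, which is why 10.20.203.0 0.0.1.255 happens to cover the same range as 10.20.202.0 0.0.1.255; writing the real network address, as the accepted answer does, is still what you want so the entry reads as the /23 it is meant to be. The table the script prints makes the main point visible: under the posted list the SSH flow and the flow from a host outside the /28 are both dropped by the implicit deny, while the corrected list permits them and drops only web traffic from VLAN 60.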
02-02-2019 03:03 AM
Thank you so much it was very helpful.
01-30-2019 07:26 AM
Excellent spot!