How to deny all hosts in one vlan from reaching hosts in another vlan just for web services?

NandaK (Level 1)

I want to deny all hosts in VLAN 60 from accessing VLAN 80 for web services. All other traffic must be permitted.

 

My subnet address for VLAN 60 is 10.20.200.64/28

My subnet address for VLAN 80 is 10.20.203.0/23     

 

My commands are :

 

access-list 150 deny tcp 10.20.200.64 0.0.0.15 10.20.203.0 0.0.1.255 eq www
access-list 150 permit tcp 10.20.200.64 0.0.0.15 10.20.203.0 0.0.1.255 eq telnet
int fa0/0.80
ip access-group 150 in

 

will this work?

Accepted Solution

vb10 (Level 1)

Hello,

Please note that 10.20.203.0/23 is not a valid network address. It's a host address in the network 10.20.202.0/23.

So the appropriate address and wildcard mask will be 10.20.202.0 0.0.1.255.

 

The access list you mentioned, based on traffic direction and source/destination IP addresses, should be applied either to the VLAN 60 interface in the "in" direction or to the VLAN 80 interface in the "out" direction. The first option is preferred, since traffic will be dropped earlier, but it might depend on other existing rules.

 

 

So, config would be:

 

access-list 150 deny tcp 10.20.200.64 0.0.0.15 10.20.202.0 0.0.1.255 eq www
access-list 150 permit ip any any

 

int fa0/0.60 --> or other appropriate interface
ip access-group 150 in

 

OR:

 

access-list 150 deny tcp 10.20.200.64 0.0.0.15 10.20.202.0 0.0.1.255 eq www
access-list 150 permit ip any any

 

int fa0/0.80
ip access-group 150 out

 

 


5 Replies

Seb Rupik (VIP Alumni)

You will also need these two lines:

!
access-list 150 deny tcp 10.20.200.64 0.0.0.15 10.20.203.0 0.0.1.255 eq 443
access-list 150 permit ip any any
!

cheers,

Seb.

 

You need to set the ACL outbound too, as well as inbound.
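Putting vb10's accepted answer (correct network/wildcard pair, explicit permit at the end) together with Seb's point that HTTPS must be denied as well, here is an added example in Python. It is not code from this thread or from Cisco: it derives the IOS address/wildcard pairs from the two prefixes quoted in the question, builds the corrected access-list, and runs a small first-match evaluator (with the implicit deny every IOS ACL ends with) over constructed flows. The host addresses 10.20.200.70, 10.20.200.80 and 10.20.203.10, the port set, and the sub-interface name FastEthernet0/0.60 are assumptions made for illustration; only the standard-library ipaddress module is used.

```python
# Added example, not code from the original thread or from Cisco: derive the
# correct network/wildcard pairs from the prefixes in the question, build the
# corrected access-list (HTTP and HTTPS denied, everything else permitted) and
# evaluate it against constructed flows. Host addresses, the port list and the
# sub-interface name FastEthernet0/0.60 are assumptions for illustration.
import ipaddress

# strict=False lets the library derive the real network for 10.20.203.0/23,
# which is a host address inside 10.20.202.0/23 (the point vb10 raised).
VLAN60 = ipaddress.ip_network("10.20.200.64/28")
VLAN80 = ipaddress.ip_network("10.20.203.0/23", strict=False)

# IOS port keywords used in the thread; IOS accepts the keyword or the number.
PORT_NAMES = {"www": 80, "https": 443, "telnet": 23}


def wildcard(net):
    """'network wildcard' as IOS expects it; the wildcard is the inverted netmask."""
    return f"{net.network_address} {net.hostmask}"


def build_acl(number, src, dst, blocked_ports=(80, 443)):
    """Deny the given TCP ports from src to dst, then permit all other IP traffic."""
    lines = [f"access-list {number} deny tcp {wildcard(src)} {wildcard(dst)} eq {p}"
             for p in blocked_ports]
    lines.append(f"access-list {number} permit ip any any")
    return lines


def full_config(number=150):
    """Corrected ACL plus placement inbound on the VLAN 60 sub-interface (name assumed)."""
    return build_acl(number, VLAN60, VLAN80) + [
        "interface FastEthernet0/0.60",
        f" ip access-group {number} in",
    ]


def _net_from_wildcard(addr, wild):
    """Turn 'addr wildcard' back into a network; assumes a contiguous wildcard."""
    ones = bin(int(ipaddress.ip_address(wild))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)


def parse_acl(lines):
    """Parse numbered-ACL lines of the form used in the thread into rule tuples."""
    rules = []
    for line in lines:
        t = line.split()
        action, proto, i = t[2], t[3], 4
        nets = []
        for _ in range(2):  # source, then destination
            if t[i] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                i += 1
            else:
                nets.append(_net_from_wildcard(t[i], t[i + 1]))
                i += 2
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        rules.append((action, proto, nets[0], nets[1], port))
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dst_port=None):
    """First matching rule wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dst_port:
            continue
        return action
    return "deny"


# Constructed flows towards a VLAN 80 server (addresses assumed). The last one
# comes from 10.20.200.80, which lies outside the /28 and so must not be blocked.
FLOWS = {
    "http": ("tcp", "10.20.200.70", "10.20.203.10", 80),
    "https": ("tcp", "10.20.200.70", "10.20.203.10", 443),
    "telnet": ("tcp", "10.20.200.70", "10.20.203.10", 23),
    "other_subnet_http": ("tcp", "10.20.200.80", "10.20.203.10", 80),
}


def check_flows(acl_lines):
    """Map each constructed flow to the action the given ACL takes on it."""
    rules = parse_acl(acl_lines)
    return {name: evaluate(rules, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    print("\n".join(full_config()))
    # The www-only list from the accepted answer still lets HTTPS through.
    print(check_flows(build_acl(150, VLAN60, VLAN80, blocked_ports=(80,))))
    print(check_flows(build_acl(150, VLAN60, VLAN80)))
```

Feeding the original two-line list from the question (deny www, permit telnet) into the same evaluator shows why the explicit `permit ip any any` matters: with no such line, every other flow falls through to the implicit deny and only telnet would have survived. The evaluator only models rule matching; which interface and direction the list is applied to is left to the "in" on VLAN 60 versus "out" on VLAN 80 discussion above.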


Thank you so much, it was very helpful.

Excellent spot!
