
Need allow only one ip to access web server within vlan

shahbaz1981
Level 1

Hi,

I need to allow only one IP to access the web server within the VLAN.

Allow 10.10.0.10 to 10.10.0.80

All other IPs in the VLAN should be blocked (subnet 10.10.0.0/23).

2 Replies

Hello

If this is within a specific VLAN, then a VACL would be able to do this.

access-list 100 permit ip host 10.10.0.10 host 10.10.0.80
access-list 100 permit ip host 10.10.0.80 host 10.10.0.10
!
! In a VACL an ACL "permit" marks traffic as matched; the map action decides its fate
access-list 101 permit ip any host 10.10.0.80
access-list 101 permit ip host 10.10.0.80 any
!
! Allows host to web server
vlan access-map host2web 10
 match ip address 100
 action forward
!
! Denies any other host to web server
vlan access-map host2web 20
 match ip address 101
 action drop
!
! Allows all other communication within the vlan
vlan access-map host2web 99
 action forward
!
! Apply to the vlan in question
vlan filter host2web vlan-list xx

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

A VLAN access map should work. Have a look at the example below. The VLAN (4) is arbitrary; replace it with your own:

! Named ACLs are defined with "ip access-list extended"
ip access-list extended WEB_SERVER
 permit ip host 10.10.0.10 host 10.10.0.80
!
vlan access-map SERVER_ACCESS
 match ip address WEB_SERVER
 action forward
!
vlan filter SERVER_ACCESS vlan-list 4

Actually, thinking about it, you need to allow traffic from the web server back to your host as well:

ip access-list extended WEB_SERVER
 permit ip host 192.168.1.2 host 192.168.1.10
 permit ip host 192.168.1.10 host 192.168.1.2
!
vlan access-map SERVER_ACCESS
 match ip address WEB_SERVER
 action forward
!
vlan filter SERVER_ACCESS vlan-list 4
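
The following Python model is an added example, not part of either reply or of any Cisco tool. It evaluates the two access-map designs from the replies above against constructed sample packets from the question's 10.10.0.0/23 subnet. It assumes the documented Catalyst VACL behaviour for IP traffic: an ACL "permit" means the map entry matches, an ACL "deny" means it does not, an entry without a match clause matches everything, and IP packets that match no entry are dropped. Non-IP traffic such as ARP is not modelled.

```python
from ipaddress import ip_address, ip_network

HOST, WEB, ANY = "10.10.0.10/32", "10.10.0.80/32", "0.0.0.0/0"

def ace(action, src, dst):
    return (action, ip_network(src), ip_network(dst))

def acl_matches(acl, src, dst):
    """First ACE that covers the packet decides: permit = matched, deny = not matched."""
    for action, s, d in acl:
        if ip_address(src) in s and ip_address(dst) in d:
            return action == "permit"
    return False  # implicit deny at the end of the ACL: no match

def vacl(access_map, src, dst):
    """Walk map entries in sequence order; the first matching entry's action wins."""
    for _seq, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl is None or acl_matches(acl, src, dst):  # None = no match clause
            return action
    return "drop"  # implicit drop for IP packets that matched no entry

PAIR = [ace("permit", HOST, WEB), ace("permit", WEB, HOST)]
WEB_PERMIT = [ace("permit", ANY, WEB), ace("permit", WEB, ANY)]
WEB_DENY = [ace("deny", ANY, WEB), ace("deny", WEB, ANY)]

# Three-entry design: forward the pair, drop other web-server traffic, forward the rest.
THREE_ENTRY = [(10, PAIR, "forward"), (20, WEB_PERMIT, "drop"), (99, None, "forward")]
# Same map, but the ACL referenced by sequence 20 is written with deny ACEs.
THREE_ENTRY_DENY = [(10, PAIR, "forward"), (20, WEB_DENY, "drop"), (99, None, "forward")]
# Single-entry design: forward the pair and rely on the implicit drop.
SINGLE_ENTRY = [(10, PAIR, "forward")]

# Constructed sample packets (source, destination).
PACKETS = [("10.10.0.10", "10.10.0.80"),   # allowed host -> web server
           ("10.10.0.80", "10.10.0.10"),   # web server -> allowed host
           ("10.10.1.20", "10.10.0.80"),   # other host -> web server
           ("10.10.1.20", "10.10.0.30")]   # other host -> other host

def verdicts(access_map):
    return [vacl(access_map, s, d) for s, d in PACKETS]

if __name__ == "__main__":
    for name, m in [("three-entry", THREE_ENTRY),
                    ("three-entry, deny ACL", THREE_ENTRY_DENY),
                    ("single-entry", SINGLE_ENTRY)]:
        print(f"{name:22}", verdicts(m))
```

The third packet is the one to check after applying a VACL: with deny ACEs behind the drop entry it falls through to the catch-all and is forwarded. The fourth packet shows that the single-entry design also blocks unrelated IP traffic inside the VLAN.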
