07-22-2017 08:24 AM - edited 03-08-2019 11:25 AM
Hi,
I need to allow only one IP to access the web server within the VLAN.
Allow 10.10.0.10 to reach 10.10.0.80.
All other IPs in the VLAN should be blocked (subnet 10.10.0.0/23).
07-22-2017 11:46 AM
Hello
If this is within a specific VLAN, then a VACL would be able to do this.
access-list 100 permit ip host 10.10.0.10 host 10.10.0.80
access-list 100 permit ip host 10.10.0.80 host 10.10.0.10
access-list 101 permit ip any host 10.10.0.80 <---- permit, not deny: a VACL sequence only matches traffic its ACL permits
access-list 101 permit ip host 10.10.0.80 any
vlan access-map host2web 10 <---- allows host to web server
match ip address 100
action forward
vlan access-map host2web 20 <---- drops any other host to web server
match ip address 101
action drop
vlan access-map host2web 99 <---- allows all other communication within the vlan (no match clause = match everything)
action forward
vlan filter host2web vlan-list xx <--- apply to the vlan in question.
res
Paul
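The thread relies on a subtlety of VLAN access maps: a sequence matches a packet only when its ACL permits it, deny entries never match and fall through, and anything matching no sequence hits the implicit drop at the end. The following is an added example, not code from the thread; it models that evaluation order over constructed flows for the addresses in the question so the filter can be checked before it is applied (the web-server VLAN, ACL numbers and sequence layout follow the post above).

```python
# Added example: a small model of Cisco VACL evaluation used to check that the
# access map really isolates the web server. Semantics modelled: sequences are
# tried in order; a sequence matches only if its ACL *permits* the packet (deny
# entries never match); the first match decides forward/drop; a sequence with
# no match clause matches everything; unmatched traffic is dropped.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"

@dataclass(frozen=True)
class AclEntry:
    permit: bool   # True for a permit entry, False for a deny entry
    src: str       # host address or ANY
    dst: str

def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First ACL entry whose src/dst match decides; no entry means deny."""
    for e in acl:
        if e.src in (ANY, src) and e.dst in (ANY, dst):
            return e.permit
    return False

# One access-map sequence: (ACL, or None for "no match clause") and its action.
Sequence = Tuple[Optional[List[AclEntry]], str]

def vacl_action(access_map: List[Sequence], src: str, dst: str) -> str:
    """Return 'forward' or 'drop' for a packet src->dst on the filtered VLAN."""
    for acl, action in access_map:
        if acl is None or acl_permits(acl, src, dst):
            return action
    return "drop"  # implicit deny when no sequence matches

HOST, WEB = "10.10.0.10", "10.10.0.80"   # addresses from the question

ACL_100 = [AclEntry(True, HOST, WEB), AclEntry(True, WEB, HOST)]
# Two versions of ACL 101: entries meant to trigger 'drop' must be permits.
ACL_101_PERMIT = [AclEntry(True, ANY, WEB), AclEntry(True, WEB, ANY)]
ACL_101_DENY = [AclEntry(False, ANY, WEB), AclEntry(False, WEB, ANY)]

def build_map(acl_101: List[AclEntry]) -> List[Sequence]:
    return [(ACL_100, "forward"), (acl_101, "drop"), (None, "forward")]

GOOD_MAP = build_map(ACL_101_PERMIT)  # isolates the web server
BAD_MAP = build_map(ACL_101_DENY)     # deny entries fall through: nothing dropped

if __name__ == "__main__":
    # Constructed flows: the allowed host, an unrelated host, and intra-VLAN traffic.
    for s, d in [(HOST, WEB), ("10.10.0.50", WEB), ("10.10.0.50", "10.10.0.60")]:
        print(f"{s} -> {d}: good={vacl_action(GOOD_MAP, s, d)} bad={vacl_action(BAD_MAP, s, d)}")
```

Running it shows the deny-based ACL 101 forwards every flow, which is why a VACL used for blocking must match with permit entries and drop with the map action.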
07-22-2017 12:04 PM
Hello,
A VLAN access map should work. Have a look at the example below. VLAN 4 is arbitrary; replace it with your own:
ip access-list extended WEB_SERVER
 permit ip host 10.10.0.10 host 10.10.0.80
!
vlan access-map SERVER_ACCESS
match ip address WEB_SERVER
action forward
!
vlan filter SERVER_ACCESS vlan-list 4
Actually, thinking about it you need to allow traffic from the web server back to your host as well:
ip access-list extended WEB_SERVER
 permit ip host 192.168.1.2 host 192.168.1.10
 permit ip host 192.168.1.10 host 192.168.1.2
!
vlan access-map SERVER_ACCESS
match ip address WEB_SERVER
action forward
!
vlan filter SERVER_ACCESS vlan-list 4