
Restrict Access

estadlercisco
Level 1

I'm trying to restrict access between these two VLANs. The design is simple: just restrict anything (IP) in the 10.1.20.X range from getting to the 10.1.10.X range. I've been toying with reflexive ACLs but cannot seem to get it to work.

interface Vlan10
 description **Staff**
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.3.2
!
interface Vlan20
 description **Students1**
 ip address 10.1.20.1 255.255.254.0
 ip access-group student2staff in
 ip helper-address 10.1.3.2
!
! staff2student (the ACL carrying the 'reflect' entry) is defined below but is not
! applied to any interface with ip access-group in the configuration shown
ip access-list extended staff2student
 permit ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.1.255 reflect staffreturn
 permit ip any any
!
ip access-list extended student2staff
 permit ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.1.255
 evaluate staffreturn
 permit icmp 10.1.20.0 0.0.1.255 10.1.10.0 0.0.0.255 echo-reply
 deny ip 10.1.20.0 0.0.1.255 10.254.0.0 0.0.255.255
 deny ip 10.1.20.0 0.0.1.255 10.1.10.0 0.0.0.255
 deny ip 10.1.20.0 0.0.1.255 10.250.0.0 0.0.255.255
 permit ip any any

8 Replies

shivlu jain
Level 5

interface Vlan20
 description **Students1**
 ip address 10.1.20.1 255.255.254.0

Please check the subnet mask.

regards

shivlu

What do you see wrong with the subnet mask? The student subnet needs to be 10.1.20.0 - 10.1.21.254.

So you want to block traffic from students to staff. Do you want there to be any communication from the staff to students?

Nothing should be blocked from staff to students.

bvsnarayana03
Level 5

Since the ACL is one-way, so many statements are not required. Simply:

ip access-list extended student2staff
 deny ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.1.255
 permit ip any any

That would work, but I assume this is a switch, which is not stateful. Therefore if staff tried to contact students, the return traffic from the students would be blocked by the deny line in the ACL. And it would actually be...

ip access-list extended student2staff
 deny ip 10.1.20.0 0.0.1.255 10.1.10.0 0.0.0.255
 permit ip any any

Since the ACL is inbound on the student VLAN, it would check only traffic originated by that VLAN. Since there is no ACL outbound on this VLAN, all traffic towards students should flow without hampering.

The definition of inbound in this case is really inbound to a student VLAN port. Therefore any traffic originating from a student machine would be checked against this ACL, including replies to traffic originated by staff.
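The disagreement in the replies above (whether an inbound deny on the student VLAN also blocks student replies to staff-initiated sessions, and what a reflexive entry changes) can be checked with a small model. The Python below is an added example written for this page, not code or configuration from the thread or from Cisco: it implements IOS wildcard-mask matching and first-match ACL evaluation, then runs constructed packets through the two-line deny ACL proposed above, the same ACL with a TCP `established` entry in front of the deny, and a reflexive-style entry table standing in for `reflect`/`evaluate staffreturn`. The host addresses, ports and packet names are made up for illustration; only the two subnets and wildcard masks come from the thread.

```python
"""Model of IOS-style extended ACL evaluation: plain deny vs. 'established' vs. reflexive.

Added example for this thread; not code or configuration from the original post.
"""
import ipaddress
from dataclasses import dataclass


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard mask means 'don't care'."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return to_int(addr) & care == to_int(network) & care


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. frozenset({"SYN", "ACK"})


@dataclass(frozen=True)
class Ace:
    """One entry: action proto src src_wc dst dst_wc [established]."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    established: bool = False   # IOS 'established': TCP segment with ACK or RST set

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (wildcard_match(pkt.src, self.src, self.src_wc)
                and wildcard_match(pkt.dst, self.dst, self.dst_wc)):
            return False
        if self.established:
            return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})
        return True


class ReflexiveTable:
    """Entries created by 'reflect NAME' in one direction, consulted by 'evaluate NAME' in the other."""
    def __init__(self):
        self.sessions = set()

    def reflect(self, pkt):
        # Store the mirror image of the permitted flow: the reply returns with src/dst swapped.
        self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def matches(self, pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions


def evaluate(acl, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for entry in acl:
        if isinstance(entry, ReflexiveTable):
            if entry.matches(pkt):
                return "permit"
        elif entry.matches(pkt):
            return entry.action
    return "deny"


def decisions(acl, packets):
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}


# Subnets from the thread (students are a /23, hence wildcard 0.0.1.255).
STUDENTS = ("10.1.20.0", "0.0.1.255")
STAFF = ("10.1.10.0", "0.0.0.255")
ANY = ("0.0.0.0", "255.255.255.255")

# Constructed traffic (hosts and ports are made up). INBOUND is what the ACL on Vlan20 sees.
STAFF_SYN = Packet("10.1.10.7", "10.1.21.50", "tcp", 50000, 3389, frozenset({"SYN"}))
INBOUND = {
    "student_syn": Packet("10.1.21.50", "10.1.10.7", "tcp", 40000, 445, frozenset({"SYN"})),
    "student_reply": Packet("10.1.21.50", "10.1.10.7", "tcp", 3389, 50000, frozenset({"SYN", "ACK"})),
    "spoofed_ack": Packet("10.1.21.50", "10.1.10.7", "tcp", 40001, 445, frozenset({"ACK"})),
}

# The two-line ACL proposed in the thread, applied inbound on Vlan20.
PLAIN = [Ace("deny", "ip", *STUDENTS, *STAFF), Ace("permit", "ip", *ANY, *ANY)]

# Same ACL with a TCP 'established' entry placed before the deny.
WITH_ESTABLISHED = [
    Ace("permit", "tcp", *STUDENTS, *STAFF, established=True),
    Ace("deny", "ip", *STUDENTS, *STAFF),
    Ace("permit", "ip", *ANY, *ANY),
]


def reflexive_decisions():
    """Reflexive pair: staff2student ('reflect') outbound on Vlan20, student2staff ('evaluate') inbound."""
    table = ReflexiveTable()
    staff2student = [Ace("permit", "ip", *STAFF, *STUDENTS)]
    student2staff = [table, Ace("deny", "ip", *STUDENTS, *STAFF), Ace("permit", "ip", *ANY, *ANY)]
    if evaluate(staff2student, STAFF_SYN) == "permit":   # staff opens the session ...
        table.reflect(STAFF_SYN)                          # ... and the mirror entry is created
    return decisions(student2staff, INBOUND)


if __name__ == "__main__":
    print("plain deny: ", decisions(PLAIN, INBOUND))
    print("established:", decisions(WITH_ESTABLISHED, INBOUND))
    print("reflexive:  ", reflexive_decisions())
```

Running it shows the three behaviours side by side. With the plain deny, the student SYN is dropped, but so is the student's SYN/ACK back to the staff host, which is the point made above about a stateless switch ACL. Adding `established` lets the reply through, but it only inspects TCP flag bits: the constructed `spoofed_ack` packet, a student-sourced segment with ACK set and no matching session, is also permitted, so `established` is a convenience rather than a stateful check, and it does nothing for UDP or ICMP. The reflexive table permits only the mirrored 5-tuple of a flow that the staff side actually opened, so the spoofed ACK is denied. In the real configuration that means the ACL carrying `reflect staffreturn` must be applied on the interface the staff-to-student traffic crosses (outbound on Vlan20, or inbound on Vlan10), not merely defined.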
