03-24-2017 01:17 AM - edited 03-08-2019 09:53 AM
Hi,
Can you help me implement a server-to-server access list in the same VLAN? Can you give me a sample configuration? Please find the attached file for the sample network design.
Sample server-server access list in the same VLAN
Server #1 IP Address 192.168.1.1
Server #2 IP Address 192.168.1.2
Server #3 IP Address 192.168.1.3
Server #4 IP Address 192.168.1.4
This access-list sample shows what I want to configure in the same VLAN.
Scenario:
1.) Server #1 can access Server #2 but is denied access to Server #3 and Server #4
2.) Server #2 can access Server #3 but is denied access to Server #1 and Server #4
3.) Server #3 can access Server #1 and Server #2 but is denied access to Server #4
4.) Server #4 is denied access to Server #1, Server #2, and Server #3
Thanks in advance.
03-24-2017 01:47 AM
Hi
You should use a MAC ACL in the same VLAN: resolve the IPs to their MACs and block and permit them that way.
https://bizzard2000.wordpress.com/2012/04/05/mac-access-list-extended/
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/asr903/sec-data-acl-xe-3s-asr903-book/mac-access-control-lists.html#concept_A0793814F55647FBAE4B3A3E67E10DBB
mac access-list extended example
permit host 0042.68fc.fc20 host 0042.68fc.fc21
permit host 0042.68fc.fc21 host 0042.68fc.fc20
03-24-2017 02:13 AM
Hi Mark,
Thank you, I will try it in my test environment. I also have a follow-up question: can a MAC access-list also define port control, like eq www, eq 21, or eq
a. ) mac access-list extended
permit host 0042.68fc.fc20 host 0042.68fc.fc21 eq icmp
permit host 0042.68fc.fc21 host 0042.68fc.fc20 eq 8080
b. )
interface Vlan2
description *** Server Farm ***
ip address 192.168.1.200 255.255.255.0
ip access-group "mac access-list extended example" in
Is this correct?
Thanks
03-24-2017 02:34 AM
Hi
No, it would be like the doc example below. You can apply it to a layer 2 port, or layer 3 if your device supports it. There are also VACLs as another option.
You don't get the same eq options in MAC ACLs as in IP ACLs.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.html#pgfId-1148259
switch#configure terminal
switch(config)#mac access-list extended cisco
switch(config-ext-macl)#permit host 0011.abcd.abcd host 0011.1111.1111
switch(config-ext-macl)#exit
switch(config)#access-list 101 deny ip 10.10.1.0 0.0.0.255 host 10.10.2.2
switch(config)#access-list 101 permit ip any any
switch(config)#interface f0/23
switch(config-if)#switchport mode trunk
switch(config-if)#ip access-group 101 in
switch(config-if)#mac access-group cisco in
switch(config-if)#end
switch#show access-lists
switch#show access-group interface f0/23
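Added example, not from the thread or from either poster: the VACL option mentioned in the reply above, used to enforce the four-server scenario from the question with IP ACLs instead of MAC ACLs. The map name SERVER-FARM, the ACL names and VLAN 2 are assumptions; the server addresses are the ones given in the question.

```cisco
! Constructed example, not from the thread: a VLAN access map (VACL) that
! enforces the four-server scenario from the question on a Catalyst switch.
! A VACL filters all traffic bridged within the VLAN, so it sees server-to-
! server traffic inside 192.168.1.0/24 that never reaches the SVI.
! The names SERVER-FARM, SRV-ALLOWED, SRV-BLOCKED and VLAN 2 are assumptions.
!
! Permitted pairs: 1->2, 2->3, 3->1, 3->2. VACLs are stateless, so the reply
! direction of TCP sessions must be permitted as well: 2->3 and 3->2 already
! cover each other, the other two replies are allowed with "established".
ip access-list extended SRV-ALLOWED
 permit ip host 192.168.1.1 host 192.168.1.2
 permit ip host 192.168.1.2 host 192.168.1.3
 permit ip host 192.168.1.3 host 192.168.1.1
 permit ip host 192.168.1.3 host 192.168.1.2
 permit tcp host 192.168.1.2 host 192.168.1.1 established
 permit tcp host 192.168.1.1 host 192.168.1.3 established
!
! Every other packet sent from inside the subnet to one of the four servers
! (all of Server #4's traffic included) matches here and is dropped by clause 20.
ip access-list extended SRV-BLOCKED
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.2
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.3
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.4
!
! Clauses are checked in sequence order; a packet matches a clause when it
! hits a permit entry of the referenced ACL, and that clause's action applies.
vlan access-map SERVER-FARM 10
 match ip address SRV-ALLOWED
 action forward
vlan access-map SERVER-FARM 20
 match ip address SRV-BLOCKED
 action drop
! Clause 30 keeps all remaining traffic (to the gateway, off-subnet, non-IP)
! flowing; without it the VACL's implicit deny would drop unmatched IP packets.
vlan access-map SERVER-FARM 30
 action forward
!
vlan filter SERVER-FARM vlan-list 2
```

Because the map matches an IP ACL, the port restriction asked about in the follow-up (for example `eq 8080`) can be written as a tcp entry in SRV-ALLOWED, which a MAC ACL cannot express. Traffic from the SVI's own address to the servers also falls into clause 20, so add it to SRV-ALLOWED if the switch itself needs to reach them.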