VACL to limit server access

Dear All,

I am working on a scenario to limit access to servers as shown in the configuration below. I am running a big subnet, 192.168.8.1/21, and as soon as I apply this VACL all traffic in the VLAN gets stopped. How should I resolve this so that the rest of the VLAN users are not affected? Need help in this regard.

Talha

access-list 101 permit ip host 192.168.8.178 host 192.168.10.135
access-list 101 permit ip host 192.168.10.49 host 192.168.10.135
access-list 101 permit ip host 192.168.11.13 host 192.168.10.135
access-list 101 permit ip host 192.168.11.14 host 192.168.10.135

access-list 101 permit ip host 192.168.8.178 host 192.168.8.216
access-list 101 permit ip host 192.168.10.49 host 192.168.8.216
access-list 101 permit ip host 192.168.11.13 host 192.168.8.216
access-list 101 permit ip host 192.168.11.14 host 192.168.8.216

3750(conf)#vlan access-map SERVER_ACCESS 10
3750(config-access-map)#match ip address 101
3750(config-access-map)#action forward
3750(conf)#vlan access-map SERVER_ACCESS 20
3750(config-access-map)#action drop
3750(conf)#vlan filter SERVER_ACCESS vlan-list 1

Accepted Solutions

Re: VACL to limit server access

Hello

It looks like you are denying everything after that in your VACL stanza 20 statement.

Try the revised VACL below:

access-list 101 permit ip host 192.168.8.178 host 192.168.10.135
access-list 101 permit ip host 192.168.10.135 host 192.168.8.178
access-list 101 permit ip host 192.168.10.49 host 192.168.10.135
access-list 101 permit ip host 192.168.10.135 host 192.168.10.49
access-list 101 permit ip host 192.168.11.13 host 192.168.10.135
access-list 101 permit ip host 192.168.10.135 host 192.168.11.13
access-list 101 permit ip host 192.168.11.14 host 192.168.10.135
access-list 101 permit ip host 192.168.10.135 host 192.168.11.14
access-list 101 permit ip host 192.168.8.178 host 192.168.8.216
access-list 101 permit ip host 192.168.8.216 host 192.168.8.178
access-list 101 permit ip host 192.168.10.49 host 192.168.8.216
access-list 101 permit ip host 192.168.8.216 host 192.168.10.49
access-list 101 permit ip host 192.168.11.13 host 192.168.8.216
access-list 101 permit ip host 192.168.8.216 host 192.168.11.13
access-list 101 permit ip host 192.168.11.14 host 192.168.8.216
access-list 101 permit ip host 192.168.8.216 host 192.168.11.14

access-list 102 permit ip host 192.168.8.178 192.168.8.0 0.0.7.255
access-list 102 permit ip 192.168.8.0 0.0.7.255 host 192.168.8.178
access-list 102 permit ip host 192.168.10.49 192.168.8.0 0.0.7.255
access-list 102 permit ip 192.168.8.0 0.0.7.255 host 192.168.10.49
access-list 102 permit ip host 192.168.11.13 192.168.8.0 0.0.7.255
access-list 102 permit ip 192.168.8.0 0.0.7.255 host 192.168.11.13
access-list 102 permit ip host 192.168.11.14 192.168.8.0 0.0.7.255
access-list 102 permit ip 192.168.8.0 0.0.7.255 host 192.168.11.14

vlan access-map SERVER_ACCESS 10
match ip address 101  <-- this will permit the host-to-server communication within the VLAN
action forward

vlan access-map SERVER_ACCESS 20
match ip address 102  <-- this will deny the hosts' communication to any other hosts within the VLAN
action drop

vlan access-map SERVER_ACCESS 99  <-- this will permit all other communication within the VLAN

vlan filter SERVER_ACCESS vlan-list 1



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
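As an added worked example (not part of either post above), the following Python model evaluates the original VLAN map from the question and the revised map from the answer against a few constructed flows, so the difference between the two can be checked without a switch. It assumes the Catalyst VACL evaluation rules summarised in its docstring (entries tried in sequence order, first match decides, an entry with no match clause matches everything, default action forward, implicit drop for IP packets that match nothing when the map has an IP match clause, and both directions of a flow filtered). The ACEs are generated from the addresses in the thread; the 192.168.9.x addresses are made-up ordinary VLAN users.

```python
"""Model of Catalyst VLAN access-map (VACL) evaluation for the two maps in
this thread.  Added example; not from the original posts.

Semantics modelled (as I read the Catalyst 3750 configuration guide):
  * entries are tried in sequence-number order; the first entry whose match
    clause permits the packet decides the action
  * an entry with no match clause matches every packet
  * an entry with no action forwards
  * an IP packet matching no entry is dropped when the map has at least one
    IP match clause (implicit deny), otherwise forwarded
  * a VACL filters every packet bridged within the VLAN, in both directions,
    so return traffic needs its own ACEs
"""
import ipaddress

HOSTS = ["192.168.8.178", "192.168.10.49", "192.168.11.13", "192.168.11.14"]
SERVERS = ["192.168.10.135", "192.168.8.216"]
SUBNET = "192.168.8.0 0.0.7.255"

# ACL 101 as first posted: host -> server direction only.
ORIGINAL_ACL_TEXT = "\n".join(
    f"access-list 101 permit ip host {h} host {s}" for s in SERVERS for h in HOSTS)

# ACL 101 and 102 from the revised answer: both directions, plus 102 covering
# each listed host against the whole /21.
REVISED_ACL_TEXT = "\n".join(
    [f"access-list 101 permit ip host {a} host {b}"
     for s in SERVERS for h in HOSTS for a, b in ((h, s), (s, h))]
    + [f"access-list 102 permit ip host {h} {SUBNET}" for h in HOSTS]
    + [f"access-list 102 permit ip {SUBNET} host {h}" for h in HOSTS])

# (sequence, ACL number or None for "no match clause", action or None for default)
ORIGINAL_MAP = [(10, "101", "forward"), (20, None, "drop")]
REVISED_MAP = [(10, "101", "forward"), (20, "102", "drop"), (99, None, None)]


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr_spec(tokens, i):
    """Parse an IOS address spec at tokens[i]: 'host A', 'any' or 'A WILDCARD'.
    Returns ((base, wildcard), index_after)."""
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_acls(text):
    """Parse 'access-list N permit ip SRC DST' lines into {N: [(src, dst), ...]}.
    Only the permit-ip form used in the thread is handled."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACE: {line!r}")
        src, i = _addr_spec(t, 4)
        dst, _ = _addr_spec(t, i)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def _wildcard_match(addr, spec):
    base, wildcard = spec  # wildcard bit 1 = "don't care", as in IOS
    return (addr ^ base) & ~wildcard & 0xFFFFFFFF == 0


def acl_permits(aces, src, dst):
    s, d = _ip(src), _ip(dst)
    return any(_wildcard_match(s, a) and _wildcard_match(d, b) for a, b in aces)


def vacl_action(access_map, acls, src, dst):
    """Return 'forward' or 'drop' for an IP packet src -> dst under access_map."""
    entries = sorted(access_map)
    for _seq, acl_no, action in entries:
        if acl_no is None or acl_permits(acls[acl_no], src, dst):
            return action or "forward"
    has_ip_match = any(acl_no is not None for _, acl_no, _ in entries)
    return "drop" if has_ip_match else "forward"


def compare(src, dst):
    """(action under the original map, action under the revised map)."""
    return (vacl_action(ORIGINAL_MAP, parse_acls(ORIGINAL_ACL_TEXT), src, dst),
            vacl_action(REVISED_MAP, parse_acls(REVISED_ACL_TEXT), src, dst))


if __name__ == "__main__":
    # Constructed sample flows; 192.168.9.x addresses are arbitrary VLAN users.
    for src, dst, note in [
        ("192.168.8.178", "192.168.10.135", "listed host -> server"),
        ("192.168.10.135", "192.168.8.178", "server reply -> listed host"),
        ("192.168.9.10", "192.168.9.20", "two ordinary VLAN users"),
        ("192.168.8.178", "192.168.9.20", "listed host -> ordinary user"),
        ("192.168.9.10", "192.168.10.135", "unlisted host -> server"),
    ]:
        orig, rev = compare(src, dst)
        print(f"{note:30} original={orig:8} revised={rev}")
```

Running it shows the original map dropping everything except the eight listed host-to-server pairs, including the servers' replies, because the VACL also sees the return direction and the original ACL 101 has no reverse entries; the revised map forwards replies and ordinary user traffic. It also shows that under the revised map an unlisted host reaching one of the servers is forwarded by sequence 99, since ACL 102 constrains the four listed hosts rather than the two servers, so check that against the intended policy before deploying. On the switch, `show vlan access-map` and `show vlan filter` confirm what was applied.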