VACL to limit server access

Dear All,

I am working on a scenario to limit the access to servers, as mentioned in the configuration below. I am running a big subnet, 192.168.8.1/21; now, as soon as I apply this VACL, the whole VLAN's traffic gets stopped. How should I resolve this issue so that the rest of the VLAN users don't get affected? Need help in this regard.

Talha

access-list 101 permit ip host 192.168.8.178 host 192.168.10.135
access-list 101 permit ip host 192.168.10.49 host 192.168.10.135
access-list 101 permit ip host 192.168.11.13 host 192.168.10.135
access-list 101 permit ip host 192.168.11.14 host 192.168.10.135

access-list 101 permit ip host 192.168.8.178 host 192.168.8.216
access-list 101 permit ip host 192.168.10.49 host 192.168.8.216
access-list 101 permit ip host 192.168.11.13 host 192.168.8.216
access-list 101 permit ip host 192.168.11.14 host 192.168.8.216

3750(config)#vlan access-map SERVER_ACCESS 10
3750(config-access-map)#match ip address 101
3750(config-access-map)#action forward
3750(config)#vlan access-map SERVER_ACCESS 20
3750(config-access-map)#action drop
3750(config)#vlan filter SERVER_ACCESS vlan-list 1

Accepted Solution

Re: VACL to limit server access

Hello

It looks like you are denying everything after that in your VACL stanza 20 statement.

Try the revised vacl below:

access-list 101 permit ip host 192.168.8.178 host 192.168.10.135
access-list 101 permit ip host 192.168.10.135 host 192.168.8.178
access-list 101 permit ip host 192.168.10.49 host 192.168.10.135
access-list 101 permit ip host 192.168.10.135 host 192.168.10.49
access-list 101 permit ip host 192.168.11.13 host 192.168.10.135
access-list 101 permit ip host 192.168.10.135 host 192.168.11.13
access-list 101 permit ip host 192.168.11.14 host 192.168.10.135
access-list 101 permit ip host 192.168.10.135 host 192.168.11.14
access-list 101 permit ip host 192.168.8.178 host 192.168.8.216
access-list 101 permit ip host 192.168.8.216 host 192.168.8.178
access-list 101 permit ip host 192.168.10.49 host 192.168.8.216
access-list 101 permit ip host 192.168.8.216 host 192.168.10.49
access-list 101 permit ip host 192.168.11.13 host 192.168.8.216
access-list 101 permit ip host 192.168.8.216 host 192.168.11.13
access-list 101 permit ip host 192.168.11.14 host 192.168.8.216
access-list 101 permit ip host 192.168.8.216 host 192.168.11.14

access-list 102 permit ip host 192.168.8.178 192.168.8.0 0.0.7.255
access-list 102 permit ip 192.168.8.0 0.0.7.255 host 192.168.8.178
access-list 102 permit ip host 192.168.10.49 192.168.8.0 0.0.7.255
access-list 102 permit ip 192.168.8.0 0.0.7.255 host 192.168.10.49
access-list 102 permit ip host 192.168.11.13 192.168.8.0 0.0.7.255
access-list 102 permit ip 192.168.8.0 0.0.7.255 host 192.168.11.13
access-list 102 permit ip host 192.168.11.14 192.168.8.0 0.0.7.255
access-list 102 permit ip 192.168.8.0 0.0.7.255 host 192.168.11.14

vlan access-map SERVER_ACCESS 10
match ip address 101   <---------- this permits the host-to-server communication within the VLAN
action forward

vlan access-map SERVER_ACCESS 20
match ip address 102   <---------- this denies the hosts' communication to any other hosts within the VLAN
action drop

vlan access-map SERVER_ACCESS 99   <---------- this permits all other communication within the VLAN
action forward

vlan filter SERVER_ACCESS vlan-list 1



kind regards
Paul

Please don't forget to rate any posts that have been helpful.
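The following is an added example, not code from either post in this thread. It simulates how a Catalyst switch evaluates a VLAN access-map for IP packets (first matching sequence wins; inside the referenced ACL a permit means "match", a deny or the implicit deny means "fall through to the next sequence"; a sequence with no match clause matches everything; an IP packet that matches no sequence is dropped; and the map is not directional, so a server's reply is evaluated as its own packet). It regenerates ACL 101 and 102 from the host and server addresses in the thread (same ACEs as Paul's revision, generated in a different order, which does not matter for permit-only ACLs) and runs both Talha's original map and Paul's revised map over a handful of constructed flows. The gateway address 192.168.8.1 is assumed from the /21 in the question; 192.168.9.20 (an ordinary user in the VLAN) and 8.8.8.8 are made up for the example. Only IP packets are modelled; there is no MAC clause.

```python
"""Simulate Catalyst VLAN access-map (VACL) evaluation for the ACLs in this thread.

VACL semantics modelled (documented Catalyst behaviour, IP packets only):
first matching map entry wins; inside the ACL 'permit' means "match" while
'deny' (and the implicit deny) means "fall through to the next entry"; an entry
with no match clause matches everything; an IP packet matching no entry is
dropped; and the map is not directional, so a reply is evaluated on its own.
"""
import ipaddress

WILD_ANY = 0xFFFFFFFF
# Hosts and servers from the thread. The gateway 192.168.8.1 is assumed from
# the /21 in the question; 192.168.9.20 is a made-up ordinary user in the VLAN.
RESTRICTED = ["192.168.8.178", "192.168.10.49", "192.168.11.13", "192.168.11.14"]
SERVERS = ["192.168.10.135", "192.168.8.216"]
VLAN_21 = "192.168.8.0 0.0.7.255"

def parse_addr_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, WILD_ANY
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acls(config_text):
    """Parse 'access-list N permit|deny ip <src> <dst>' lines into {N: [ACEs]}."""
    acls = {}
    for line in config_text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue  # blank line or '!' comment
        number, action = int(tokens[1]), tokens[2]
        assert tokens[3] == "ip", "only plain 'ip' ACEs are modelled"
        rest = tokens[4:]
        src = parse_addr_spec(rest)
        dst = parse_addr_spec(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls

def spec_matches(addr, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    return ((addr ^ base) & ~wildcard & WILD_ANY) == 0

def acl_matches(acl, src, dst):
    """VACL view of an ACL: True only if the first ACE hit is a permit."""
    for action, src_spec, dst_spec in acl:
        if spec_matches(src, src_spec) and spec_matches(dst, dst_spec):
            return action == "permit"
    return False  # implicit deny = no match, try the next map entry

def evaluate_vacl(access_map, acls, src_ip, dst_ip):
    """Return 'forward' or 'drop'; access_map = [(seq, acl_number|None, action)]."""
    src, dst = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for _seq, acl_number, action in sorted(access_map, key=lambda e: e[0]):
        if acl_number is None or acl_matches(acls[acl_number], src, dst):
            return action
    return "drop"  # end of map with no match: Catalyst drops the IP packet

def build_acls(bidirectional):
    """Generate ACL 101 (and, for the fix, 102) from the host lists above."""
    lines = []
    for host in RESTRICTED:
        for server in SERVERS:
            lines.append(f"access-list 101 permit ip host {host} host {server}")
            if bidirectional:  # Paul's fix: the server's replies must match too
                lines.append(f"access-list 101 permit ip host {server} host {host}")
    if bidirectional:  # ACL 102: restricted host <-> anything else in the /21
        for host in RESTRICTED:
            lines.append(f"access-list 102 permit ip host {host} {VLAN_21}")
            lines.append(f"access-list 102 permit ip {VLAN_21} host {host}")
    return parse_acls("\n".join(lines))

# Talha's map: anything not in 101 reaches sequence 20 and is dropped
ORIGINAL_ACLS = build_acls(False)
ORIGINAL_MAP = [(10, 101, "forward"), (20, None, "drop")]
# Paul's map: sequence 20 only drops the restricted hosts' other intra-VLAN traffic
REVISED_ACLS = build_acls(True)
REVISED_MAP = [(10, 101, "forward"), (20, 102, "drop"), (99, None, "forward")]

SAMPLE_FLOWS = [  # (label, src, dst), constructed for this example
    ("client->server", "192.168.8.178", "192.168.10.135"),
    ("server->client reply", "192.168.10.135", "192.168.8.178"),
    ("other user->gateway", "192.168.9.20", "192.168.8.1"),
    ("restricted->other user", "192.168.8.178", "192.168.9.20"),
    ("other user->restricted", "192.168.9.20", "192.168.8.178"),
    ("restricted->off-VLAN via gateway", "192.168.8.178", "8.8.8.8"),
]

def compare(flows=SAMPLE_FLOWS):
    """Evaluate each flow under both maps -> {label: (original, revised)}."""
    return {label: (evaluate_vacl(ORIGINAL_MAP, ORIGINAL_ACLS, s, d),
                    evaluate_vacl(REVISED_MAP, REVISED_ACLS, s, d))
            for label, s, d in flows}

if __name__ == "__main__":
    for label, (orig, rev) in compare().items():
        print(f"{label:34} original={orig:8} revised={rev}")
```

Run stand-alone it prints one line per flow. Under the original map every flow except the four permitted client-to-server directions is dropped, including the servers' own replies and an ordinary user talking to the gateway, which is exactly the "whole VLAN stops" symptom. Under the revised map the replies and the other users are forwarded and the four restricted hosts can only reach the two servers inside the VLAN. The last flow shows a limit of the revised ACL 102 worth knowing before relying on it: it only covers destinations inside 192.168.8.0/21, so a packet from a restricted host to an address outside the VLAN falls through to sequence 99 and is forwarded towards the gateway; if those hosts must not leave the VLAN either, that has to be enforced on the SVI or router ACL, not in this VACL. On the switch itself, `show vlan access-map` and `show vlan filter` confirm the map contents and which VLANs it is applied to.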