05-01-2019 01:37 AM - edited 05-03-2019 01:50 AM
05-01-2019 01:58 AM - edited 05-01-2019 01:59 AM
Hello
A simple RACL applied to switch 0 should be sufficient.
access-list 100 deny ip any host 172.16.15.10
access-list 100 permit ip any any
int vlan 60
ip access-group 100 in
int vlan 80
ip access-group 100 in
05-01-2019 01:54 AM
I don't have PT so can't open your file, but what you need is an ACL placed on the CRM SVI in the outbound direction.
Something like:
!
ip access-list ext CRM_ACL
 ! deny VLAN60
 deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
 ! deny VLAN80
 deny ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip any any
!
int vlan 300
 desc CRM
 ip access-group CRM_ACL out
!
where 192.168.1.0/24 is VLAN60
192.168.2.0/24 is VLAN80
192.168.20.0/24 is the CRM VLAN
cheers,
Seb.
05-01-2019 02:06 AM - edited 05-01-2019 02:07 AM
Hello @Seb Rupik
As you cannot see the topology, I just thought I'd let you know, mate: it looks like the L3 SVIs are separated via a router, so denying the traffic at the source of the CRM would indeed deny the traffic; however, that traffic would need to traverse the network prior to it being denied.
05-01-2019 02:12 AM
Hi Paul,
Thank you very much for your response. When you say switch 0 - do you mean the multilayer switch 0?
Thanks
05-01-2019 02:14 AM - edited 05-01-2019 02:16 AM
Hello
Yes, apologies, I should have been clearer in my post! Basically, you are denying initiated traffic from these VLANs towards that CRM device before it can traverse the network.
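An added example, not written by anyone in the thread: a small first-match ACL evaluator that runs both suggested ACLs over the same packet to show where it is dropped and how the scope of the two rule sets differs. It assumes Seb's placeholder subnets, a constructed CRM host 192.168.20.10 standing in for 172.16.15.10, and a simplified three-hop path.

```python
import ipaddress

def _spec(tok):
    """Consume one address spec from tok; return (base, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse_ace(line):
    """Parse '<permit|deny> ip <src spec> <dst spec>'."""
    tok = line.split()
    action = tok.pop(0)
    tok.pop(0)  # protocol keyword; only 'ip' is handled here
    return action, _spec(tok), _spec(tok)

def matches(addr, spec):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def evaluate(acl, src, dst):
    """First matching entry wins; a populated ACL ends in an implicit deny."""
    for action, s, d in map(parse_ace, acl):
        if matches(src, s) and matches(dst, d):
            return action
    return "deny"

def drop_point(path, src, dst):
    """path is an ordered list of (hop, acl or None); return the dropping hop or None."""
    for hop, acl in path:
        if acl is not None and evaluate(acl, src, dst) == "deny":
            return hop
    return None

CRM_HOST = "192.168.20.10"  # constructed address, not from the thread
SOURCE_ACL = [f"deny ip any host {CRM_HOST}", "permit ip any any"]
CRM_ACL = ["deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255",
           "deny ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255",
           "permit ip any any"]
# Simplified path for a VLAN 60 host: source SVI in, router, CRM SVI out.
PATH_INBOUND = [("vlan 60 in", SOURCE_ACL), ("router", None), ("vlan 300 out", None)]
PATH_OUTBOUND = [("vlan 60 in", None), ("router", None), ("vlan 300 out", CRM_ACL)]

if __name__ == "__main__":
    for name, path in (("inbound at source", PATH_INBOUND), ("outbound at CRM", PATH_OUTBOUND)):
        print(name, "->", drop_point(path, "192.168.1.25", CRM_HOST))
```

The same packet is dropped at the first hop with the source-side ACL and at the last hop with the CRM-side ACL. The host-based entry leaves other addresses in the CRM subnet reachable, while the subnet-based entries leave the CRM reachable from sources outside VLAN 60 and VLAN 80.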