vlan access-list

Unanswered Question

I have these requirements:

deny web traffic from 192.168.10.0/24 to subnet 10.10.100.0

permit web traffic from 192.168.0.0/8 to subnet 10.10.100.0

permit any other ip traffic from my pod to 10.10.100.0

Don't use deny, use just PERMIT.

Please adjust this entry if I made a mistake:

ip access-list extended ACL-ACL
 permit tcp 192.168.128.0 0.0.127.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.64.0 0.0.63.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.32.0 0.0.31.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.16.0 0.0.15.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.12.0 0.0.3.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.11.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.8.0 0.0.1.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.0.0 0.0.7.255 10.10.100.0 0.0.0.255 eq 80
 permit ip 192.168.0.0 0.0.255.255 10.10.100.0 0.0.0.255

int vlan 100
 ip access-group ACL-ACL in

Edison Ortiz Thu, 11/22/2007 - 12:46

The last entry on the ACL

permit ip 192.168.0.0 0.0.255.255 10.10.100.0 0.0.0.255

will break this requirement:

deny web traffic from 192.168.10.0/24 to subnet 10.10.100.0


I believe the task is steering you to implement Vlan ACLs instead of IPv4 ACLs.


With Vlan ACLs, you can configure ACL entries with permit but with a drop action under the Vlan Map.


For more information, please see:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12240se/scg/swacl.htm#wp1600210



Edison Ortiz Thu, 11/22/2007 - 13:02

As I stated, the last entry will break the requirement.


permit ip will allow web traffic and any other type of ip traffic. The requirements say to deny it.

Hello,

I have some doubt about these statements:

permit tcp 192.168.12.0 0.0.3.255 10.10.100.0 0.0.0.255 eq 80

permit tcp 192.168.11.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 80

permit tcp 192.168.8.0 0.0.1.255 10.10.100.0 0.0.0.255 eq 80

permit tcp 192.168.0.0 0.0.7.255 10.10.100.0 0.0.0.255 eq 80

Any clarification?

Thanks
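Added worked example (not part of the thread, and not Cisco's code): a small Python script, using only the standard library, that (a) regenerates the eight permit-only entries by computing the complement of 192.168.10.0/24 inside 192.168.0.0/16, which answers the doubt about where the 0.0.3.255, 0.0.1.255 and 0.0.7.255 wildcards come from, and (b) evaluates the posted ACL with first-match semantics to show Edison's point that the trailing permit ip line lets web traffic from 192.168.10.0/24 through. The addresses 192.168.10.5, 192.168.11.5 and 10.10.100.7 are constructed test values; the ACL text is copied from the question.

```python
import ipaddress

# Constructed inputs taken from the thread: the source range the posted ACL
# covers (192.168.0.0/16), the subnet whose web traffic must be excluded,
# and the destination subnet.
PARENT = ipaddress.ip_network("192.168.0.0/16")
EXCLUDED = ipaddress.ip_network("192.168.10.0/24")
DEST = ipaddress.ip_network("10.10.100.0/24")

# The ACL exactly as posted in the question (permit-only entries).
POSTED_ACL = [
    "permit tcp 192.168.128.0 0.0.127.255 10.10.100.0 0.0.0.255 eq 80",
    "permit tcp 192.168.64.0 0.0.63.255 10.10.100.0 0.0.0.255 eq 80",
    "permit tcp 192.168.32.0 0.0.31.255 10.10.100.0 0.0.0.255 eq 80",
    "permit tcp 192.168.16.0 0.0.15.255 10.10.100.0 0.0.0.255 eq 80",
    "permit tcp 192.168.12.0 0.0.3.255 10.10.100.0 0.0.0.255 eq 80",
    "permit tcp 192.168.11.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 80",
    "permit tcp 192.168.8.0 0.0.1.255 10.10.100.0 0.0.0.255 eq 80",
    "permit tcp 192.168.0.0 0.0.7.255 10.10.100.0 0.0.0.255 eq 80",
    "permit ip 192.168.0.0 0.0.255.255 10.10.100.0 0.0.0.255",
]


def wildcard(net):
    """Cisco wildcard mask for a prefix: the inverted netmask (/24 -> 0.0.0.255)."""
    return str(net.hostmask)


def permit_web_lines(parent, excluded, dest):
    """Generate permit-only 'eq 80' entries covering parent minus excluded.

    address_exclude() yields the complementary prefixes (the same split the
    poster did by hand); sorting descending reproduces the posted order."""
    return [
        f"permit tcp {net.network_address} {wildcard(net)} "
        f"{dest.network_address} {wildcard(dest)} eq 80"
        for net in sorted(parent.address_exclude(excluded), reverse=True)
    ]


def wildcard_to_network(addr, wc):
    """Turn 'address wildcard' back into a prefix (contiguous wildcards only)."""
    wc_int = int(ipaddress.ip_address(wc))
    if wc_int != (1 << wc_int.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wc} not supported")
    return ipaddress.ip_network(f"{addr}/{32 - wc_int.bit_length()}", strict=False)


def parse_entry(line):
    """Split one extended-ACL entry into (action, proto, src_net, dst_net, dport)."""
    p = line.split()
    dport = int(p[7]) if len(p) > 7 and p[6] == "eq" else None
    return p[0], p[1], wildcard_to_network(p[2], p[3]), wildcard_to_network(p[4], p[5]), dport


def describe_source(line):
    """First and last source address an entry matches (0.0.3.255 -> a /22, etc.)."""
    _, _, src, _, _ = parse_entry(line)
    return str(src[0]), str(src[-1])


def evaluate(acl, src_ip, dst_ip, proto, dport=None):
    """First-match evaluation of an IPv4 ACL, ending in the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, ent_proto, src, dst, ent_port = parse_entry(line)
        if ent_proto != "ip" and ent_proto != proto:
            continue
        if s not in src or d not in dst:
            continue
        if ent_port is not None and ent_port != dport:
            continue
        return action, line
    return "deny", "implicit deny"


if __name__ == "__main__":
    # The computed complement is exactly the eight tcp lines from the question.
    assert permit_web_lines(PARENT, EXCLUDED, DEST) == POSTED_ACL[:-1]
    for line in POSTED_ACL[:-1]:
        print(line, "->", describe_source(line))
    # Web traffic from the excluded subnet, without and with the final permit ip.
    print(evaluate(POSTED_ACL[:-1], "192.168.10.5", "10.10.100.7", "tcp", 80))
    print(evaluate(POSTED_ACL, "192.168.10.5", "10.10.100.7", "tcp", 80))
```

Running it prints the address range behind each wildcard (192.168.12.0 0.0.3.255 is 192.168.12.0 through 192.168.15.255, and the four doubted lines together cover 192.168.0.0 through 192.168.15.255 except 192.168.10.0/24) and then shows that web traffic from 192.168.10.5 hits the implicit deny with the eight tcp lines alone but is permitted as soon as the trailing permit ip line is present.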
