vlan access-list


I have these requirements:

deny web traffic from 192.168.10.0/24 to subnet 10.10.100.0

permit web traffic from 192.168.0.0/8 to subnet 10.10.100.0

permit any other IP traffic from my pod to 10.10.100.0

Don't use deny, use just PERMIT.

Please adjust this entry if I made a mistake.

ip access-list extended ACL-ACL
 ! web (tcp/80) from every 192.168.x.x range except 192.168.10.0/24
 permit tcp 192.168.128.0 0.0.127.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.64.0 0.0.63.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.32.0 0.0.31.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.16.0 0.0.15.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.12.0 0.0.3.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.11.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.8.0 0.0.1.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.0.0 0.0.7.255 10.10.100.0 0.0.0.255 eq 80
 ! any other IP traffic from 192.168.0.0/16
 permit ip 192.168.0.0 0.0.255.255 10.10.100.0 0.0.0.255
!
interface Vlan100
 ip access-group ACL-ACL in

Edison Ortiz Thu, 11/22/2007 - 12:46

The last entry on the ACL

permit ip 192.168.0.0 0.0.255.255 10.10.100.0 0.0.0.255

will break this requirement:

deny web traffic from 192.168.10.0/24 to subnet 10.10.100.0

I believe the task is steering you to implement VLAN ACLs instead of IPv4 ACLs.

With VLAN ACLs, you can configure ACL entries with permit but with a drop action under the VLAN map.

For more information, please see:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12240se/scg/swacl.htm#wp1600210
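Added example, not part of the original thread or of any Cisco documentation: a small first-match evaluator for IOS-style extended ACLs and VLAN access-maps. It parses the poster's ACL-ACL unchanged and shows that the trailing "permit ip 192.168.0.0 0.0.255.255" line is the entry that matches web traffic from 192.168.10.0/24, then parses an assumed VLAN-map version in which every ACE is a permit and the drop comes from the access-map action. The names WEB-FROM-10, EVERYTHING-ELSE and VACL-100 are hypothetical, and the "any other traffic" range is assumed to be the 192.168.0.0/16 the poster's own last line uses.

```python
"""
Added example (not from the original thread): first-match evaluation of
IOS-style extended ACLs and VLAN access-maps, used to check the poster's
ACL against the requirement and to show how a VLAN map turns a "permit"
ACE into a drop without any "deny" statement.
"""
import ipaddress

# Constructed copy of the ACL from the question, content unchanged.
POSTER_CONFIG = """
ip access-list extended ACL-ACL
 permit tcp 192.168.128.0 0.0.127.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.64.0 0.0.63.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.32.0 0.0.31.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.16.0 0.0.15.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.12.0 0.0.3.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.11.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.8.0 0.0.1.255 10.10.100.0 0.0.0.255 eq 80
 permit tcp 192.168.0.0 0.0.7.255 10.10.100.0 0.0.0.255 eq 80
 permit ip 192.168.0.0 0.0.255.255 10.10.100.0 0.0.0.255
"""

# Assumed VLAN-ACL design (hypothetical names). Only "permit" ACEs are used;
# the drop is the access-map action. Entries are walked in sequence order, so
# the specific web flow must come before the catch-all forward, and the final
# "permit ip any any" keeps the map's implicit drop from hitting other traffic.
VACL_CONFIG = """
ip access-list extended WEB-FROM-10
 permit tcp 192.168.10.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 80
ip access-list extended EVERYTHING-ELSE
 permit ip any any
vlan access-map VACL-100 10
 match ip address WEB-FROM-10
 action drop
vlan access-map VACL-100 20
 match ip address EVERYTHING-ELSE
 action forward
vlan filter VACL-100 vlan-list 100
"""


def _net(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A Cisco wildcard bit set to 1 means "don't care"; invert it to get the netmask.
    mask = (~int(ipaddress.IPv4Address(tokens[i + 1]))) & 0xFFFFFFFF
    net = ipaddress.ip_network((tokens[i], str(ipaddress.IPv4Address(mask))), strict=False)
    return net, i + 2


def parse_config(text):
    """Return ({acl_name: [ace, ...]}, [access-map entry, ...]) in sequence order."""
    acls, vmap, cur_acl, cur_entry = {}, [], None, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            cur_acl = acls.setdefault(t[3], [])
        elif t[0] in ("permit", "deny"):
            src, i = _net(t, 2)
            dst, i = _net(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            cur_acl.append({"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": port})
        elif t[:2] == ["vlan", "access-map"]:
            cur_entry = {"seq": int(t[3]), "match": None, "action": None}
            vmap.append(cur_entry)
        elif t[:3] == ["match", "ip", "address"]:
            cur_entry["match"] = t[3]
        elif t[0] == "action":
            cur_entry["action"] = t[1]
    return acls, sorted(vmap, key=lambda e: e["seq"])


def packet(src, dst, proto="tcp", dport=80):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport}


def acl_lookup(acl, pkt):
    """First matching ACE wins; falling off the end is the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if pkt["src"] not in ace["src"] or pkt["dst"] not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
            continue
        return ace["action"], ace
    return "deny", None


def vacl_lookup(acls, vmap, pkt):
    """The first map entry whose match ACL permits the packet supplies the
    action; a packet no entry matches is dropped."""
    for entry in vmap:
        if acl_lookup(acls[entry["match"]], pkt)[0] == "permit":
            return entry["action"]
    return "drop"


def compare():
    """Decision for web traffic 192.168.10.5 -> 10.10.100.7:80 under both designs."""
    acls, _ = parse_config(POSTER_CONFIG)
    vacls, vmap = parse_config(VACL_CONFIG)
    web_from_10 = packet("192.168.10.5", "10.10.100.7")
    action, ace = acl_lookup(acls["ACL-ACL"], web_from_10)
    return {"ios_acl": action,
            "matched_src": str(ace["src"]) if ace else None,
            "vacl": vacl_lookup(vacls, vmap, web_from_10)}


if __name__ == "__main__":
    print(compare())
```

Running it reports that the interface ACL permits the 192.168.10.0/24 web flow through the 192.168.0.0/16 entry, while the VLAN map drops it and still forwards web traffic from 192.168.11.0/24 and non-web traffic from 192.168.10.0/24. The evaluator covers only the syntax used here (any, host, address plus wildcard, eq PORT) and models the match logic, not platform details of where a VACL is applied.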

Edison Ortiz Thu, 11/22/2007 - 13:02

As I stated, the last entry will break the requirement.

permit ip will allow web traffic and any other type of ip traffic. The requirements say to deny it.
