02-06-2008 08:05 AM - edited 03-05-2019 08:58 PM
Hi.
I would like to only allow some traffic between a couple of servers on a VLAN and on a remote site, and block the other traffic.
For example, if I do:
access-list 180 permit ip host 10.1.1.1 host 10.2.2.2
and
interface Vlan599
ip access-group 180 in
Imagine that 10.1.1.1 is a member of my servers VLAN.
Imagine that VLAN 599 is where my router is connected, to reach 10.2.2.2.
As far as I understand, this ACL will only allow 10.1.1.1 to connect to 10.2.2.2.
Will that block 10.2.2.2 from connecting to 10.1.1.1,
or do I need another ACL like:
access-list 181 permit ip host 10.2.2.2 host 10.1.1.1
interface Vlan599
ip access-group 181 out
?
Thanks.
02-06-2008 10:07 AM
No, you don't need another ACL.
VLANs allow traffic through by default. Your "ip access-group 180 in" should work just fine.
02-07-2008 01:03 AM
OK.
How about if I have another host, 10.2.2.3, on the remote site?
Will the traffic be blocked from 10.1.1.1 to 10.2.2.3 as well?
02-07-2008 01:31 AM
Hi
Not sure I fully understand your topology.
Is VLAN 599 the VLAN where 10.2.2.2 lives, or 10.1.1.1?
If it is 10.2.2.2 then your access-list applied on the VLAN 599 interface inbound will have no effect, i.e.
your access-list says permit ip (presumably) from 10.1.1.1 to 10.2.2.2.
If VLAN 599 is the VLAN for 10.1.1.1 then it will work fine. But if VLAN 599 is the VLAN for 10.2.2.2 then it will actually block the return traffic, and it will do this because of the implicit deny at the end of access-list 180: the return traffic is
source 10.2.2.2, destination 10.1.1.1, which doesn't match "access-list 180 permit ip host 10.1.1.1 host 10.2.2.2". However, there is an implicit deny at the end of access-list 180, so it will be dropped.
So if VLAN 599 is the VLAN for 10.2.2.2 you need to apply ACL 180 inbound on the VLAN interface that connects to 10.1.1.1.
Does this make sense?
Jon
02-07-2008 01:41 AM
OK, let me clarify.
10.1.1.1 is in vlan 599
source is 10.1.1.1
destinations are 10.2.2.2 and 10.2.2.3
My ACL is:
access-list 180 permit ip host 10.1.1.1 host 10.2.2.2
interface Vlan599
ip access-group 180 in
So,
1) Do I need:
access-list 180 permit ip host 10.2.2.2 host 10.1.1.1 to allow the return traffic?
2) Do I need to do something on my ACL to deny traffic from 10.2.2.2 to 10.1.1.1?
02-07-2008 01:48 AM
1) No, you don't, because ACL 180 is only applied inbound on interface Vlan599. So when the return traffic comes back from 10.2.2.2 it will be outbound traffic on VLAN 599, and as you don't have an ACL in the outbound direction you will be fine.
2) Do you mean 10.2.2.3 and not 10.2.2.2, because I thought you wanted to allow traffic to and from 10.2.2.2?
Assuming 10.2.2.3:
If all your access-list 180 says is
access-list 180 permit ip host 10.1.1.1 host 10.2.2.2
then you have an implicit deny at the end of the ACL, so in effect all traffic from VLAN 599 will be blocked except traffic from 10.1.1.1 to 10.2.2.2.
If this is not what you want:
access-list 180 deny ip host 10.1.1.1 host 10.2.2.3
access-list 180 permit ip any any
i.e. only stop traffic from VLAN 599 to 10.2.2.3.
If you want to actually stop 10.2.2.3 from initiating a connection to 10.1.1.1, then
access-list 181 deny ip host 10.2.2.3 host 10.1.1.1
access-list 181 permit ip any any
and apply it to the interface that 10.2.2.3 lives on, e.g.
interface Vlan600
ip access-group 181 in
HTH
Jon
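To make the answer above concrete, here is a small model of how IOS evaluates a numbered extended ACL: first match wins, an implicit "deny ip any any" ends every list, and a packet is only checked against the ACL bound inbound on its ingress interface and outbound on its egress interface. This is an added example, not code from the thread or from Cisco; the ACLs 180 and 181 and interface Vlan599 follow the thread, while Vlan600 for the 10.2.2.0/24 side, the routing table and the sample packets are constructed assumptions. It shows why the reply from 10.2.2.2 is not blocked with only ACL 180 applied, why 10.1.1.1 to 10.2.2.3 falls into the implicit deny, and that 10.2.2.3 can still initiate a connection to 10.1.1.1 until ACL 181 is applied inbound on its own VLAN.

```python
"""Toy model of Cisco IOS extended ACL evaluation (added example, not
vendor code).  Topology and packets below are constructed for the
thread's scenario: 10.1.1.0/24 on Vlan599, 10.2.2.0/24 on Vlan600
(Vlan600 is an assumption)."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
ALL_ONES = 0xFFFFFFFF


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol
    src: tuple    # (address, wildcard) as ints
    dst: tuple


def _addr_spec(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return (0, ALL_ONES), i + 1
    if tok[i] == "host":
        return (int(IPv4(tok[i + 1])), 0), i + 2
    return (int(IPv4(tok[i])), int(IPv4(tok[i + 1]))), i + 2


def parse_acls(config):
    """Return {acl_number: [Ace, ...]} from 'access-list N permit|deny proto src dst' lines."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        src, i = _addr_spec(tok, 4)
        dst, _ = _addr_spec(tok, i)
        acls.setdefault(tok[1], []).append(Ace(tok[2], tok[3], src, dst))
    return acls


def _matches(addr, spec):
    base, wild = spec
    care = ~wild & ALL_ONES          # wildcard bit 1 means "don't care"
    return addr & care == base & care


def evaluate(acl, src, dst, proto="ip"):
    """First-match evaluation; the implicit deny applies when nothing matches."""
    s, d = int(IPv4(src)), int(IPv4(dst))
    for ace in acl:
        if ace.proto in ("ip", proto) and _matches(s, ace.src) and _matches(d, ace.dst):
            return ace.action
    return "deny"


ROUTES = {"10.1.1.0/24": "Vlan599", "10.2.2.0/24": "Vlan600"}  # constructed


def _interface_of(ip):
    for net, iface in ROUTES.items():
        if IPv4(ip) in ipaddress.ip_network(net):
            return iface
    raise ValueError(f"no route for {ip}")


def forwards(acls, bindings, src, dst, proto="ip"):
    """bindings: {(interface, 'in'|'out'): acl_number}.  The packet crosses the
    ingress interface inbound and the egress interface outbound; an interface
    with no ACL in that direction passes everything (stateless, per packet)."""
    for key in ((_interface_of(src), "in"), (_interface_of(dst), "out")):
        num = bindings.get(key)
        if num is not None and evaluate(acls[num], src, dst, proto) == "deny":
            return False
    return True


CONFIG = """
access-list 180 permit ip host 10.1.1.1 host 10.2.2.2
access-list 181 deny ip host 10.2.2.3 host 10.1.1.1
access-list 181 permit ip any any
"""
ACLS = parse_acls(CONFIG)
ONLY_180 = {("Vlan599", "in"): "180"}
WITH_181 = {("Vlan599", "in"): "180", ("Vlan600", "in"): "181"}

if __name__ == "__main__":
    for label, bind in (("ACL 180 only", ONLY_180), ("ACL 180 + ACL 181", WITH_181)):
        print(label)
        for s, d in (("10.1.1.1", "10.2.2.2"), ("10.2.2.2", "10.1.1.1"),
                     ("10.1.1.1", "10.2.2.3"), ("10.2.2.3", "10.1.1.1")):
            print(f"  {s} -> {d}: {'permit' if forwards(ACLS, bind, s, d) else 'deny'}")
```

The model is deliberately stateless, like a plain IOS ACL: the reply from 10.2.2.2 is permitted not because the router tracks the connection but because no ACL sits in its path. That is also why, with only ACL 180 applied, 10.2.2.3 can open a connection to 10.1.1.1; the second binding in the example is what closes that direction.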
02-08-2008 02:50 AM
Hi
OK, thanks.
Last one:
Is it possible to put two different access-groups on an interface?
interface FastEthernet0/0
ip access-group 180 out
ip access-group 190 in
?
02-08-2008 02:54 AM
Yes, you can have one inbound and one outbound access-list on an interface.
Jon