12-03-2008 07:53 AM - edited 03-04-2019 12:35 AM
Hi, I have different VLANs on my network and inter-VLAN routing is working fine. In VLAN 103 there are different servers; I only want certain IPs to telnet to these servers within VLAN 103. How can I do that?
Thanks
12-03-2008 08:03 AM
Waseem
Use an outbound ACL on the VLAN 103 interface, e.g.
ips allowed to telnet to servers = 192.168.5.10, 11
ips of servers = 172.16.5.3, 4
access-list 101 permit tcp host 192.168.5.10 host 172.16.5.3 eq telnet
access-list 101 permit tcp host 192.168.5.10 host 172.16.5.4 eq telnet
access-list 101 permit tcp host 192.168.5.11 host 172.16.5.3 eq telnet
access-list 101 permit tcp host 192.168.5.11 host 172.16.5.4 eq telnet
access-list 101 deny tcp any host 172.16.5.3 eq telnet
access-list 101 deny tcp any host 172.16.5.4 eq telnet
access-list 101 permit ip any any
Note the last line: without it, all other non-telnet traffic going to servers on VLAN 103 would be dropped.
int vlan 103
ip access-group 101 out
Jon
12-03-2008 09:45 PM
Hi Jon,
My problem is that I want to restrict users within the same VLAN too. Only certain IPs should be allowed to telnet to the servers. Those IPs are in the same VLAN, i.e. VLAN 103, and the servers are also on VLAN 103.
Thanks
12-03-2008 10:00 PM
What device are you using as your switch?
Jon
12-03-2008 10:10 PM
Waseem,
Assuming you're using an MLS:
For restricting access within the same VLAN, you'll need to configure a VLAN access-map.
For example, let's say on VLAN 103 you don't want the host 192.168.10.2 to telnet to the server 192.168.10.1.
! configure ACLs
access-list 101 permit tcp host 192.168.10.2 host 192.168.10.1 eq telnet
access-list 1 permit any
! configure the VLAN access-map (the map name "no_telnet" is an example name)
vlan access-map no_telnet 10
match ip address 101
action drop
vlan access-map no_telnet 20
match ip address 1
action forward
! apply the VLAN filter to vlan 103
vlan filter no_telnet vlan-list 103
HTH
Lejoe
12-03-2008 11:25 PM
Hi Lejoe,
My scenario is a bit different: I only want two IPs to telnet to the server, and the rest of the IPs to access the server as they do normally. The IPs which telnet to the server will also access the server for other services.
12-04-2008 01:04 AM
Hi Waseem,
In that case, all you have to do is write the appropriate access-lists.
Pseudo code would be:
1) Access-list for IPs that require telnet traffic (use an extended access-list to specify the
traffic type, i.e. telnet access), e.g. 101
2) Access-list matching all other IPs requiring normal access, e.g. 102
! VACL pseudo code
vlan access-map XXXXX 10
match ip address 101
action forward
vlan access-map XXXXX 20
match ip address 102
action forward
Because of the implicit deny at the end of the VACL, your requirement is achieved.
HTH
Lejoe
12-04-2008 03:01 AM
Hi,
The access-list matching all other traffic, i.e. "102", will also be able to telnet, but it should not be allowed to telnet. Access-list 102 should not be allowed to telnet but should be able to do everything except telnet. How can I accomplish this?
Thanks
12-04-2008 03:17 AM
Waseem
hosts allowed to telnet to servers = 192.168.5.10, 11
servers that allow telnet = 192.168.5.3, 4
access-list 101 permit tcp host 192.168.5.10 host 192.168.5.3 eq telnet
access-list 101 permit tcp host 192.168.5.10 host 192.168.5.4 eq telnet
access-list 101 permit tcp host 192.168.5.11 host 192.168.5.3 eq telnet
access-list 101 permit tcp host 192.168.5.11 host 192.168.5.4 eq telnet
access-list 102 deny tcp 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255 eq telnet
access-list 103 permit ip any any
vlan access-map filter_1 10
match ip address 101
action forward
vlan access-map filter_1 20
match ip address 102
action drop
vlan access-map filter_1 30
match ip address 103
action forward
! apply the access-map to VLAN 103
vlan filter filter_1 vlan-list 103
Jon
12-04-2008 03:51 AM
Waseem
Appreciate the rating, but I made a typo, so could you change
access-list 102 deny tcp 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255 eq telnet
to
access-list 102 permit tcp 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255 eq telnet
Apologies for that.
Jon
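As an added example (not part of the thread and not Cisco code), the following Python models the VACL evaluation semantics that the accepted answer and the typo correction above depend on: an ACL is checked top-down with an implicit deny, a "match ip address N" clause fires only when ACL N permits the packet, and a packet matching no clause is dropped. It assumes the addresses and ACL/access-map numbers from Jon's answer; the helper names (`decide`, `jons_config`, `Ace`, `Packet`) are this example's own.

```python
"""Model of how a Cisco IOS VLAN access-map (VACL) decides a packet's fate.

Constructed for this thread, not Cisco code. Semantics modelled:
  * an extended ACL is checked top-down; the first matching ACE decides,
    and no match is an implicit deny;
  * a VACL clause "match ip address N" matches only when ACL N *permits*
    the packet, and the clause action (forward/drop) is then applied;
  * a packet that matches no clause is dropped (implicit deny).
So a 'deny' ACE inside an ACL used by a VACL drops nothing by itself; it
only makes that clause fall through to the next one.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

TELNET = 23


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Ace:
    permit: bool
    proto: str                   # "ip" (any protocol) or "tcp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching ACE decides; no match is an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.permit
    return False


def vacl_action(access_map: List[Tuple[str, str]],
                acls: Dict[str, List[Ace]], pkt: Packet) -> str:
    """access_map is the ordered list of (acl number, action) clauses."""
    for acl_name, action in access_map:
        if acl_permits(acls[acl_name], pkt):
            return action
    return "drop"  # implicit deny at the end of the VACL


def host(ip: str) -> Tuple[str, str]:
    return ip, "0.0.0.0"


ANY = ("0.0.0.0", "255.255.255.255")
VLAN103 = ("192.168.5.0", "0.0.0.255")  # subnet used in Jon's answer


def jons_config(acl102_permit: bool):
    """ACLs 101/102/103 and access-map filter_1 from the accepted answer.

    acl102_permit=False reproduces the original 'deny' typo,
    True the corrected 'permit' from Jon's follow-up post.
    """
    acl101 = [Ace(True, "tcp", *host(h), *host(s), TELNET)
              for h in ("192.168.5.10", "192.168.5.11")
              for s in ("192.168.5.3", "192.168.5.4")]
    acl102 = [Ace(acl102_permit, "tcp", *VLAN103, *VLAN103, TELNET)]
    acl103 = [Ace(True, "ip", *ANY, *ANY)]
    access_map = [("101", "forward"), ("102", "drop"), ("103", "forward")]
    return {"101": acl101, "102": acl102, "103": acl103}, access_map


def decide(acl102_permit: bool, src: str, dst: str, dport: int,
           proto: str = "tcp") -> str:
    acls, access_map = jons_config(acl102_permit)
    return vacl_action(access_map, acls, Packet(src, dst, proto, dport))


if __name__ == "__main__":
    for permit102 in (False, True):
        print("ACL 102 =", "permit (fixed)" if permit102 else "deny (typo)")
        for src, dst, port in (("192.168.5.10", "192.168.5.3", TELNET),
                               ("192.168.5.20", "192.168.5.3", TELNET),
                               ("192.168.5.20", "192.168.5.3", 80)):
            print(f"  {src} -> {dst}:{port}  {decide(permit102, src, dst, port)}")
```

Running it shows why the typo mattered: with "deny" in ACL 102, a telnet session from an unlisted host (192.168.5.20) to 192.168.5.3 matches no clause that permits it until clause 30, so it is forwarded; with "permit" it is dropped at clause 20. The model also exposes two properties of the accepted config worth knowing before deploying it: ACL 102 blocks telnet between any two hosts in 192.168.5.0/24, not only telnet to the two servers, and telnet that is routed in from another subnet is not matched by ACL 102 at all, so it reaches the servers via clause 30.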
12-03-2008 10:13 PM
Hi,
If this is a 6500/7600, then you could use the VACL feature to filter traffic within a VLAN. More information is in the URL below:
Regards,
Arul
*Pls rate if it helps*