ACCESS LIST BETWEEN VLANS

Dec 13th, 2008

Dear all,

I have a Cisco 6500 switch with multiple VLANs.

My server VLAN runs HSRP, i.e. VLAN ID 128, and my user VLANs run GLBP, i.e. VLAN ID 192.

My server VLAN IP address range is 128.20.0.0/16, and the user VLANs are 192.168.X.X/24.

I want to achieve the following:

I have one server, 128.20.0.166. Currently all users are able to access it directly; now I want to block direct access to it from my user VLAN.

Can someone guide me as to which type of access list I have to create, with the commands, and where I have to apply it to achieve this?

Giuseppe Larosa Sun, 12/14/2008 - 00:47

Hello Jitendra,

there are several ways to achieve what you want.

Your scenario should be:

Servers vlan VL128 ---- SVI_Vlan128 === SVI_Vlan192 --- Clients Vlan Vlan 192

The correct tool is an extended IP ACL, which allows you to specify a source and a destination plus L4 information such as TCP or UDP and ports.

Let's suppose the server 128.20.0.166 is open on TCP port T.

You can apply the ACL inbound on SVI Vlan128:

conf t
access-list 121 deny tcp host 128.20.0.166 eq T 192.168.X.0 0.0.0.255
access-list 121 permit ip any any

where T is only there to represent the service port number.

Notice that the TCP port follows the server: the port used on the clients is dynamically negotiated, so it cannot be matched.

! applying the ACL inbound
int vlan 128
ip access-group 121 in

Other choices are possible.

Hope this helps,

Giuseppe


jitendra.pipalia Tue, 12/16/2008 - 23:10

I have created the access list below

ip access-list extended serveracl
10 deny ip 192.168.1.31 0.0.0.255 host 128.20.0.166
20 permit ip any any

and applied it to VLAN 128 outbound.

I have also tried the following:

ip access-list extended serveracl
10 deny ip 192.168.1.31 0.0.0.224 host 128.20.0.166
20 permit ip any any

It has blocked the entire 192.168.1.0 range.

Now tell me, what is my mistake?

viyuan700 Wed, 12/17/2008 - 00:30

"10 deny 192.168.1.31 0.0.0.255 host 128.20.0.166"

If 192.168.1.31 is your IP, then 0.0.0.255 is not correct; it should be 0.0.0.0. With that you are blocking just 192.168.1.31.

If it is 192.168.1.0, then it can be 0.0.0.255; with that you are blocking all the hosts on the 192.168.1.0 network.



jitendra.pipalia Wed, 12/17/2008 - 00:49

I want to block the range 192.168.1.31 to 192.168.1.255.

192.168.1.1 to 192.168.1.30 should be allowed.

viyuan700 Wed, 12/17/2008 - 00:59

Then you can use 192.168.1.0 0.0.0.31.

This will allow 192.168.1.1-31 and block the rest.
