Blocking access to a specific host

Unanswered Question
Feb 4th, 2009
Hi,

I have a point-to-point link between our branch office and headquarters...

We want to block access to specific hosts at headquarters from the branch office.

But we have multiple VLANs at the branch office.

How could we block access to this host? The host is a server [two servers].

pstebner10 Wed, 02/04/2009 - 07:17
You can put an ACL in place on your edge interface denying traffic to those hosts. For example, if you have a PIX/ASA, you could do:

access-list outside_in extended deny ip any host <SERVER1-IP>
access-list outside_in extended deny ip any host <SERVER2-IP>
access-group outside_in in interface outside


HTH,

Paul

ronald.ramzy Wed, 02/04/2009 - 09:31

It's a 3550 switch.

To start with, I need 3 VLANs to block these hosts.

What command is required on the VLAN to block these hosts?



pstebner10 Wed, 02/04/2009 - 09:44

Ronald-

Are you using the 3550 in Layer 3 mode? What is the topology on each end?



Paul

pstebner10 Wed, 02/04/2009 - 11:05
Ronald-

You can apply an access-list to the uplink port of the 3550. I assume that you have the uplink at L3 and the rest as switchports since you mentioned 3 VLANs. Can you post your config?


Paul

Mohamed Sobair Wed, 02/04/2009 - 11:12
User Badges:
  • Gold, 750 points or more

Hi,


You can do that by configuring the following on the switchport:

"Switchport mode protected"; this will eliminate access to the host residing on the port.


HTH

Mohamed

ronald.ramzy Wed, 02/04/2009 - 13:17

Users are located in different locations in the building, so I feel restricting on trunks is not easy....

Mohammed, please elaborate more on "Switchport mode protected"... how do I configure this for my scenario.....

Kindly advise on the config.

The VLAN I wanna restrict is VLAN 100:

ip access-list extended Restrict-ATARI
 deny ip 172.16.1.0 0.0.0.255 host 192.168.1.222
 permit ip any any

int vlan 100
 description BLOCK C VLAN
 ip address 172.16.1.0 255.255.255.0
 ip access-group Restrict-ATARI in



Mohamed Sobair Wed, 02/04/2009 - 13:33
User Badges:
  • Gold, 750 points or more

So, you want to deny access at layer 3 using an access-list, right?

Could you please tell me in which VLAN the host resides? What does 192.168.x.x represent? Do you want to deny access from the 172.x subnet toward the host? Please clarify more..


Thanks,

Mohamed

ronald.ramzy Wed, 02/04/2009 - 14:38

User VLAN is VLAN 100

Server1: 192.168.1.222

Server2: 192.168.1.111

I want to restrict user VLAN 100 from accessing Server1 and Server2 only, and permit others.

(The description "BLOCK C VLAN" in VLAN 100 means Building C.)




Leo Laohoo Wed, 02/04/2009 - 19:18
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame
  • Cisco Designated VIP, 2017 LAN, Wireless

Access list should be applied nearest the server(s):

access-list 101 deny ip 172.16.1.0 0.0.0.255 host 192.168.1.111
access-list 101 deny ip 172.16.1.0 0.0.0.255 host 192.168.1.222
access-list 101 permit ip any any

int vlan 100
 ip access-group 101 in

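An added example (not code from the thread or from Cisco) to show how entries like the ones above are evaluated: a small Python model of IOS extended ACL matching, using the thread's server and subnet addresses in a constructed ACL. It shows first-match order, wildcard-mask expansion, and the implicit deny that catches a list with no trailing permit, which is what the deny-only PIX/ASA entries earlier in the thread would hit as well.

```python
import ipaddress

# Constructed ACLs in Cisco IOS extended syntax (not copied from the thread).
# RESTRICT_ATARI: VLAN 100 users (172.16.1.0/24) may not reach the two servers; all else passes.
RESTRICT_ATARI = """
deny ip 172.16.1.0 0.0.0.255 host 192.168.1.111
deny ip 172.16.1.0 0.0.0.255 host 192.168.1.222
permit ip any any
"""
# DENY_ONLY: the same idea with the trailing permit forgotten.
DENY_ONLY = """
deny ip any host 192.168.1.111
deny ip any host 192.168.1.222
"""

def parse_match(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], int(ipaddress.ip_address(tokens[1]))
    # IOS wildcard masks are inverted subnet masks: 0.0.0.255 means "match the /24".
    if (wildcard + 1) & wildcard:
        raise ValueError("non-contiguous wildcard masks are not handled here")
    prefix = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]

def parse_acl(text):
    """Return a list of (action, protocol, src_net, dst_net) in the order written."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        src, rest = parse_match(tokens[2:])
        dst, _ = parse_match(rest)
        rules.append((action, proto, src, dst))
    return rules

def evaluate(rules, src_ip, dst_ip):
    """First matching entry wins; if nothing matches, IOS applies its implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

if __name__ == "__main__":
    # Flows as seen inbound on 'int vlan 100', i.e. packets sent by VLAN 100 users.
    rules = parse_acl(RESTRICT_ATARI)
    print("user -> Server1:", evaluate(rules, "172.16.1.50", "192.168.1.222"))
    print("user -> other host:", evaluate(rules, "172.16.1.50", "192.168.1.5"))
    print("deny-only ACL, unrelated flow:", evaluate(parse_acl(DENY_ONLY), "172.16.2.7", "10.0.0.1"))
```

Applied inbound on the VLAN 100 SVI, only packets entering from VLAN 100 are checked against the list; hosts in other VLANs are never evaluated by it, and the deny-only list blocks every flow because nothing reaches a permit.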

ronald.ramzy Wed, 02/04/2009 - 21:57

Thanks for your reply.

I would like to understand the technical difference or benefits of applying the ACL near the server versus applying the ACL on the user VLAN.

Appreciate your help.


