Blocking access to a specific host

ronald.ramzy
Level 1

Hi,

I have a point-to-point link between our branch office and headquarters...

We want to block access to specific hosts at headquarters from the branch office.

But we have multiple VLANs at the branch office.

How could we block access to this host? The host is a server (two servers).

11 Replies

pstebner10
Level 1

You can put an ACL in place on your edge interface denying traffic to those hosts. For example, if you have a PIX/ASA, you could do:

access-list outside_in extended deny ip any host
access-list outside_in extended deny ip any host
access-group outside_in in interface outside

HTH,

Paul

It's a 3550 switch.

To start with, I need 3 VLANs to block these hosts.

What command is required on the VLAN to block these hosts?

Ronald-

Are you using the 3550 in Layer3 mode? What is the topology on each end?

Paul

3550 is on Layer3 Mode.

Any advice.

Ronald-

You can apply an access-list to the uplink port of the 3550. I assume that you have the uplink at L3 and the rest as switchports, since you mentioned 3 VLANs. Can you post your config?

Paul

Mohamed Sobair
Level 7

Hi,

You can do that by configuring the following on the switchport:

"Switchport mode protected"; this will eliminate access to the host residing on the port.

HTH

Mohamed

Users are located in different locations in the building, so I feel restricting on trunks is not easy....

Mohammed, please elaborate more on "switchport mode protected"... how do I configure this for my scenario.....

Kindly advise on the config.

The VLAN I wanna restrict is

VLAN 100

int vlan 100
description BLOCK C VLAN
! 172.16.1.1 assumed for the SVI: it needs a host address in the subnet, IOS rejects the .0 network address with a /24 mask
ip address 172.16.1.1 255.255.255.0
! the access-group needs a direction; "in" filters traffic from VLAN 100 hosts as it enters the switch
ip access-group Restrict-ATARI in

ip access-list extended Restrict-ATARI
deny ip 172.16.1.0 0.0.0.255 host 192.168.1.222
permit ip any any

Mohamed Sobair
Level 7

So, you want to deny access at layer 3 using an access-list, right?

Could you please tell me in which VLAN the host resides? What does 192.168.x.x represent? Do you want to deny access from the 172.x subnet toward the host? Please clarify more.

Thanks,

Mohamed

User VLAN is VLAN 100

Server1: 192.168.1.222

Server2: 192.168.1.111

I want to restrict user VLAN 100 from accessing Server1 and Server2 only, and permit others.

(The description in VLAN 100, "BLOCK C VLAN", means Building C.)

Access list should be applied nearest the server(s):

access-list 101 deny ip 172.16.1.0 0.0.0.255 host 192.168.1.111
access-list 101 deny ip 172.16.1.0 0.0.0.255 host 192.168.1.222
access-list 101 permit ip any any

int vlan 100
ip access-group 101 in
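The following is an added example, not code from the thread or from any participant: a small Python model of how IOS evaluates an extended ACL such as access-list 101 above (top-down, first match wins, wildcard masks, implicit deny at the end). The addresses are the ones posted in the thread; the sample packets are constructed, and the host 172.16.1.25, 172.16.2.25 and 192.168.1.10 addresses are assumptions chosen to exercise each branch of the policy. It lets you confirm that only VLAN 100 traffic to the two servers is dropped, and shows what happens when the final permit is forgotten.

```python
"""
Added example (not from the original thread): a model of how an IOS extended
ACL like the one posted above is evaluated, so the policy "VLAN 100 may not
reach the two servers, everything else is permitted" can be checked against
sample traffic before it is typed into the 3550.

Modelled semantics:
  * entries are tried top-down and the first match wins;
  * source/destination use wildcard masks: 0 bits must equal the given
    address, 1 bits are don't-care; "host X" is X 0.0.0.0, "any" is
    0.0.0.0 255.255.255.255;
  * every ACL ends in an implicit deny, so forgetting "permit ip any any"
    cuts off the whole VLAN.
Addresses are the ones from the thread; the sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z" (address + wildcard)
    dst: str


def _matches(spec: str, addr: str) -> bool:
    """Cisco wildcard match: compare only the bits the wildcard leaves as 0."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        base, wild = spec.split()[1], "0.0.0.0"
    else:
        base, wild = spec.split()
    b, w, a = (int(IPv4Address(x)) for x in (base, wild, addr))
    return (a & ~w) == (b & ~w)


def _take_spec(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acl(text: str) -> list:
    """Parse numbered ('access-list 101 deny ip ...') or named-ACL ('deny ip ...')
    entries into Entry objects; only 'ip' entries are supported."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue                        # blank line or IOS comment
        if t[0] == "access-list":
            t = t[2:]                       # drop 'access-list <number>'
        if t[0] not in ("permit", "deny") or t[1] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, i = _take_spec(t, 2)
        dst, _ = _take_spec(t, i)
        acl.append(Entry(t[0], src, dst))
    return acl


def evaluate(acl, src: str, dst: str):
    """Return (action, index of the matching entry), or ("deny", None) for the
    implicit deny at the end of the list."""
    for i, e in enumerate(acl):
        if _matches(e.src, src) and _matches(e.dst, dst):
            return e.action, i
    return "deny", None


# The ACL from the reply above (numbered form); the same entries work in a
# named ACL applied with "ip access-group Restrict-ATARI in" on int vlan 100.
RESTRICT_ATARI = parse_acl("""
access-list 101 deny ip 172.16.1.0 0.0.0.255 host 192.168.1.111
access-list 101 deny ip 172.16.1.0 0.0.0.255 host 192.168.1.222
access-list 101 permit ip any any
""")

# Constructed sample packets (source, destination) as they enter the VLAN 100
# SVI on the 3550; the user in another VLAN shows the ACL only affects 172.16.1.0/24.
SAMPLE_PACKETS = [
    ("172.16.1.25", "192.168.1.222"),  # VLAN 100 user -> Server1
    ("172.16.1.25", "192.168.1.111"),  # VLAN 100 user -> Server2
    ("172.16.1.25", "192.168.1.10"),   # VLAN 100 user -> another HQ host (assumed address)
    ("172.16.2.25", "192.168.1.222"),  # user in a different branch VLAN -> Server1
]


def check_policy(acl=RESTRICT_ATARI, packets=SAMPLE_PACKETS) -> dict:
    """Map each (src, dst) to the action the ACL takes on it."""
    return {pkt: evaluate(acl, *pkt)[0] for pkt in packets}


def without_final_permit(acl):
    """Same ACL minus its 'permit ip any any': the implicit deny then drops
    every packet from the VLAN, not just those to the two servers."""
    return [e for e in acl if e.action != "permit"]


if __name__ == "__main__":
    for pkt, action in check_policy().items():
        print(f"{pkt[0]:>14} -> {pkt[1]:<14} {action}")
    print("without the final permit:",
          set(check_policy(without_final_permit(RESTRICT_ATARI)).values()))
```

On placement: applied with "in" on int vlan 100, the two deny entries fire at the first hop, so the blocked packets never cross the point-to-point link; the same entries applied on the headquarters side drop the same packets but only after they have used WAN bandwidth. That is the usual Cisco guidance of putting extended ACLs (which can match both source and destination) close to the source, while standard ACLs (source only) go close to the destination.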

Thanks for your reply.

I would like to understand the technical difference or benefits of applying the ACL near the server versus applying the ACL on the user VLAN.

Appreciate your help.
