02-04-2009 06:46 AM - edited 03-06-2019 03:51 AM
Hi,
I have a point-to-point link between our branch office and headquarters.
We want to block access to specific hosts at headquarters from the branch office.
But we have multiple VLANs at the branch office.
How could we block access to this host? The host is a server [two servers].
02-04-2009 07:17 AM
You can put an ACL in place on your edge interface denying traffic to those hosts. For example, if you have a PIX/ASA, you could do:
access-list outside_in extended deny ip any host
access-list outside_in extended deny ip any host
access-group outside_in in interface outside
HTH,
Paul
02-04-2009 09:31 AM
It's a 3550 switch.
To start with, I need three VLANs to block these hosts.
What command is required on the VLAN to block these hosts?
02-04-2009 09:44 AM
Ronald-
Are you using the 3550 in Layer3 mode? What is the topology on each end?
Paul
02-04-2009 09:54 AM
The 3550 is in Layer 3 mode.
Any advice?
02-04-2009 11:05 AM
Ronald-
You can apply an access list to the uplink port of the 3550. I assume that you have the uplink at L3 and the rest as switchports, since you mentioned three VLANs. Can you post your config?
Paul
02-04-2009 11:12 AM
Hi,
You can do that by configuring the following on the switchport:
"switchport protected"; this will eliminate access to the host residing on the port.
HTH
Mohamed
02-04-2009 01:17 PM
Users are located in different locations in the building, so I feel restricting on trunks is not easy....
Mohamed, please elaborate more on switchport protected... how do I configure this for my scenario?
Kindly advise on the config.
The VLAN I want to restrict is:
VLAN 100
int vlan 100
 description BLOCK C VLAN
 ip address 172.16.1.0 255.255.255.0
 ip access-group Restrict-ATARI in
ip access-list extended Restrict-ATARI
 deny ip 172.16.1.0 0.0.0.255 host 192.168.1.222
 permit ip any any
02-04-2009 01:33 PM
So, you want to deny access at layer 3 using an access list, right?
Could you please tell me in which VLAN the host resides? What does 192.168.x.x represent? Do you want to deny access from the 172.x subnet toward the host? Please clarify more.
Thanks,
Mohamed
02-04-2009 02:38 PM
User VLAN is VLAN 100
Server1: 192.168.1.222
Server2: 192.168.1.111
I want to restrict user VLAN 100 from accessing Server1 and Server2 only, and permit others.
(The description in VLAN 100, "BLOCK C VLAN", means Building-C.)
02-04-2009 07:18 PM
The access list should be applied nearest the server(s):
access-list 101 deny ip 172.16.1.0 0.0.0.255 host 192.168.1.111
access-list 101 deny ip 172.16.1.0 0.0.0.255 host 192.168.1.222
access-list 101 permit ip any any
int vlan 100
 ip access-group 101 in
02-04-2009 09:57 PM
Thanks for your reply.
I would like to understand the technical difference or benefits of applying the ACL near the server versus applying it on the user VLAN.
Appreciate your help.
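Added example (editor's addition, not posted by anyone in this thread): a complete 3550 configuration for the scenario described above, with both placements the thread discusses. The user subnet 172.16.1.0/24 and the two server addresses 192.168.1.111 and 192.168.1.222 come from the thread; the SVI address 172.16.1.1, the routed uplink name GigabitEthernet0/1 and its address 10.0.0.2/30 are assumptions. On the placement question: the match is the same wherever the ACL sits. Applied inbound on the VLAN 100 SVI, the packet is dropped at its first hop, before it is routed or crosses the point-to-point link, which is the usual recommendation for extended ACLs (filter close to the source). Applied outbound on the uplink instead, one ACL covers every branch VLAN, but the packet is routed first and traffic between local VLANs is not filtered. Also note that switchport protected only stops protected ports on the same switch from talking to each other at layer 2; it does not filter routed traffic to a remote server, so it does not address this case.

```cisco
! Added example, not from the thread. Assumptions:
!  - VLAN 100 (users, 172.16.1.0/24) terminates on this 3550's SVI
!  - SVI address 172.16.1.1 (assumed; the thread shows only the subnet)
!  - routed uplink to HQ is GigabitEthernet0/1 with 10.0.0.2/30 (assumed)
!  - HQ servers 192.168.1.111 and 192.168.1.222 (from the thread)
!
! Named extended ACL. IOS evaluates top-down, first match wins, so the
! two deny lines must come before the permit. Without any permit line
! the ACL ends in an implicit "deny ip any any" and VLAN 100 loses all
! routed connectivity, not just the two servers.
ip access-list extended Restrict-ATARI
 remark Block Building-C users (VLAN 100) from the two HQ servers
 deny   ip 172.16.1.0 0.0.0.255 host 192.168.1.111
 deny   ip 172.16.1.0 0.0.0.255 host 192.168.1.222
 permit ip any any
!
! Option A (closest to the source): inbound on the user SVI.
! "in" on an SVI matches packets arriving from VLAN 100 hosts, so the
! denied traffic is dropped before it is routed or reaches the WAN link.
interface Vlan100
 description BLOCK C VLAN (Building-C users)
 ip address 172.16.1.1 255.255.255.0
 ip access-group Restrict-ATARI in
!
! Option B (on the uplink): the same ACL outbound on the routed port
! toward HQ. Same match, but the packet has already been routed, and
! one ACL here covers every branch VLAN; add only ONE of A or B.
! interface GigabitEthernet0/1
!  no switchport
!  ip address 10.0.0.2 255.255.255.252
!  ip access-group Restrict-ATARI out
!
! Verification: the hit counter on the matching deny line increments
! when a VLAN 100 host tries to reach either server.
! show ip access-lists Restrict-ATARI
! show ip interface Vlan100 | include access list
```

Keep the ACL specific to the two servers so that the permit ip any any line continues to carry everything else; if the ACL is ever edited, re-check the line order with show ip access-lists, since a permit placed above the denies silently disables the block.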