Blocking access to a specific host

ronald.ramzy
Level 1

Hi,

I have a point-to-point link between our branch office and headquarters...

We want to block access to specific hosts at headquarters from the branch office.

But we have multiple VLANs at the branch office.

How could we block access to this host??? The host is a server [two servers].

11 Replies

pstebner10
Level 1

You can put an ACL in place on your edge interface denying traffic to those hosts. For example, if you have a PIX/ASA, you could do:

access-list outside_in extended deny ip any host

access-list outside_in extended deny ip any host

access-group outside_in in interface outside

HTH,

Paul

It's a 3550 switch.

To start with, I need 3 VLANs to block these hosts.

What command is required on the VLAN to block these hosts?

Ronald-

Are you using the 3550 in Layer3 mode? What is the topology on each end?

Paul

3550 is on Layer3 Mode.

Any advice.

Ronald-

You can apply an access-list to the uplink port of the 3550. I assume that you have the uplink at L3 and the rest as switchports since you mentioned 3 VLANs. Can you post your config?

Paul

Mohamed Sobair
Level 7

Hi,

You can do that by configuring the following on the switchport:

"Switchport mode protected"; this will eliminate access to the host residing on the port.

HTH

Mohamed

Users are located in different locations in the building, so I feel restricting on trunks is not easy....

Mohamed, please elaborate more on Switchport mode protected... how to configure this for my scenario.....

Kindly advise on the config.

The VLAN I want to restrict is

VLAN 100

! Define the ACL first, then apply it to the SVI
ip access-list extended Restrict-ATARI
 deny ip 172.16.1.0 0.0.0.255 host 192.168.1.222
 permit ip any any
!
int vlan 100
 description BLOCK C VLAN
 ! The SVI needs a host address in the subnet; IOS rejects the network address 172.16.1.0
 ip address 172.16.1.1 255.255.255.0
 ! ip access-group requires a direction (in or out)
 ip access-group Restrict-ATARI in

Mohamed Sobair
Level 7

So, you want to deny access at layer 3 using an access list, right?

Could you please tell in which VLAN the host resides? What does 192.168.x.x represent? Do you want to deny access from the 172.x subnet toward the host? Please clarify more..

Thanks,

Mohamed

User VLAN is VLAN 100

Server1 : 192.168.1.222

Server2 : 192.168.1.111

I want to restrict user VLAN 100 from accessing Server1 and Server2 only, and permit the others.

(The description in VLAN 100, "BLOCK C VLAN", means Building C.)

Access list should be applied nearest the server(s):

access-list 101 deny ip 172.16.1.0 0.0.0.255 host 192.168.1.111
access-list 101 deny ip 172.16.1.0 0.0.0.255 host 192.168.1.222
access-list 101 permit ip any any
!
int vlan 100
 ip access-group 101 in

Thanks for your reply.

I would like to understand the technical difference or benefits of applying the ACL near the server versus applying it on the user VLAN.

Appreciate your help.
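The placement question above is not answered in the thread. The following Python example is added here and is not code from any poster: it parses ACL entries in the Restrict-ATARI / access-list 101 style, applies IOS first-match and implicit-deny semantics with wildcard masks, and shows how many hops of a constructed branch-to-HQ path a denied packet consumes before being dropped, depending on where the ACL is applied. The hop labels in PATH and the function names are my assumptions.

```python
import ipaddress
# Constructed from the thread's ACL entries (both servers, user subnet 172.16.1.0/24).
RESTRICT_ATARI = """
deny ip 172.16.1.0 0.0.0.255 host 192.168.1.222
deny ip 172.16.1.0 0.0.0.255 host 192.168.1.111
permit ip any any
"""
# Assumed hops from a branch user to an HQ server (labels are mine, not the thread's).
PATH = ["branch-vlan100-in", "p2p-link", "hq-server-vlan-out"]

def _spec_matches(spec, ip):
    """Match an address against 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if spec == "any":
        return True
    first, second = spec.split()
    ip_int = int(ipaddress.IPv4Address(ip))
    if first == "host":
        return ip_int == int(ipaddress.IPv4Address(second))
    base, wildcard = (int(ipaddress.IPv4Address(p)) for p in (first, second))
    # Cisco wildcard mask: 0 bits must match exactly, 1 bits are don't-care.
    return ((ip_int ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into (action, src_spec, dst_spec)."""
    acl = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, i, specs = tokens[0], 2, []  # tokens[1] is the 'ip' protocol keyword
        for _ in range(2):
            width = 1 if tokens[i] == "any" else 2
            specs.append(" ".join(tokens[i:i + width]))
            i += width
        acl.append((action, specs[0], specs[1]))
    return acl

def evaluate(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for action, s, d in acl:
        if _spec_matches(s, src) and _spec_matches(d, dst):
            return action
    return "deny"

def hops_used(placement, src, dst):
    """Hops traversed before an ACL at `placement` denies the packet (all hops if permitted)."""
    acl, used = parse_acl(RESTRICT_ATARI), []
    for hop in PATH:
        if hop == placement and evaluate(acl, src, dst) == "deny":
            break
        used.append(hop)
    return used
```

With the ACL inbound on the user VLAN SVI the denied packet never reaches the point-to-point link; applied near the server it is dropped only after the link has carried it.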
