Using an ACL to restrict access to a server
09-22-2009 07:50 AM (last edited on 03-25-2019 04:08 PM by ciscomoderator)
We're trying to restrict access to a server by only allowing a limited number of hosts to access the server. It seems like it would be a pretty simple ACL, something like this (assuming the server is 10.10.10.100):
permit ip host 10.10.10.1 host 10.10.10.100
But where should we apply it? We'd planned to apply it on the interface that directly connects to the server, but it appears we can only apply it inbound on that interface (i.e. it would apply to traffic sourced from the server, inbound into the switch). So do we have to apply it to the VLAN on which the server resides, using it with a "permit ip any any" at the end to allow other traffic to flow freely over the VLAN?
Labels: Other Switching
09-22-2009 07:56 AM
Patrick
You should apply it outbound on the VLAN interface for the server VLAN, i.e.:
access-list 101 permit ip host 10.10.10.1 host 10.10.10.100
access-list 101 permit ip host 10.10.10.20 host 10.10.10.100
access-list 101 deny ip any host 10.10.10.100
access-list 101 permit ip any any
int vlan 10
ip access-group 101 out
The above will allow hosts 10.10.10.1 and 10.10.10.20 to talk to the server 10.10.10.100,
then all other traffic to the server is denied,
then all other traffic to the server VLAN is allowed.
Jon
09-22-2009 08:37 AM
Thanks very much, Jon. That was exactly the answer we were looking for.
09-22-2009 08:40 AM
Glad to have helped.
08-08-2012 11:22 AM
I used to work with the original poster and I need to add another host to the above acl. I simply added the extra lines:
access-list 101 permit ip host 10.10.10.1 host 10.10.10.200
access-list 101 permit ip host 10.10.10.20 host 10.10.10.200
access-list 101 deny ip any host 10.10.10.200
access-list 101 permit ip any any
But I can't get it to work and can't seem to find an answer online anywhere that makes sense to me.
08-08-2012 12:11 PM
We do not have very much to work with here. When you say that you added extra lines, does that mean that you went into config mode and input the lines shown in your post? If so, then probably the issue is that IOS adds additional lines to an existing access list at the bottom of the existing access list. And since the existing access list ended with permit ip any any, any lines that you add below that will have no effect.
If that does not seem to explain your issue then I suggest that you post the relevant parts of the configuration as it exists. And a better explanation of what is not working would also help. Is the issue that no one can get to host 10.10.10.200? Or is the issue that everyone can get to that host? Or what is not working as you expect it to?
HTH
Rick
08-08-2012 12:16 PM
Hi,
The sequence of the access-list statements is important.
Could you please show the sequence of the statements?
Regards, Rahul.
08-08-2012 12:38 PM
I deleted the existing acl and added this:
access-list 101 permit ip host 10.10.10.1 host 10.10.10.100
access-list 101 permit ip host 10.10.10.1 host 10.10.10.200
access-list 101 permit ip host 10.10.10.20 host 10.10.10.100
access-list 101 permit ip host 10.10.10.20 host 10.10.10.200
access-list 101 deny ip any host 10.10.10.100
access-list 101 deny ip any host 10.10.10.200
access-list 101 permit ip any any
int vlan 10 (10.10.10.0/24)
ip access-group 101 out
I was able to reach 10.10.10.100 from a restricted IP but not 10.10.10.200
08-08-2012 12:53 PM
Thanks for the additional information. Deleting the existing access list and then creating it again with the added statements is the correct way to change it. From a syntax perspective I would say that your access list is correct. So my next question is which restricted IP are you testing from? And is your test using the same restricted IP to access both of the servers?
The overall approach of Jon's access list is certainly correct. You want to permit the specific hosts that can access the server, then you need to deny all other access to the server, and then you need to permit everything else. But there is a significant flaw in its detailed implementation. The source addresses are in subnet 10.10.10 and the server destination is also in subnet 10.10.10. This means that the sources and the destinations are all locally connected. And we do not have any capability to restrict connections within the local subnet.
The approach that Jon suggests works well if the source addresses are in remote subnets and are attempting to access the server through the VLAN interface where the access list is applied. This access we can control very well with the access list. So my question to you now becomes are you testing from a device that is outside of the 10.10.10 subnet or from a device that is in the 10.10.10 subnet?
HTH
Rick
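An added example, not code from the thread or from Cisco, that models the two points Rick makes above: IOS appends new lines to the bottom of a numbered ACL, so anything typed after permit ip any any can never match, and an ACL applied out on the SVI only filters traffic the switch routes onto that VLAN, so a host inside 10.10.10.0/24 reaches the server at layer 2 without ever being checked. The three ACLs are the ones posted in the thread; the simulator itself, its function names, the wildcard-mask parsing and the shadowed-line check are illustration beyond what the thread shows and are assumptions, as is the simplified same-subnet model in svi_out_check.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Added illustration, not IOS: a first-match ACL evaluator plus a crude model
# of where an outbound SVI ACL sits in the forwarding path.


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens: list[str]) -> tuple[ipaddress.IPv4Network, list[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Wildcard mask (assumed contiguous): ipaddress accepts a hostmask after '/'.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def load_acl(text: str) -> list[Ace]:
    """Parse 'access-list N permit|deny ip SRC DST' lines, the subset used in the thread."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported line: {line!r}")
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        acl.append(Ace(t[2], src, dst))
    return acl


def evaluate(acl: list[Ace], src: str, dst: str) -> tuple[str, int | None]:
    """Top-down, first match wins; unmatched traffic hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, start=1):
        if s in ace.src and d in ace.dst:
            return ace.action, n
    return "deny", None


def shadowed(acl: list[Ace]) -> list[int]:
    """1-based numbers of ACEs that can never match because one earlier ACE
    already covers every packet they would match (coverage by a combination
    of earlier lines is not detected)."""
    dead = []
    for n, ace in enumerate(acl, start=1):
        if any(ace.src.subnet_of(e.src) and ace.dst.subnet_of(e.dst) for e in acl[: n - 1]):
            dead.append(n)
    return dead


def svi_out_check(acl: list[Ace], vlan_subnet: str, src: str, dst: str) -> tuple[bool, str]:
    """Model of 'ip access-group N out' on the SVI of vlan_subnet (assumption:
    only packets the switch routes onto the VLAN pass the outbound ACL; a host
    in the same subnet is switched at layer 2 and bypasses it). Returns (forwarded, why)."""
    net = ipaddress.ip_network(vlan_subnet)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d not in net:
        return True, "not routed onto this VLAN; outbound ACL not consulted"
    if s in net:
        return True, "same subnet: bridged at layer 2, SVI ACL bypassed"
    action, line = evaluate(acl, src, dst)
    return action == "permit", f"routed; ACL line {line}: {action}"


# ACLs as posted in the thread.
ORIGINAL = load_acl("""
access-list 101 permit ip host 10.10.10.1 host 10.10.10.100
access-list 101 permit ip host 10.10.10.20 host 10.10.10.100
access-list 101 deny ip any host 10.10.10.100
access-list 101 permit ip any any
""")

# The 2012 follow-up: lines typed into an existing ACL land at the bottom.
APPENDED = ORIGINAL + load_acl("""
access-list 101 permit ip host 10.10.10.1 host 10.10.10.200
access-list 101 permit ip host 10.10.10.20 host 10.10.10.200
access-list 101 deny ip any host 10.10.10.200
access-list 101 permit ip any any
""")

REBUILT = load_acl("""
access-list 101 permit ip host 10.10.10.1 host 10.10.10.100
access-list 101 permit ip host 10.10.10.1 host 10.10.10.200
access-list 101 permit ip host 10.10.10.20 host 10.10.10.100
access-list 101 permit ip host 10.10.10.20 host 10.10.10.200
access-list 101 deny ip any host 10.10.10.100
access-list 101 deny ip any host 10.10.10.200
access-list 101 permit ip any any
""")

if __name__ == "__main__":
    print("dead lines in appended ACL:", shadowed(APPENDED))
    print("appended, 10.10.10.50 -> .200:", evaluate(APPENDED, "10.10.10.50", "10.10.10.200"))
    print("rebuilt,  10.10.10.50 -> .200:", evaluate(REBUILT, "10.10.10.50", "10.10.10.200"))
    for src in ("10.10.10.50", "192.168.1.5"):
        print(f"SVI out, {src} -> .200:", svi_out_check(REBUILT, "10.10.10.0/24", src, "10.10.10.200"))
```

Running it shows the two failure modes side by side: in APPENDED lines 5 through 8 are dead and an unlisted host is permitted to 10.10.10.200 by line 4, while in REBUILT the same host is denied at line 6 when it is routed in from another subnet but is simply never checked when it sits in 10.10.10.0/24. Restricting same-subnet access needs a mechanism at layer 2 (a port ACL or VLAN ACL on the switch, or a host firewall on the server), not an ACL on the SVI.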
