Cisco Support Community
New Member

ACL restriction on switched network

Hi gents,

Which type of ACL should I use to restrict some IP subnets in an L2 (switched) environment?

I can't use MAC ACLs, as I have a lot of hosts. I can't use VLAN ACLs either; there are

some restrictions.

thanks

Leo

5 REPLIES
Hall of Fame Super Blue

Re: ACL restriction on switched network

Leo

Could you clarify what you are trying to do exactly.

Jon

New Member

Re: ACL restriction on switched network

I have SwitchA connected to SwitchB.

They are connected to each other through a switched port (access port) in VLAN 20.

There are some servers in VLAN 20 connected to SwitchB.

SwitchB has the route to the ISP.

SwitchA - interface Vlan 20

ip address 10.20.0.1

default gateway - 10.20.0.254

SwitchB - interface Vlan 20

IP address 10.20.0.254

default gateway - Internet gateway

SwitchA has VLAN 16 - 10.16.0.0

Hosts from this subnet access the internet through SwitchB and then SwitchA (and can also see the servers in VLAN 20).

SwitchB doesn't have VLAN 16.

It only has a route back to that subnet.

How can I restrict 10.16.0.0 access to the 10.20.0.0 servers?

Outbound ACL on interface Vlan 20 on SwitchB?

Thanks

New Member

Re: ACL restriction on switched network

Sorry... Correction.

Hosts from this subnet access the internet through SwitchA and then SwitchB (and can also see the servers in VLAN 20).

Outbound ACL on interface Vlan 20 on SwitchA?

Hall of Fame Super Blue

Re: ACL restriction on switched network

Hi Leo

Do you have an SVI on switch A for VLAN 16 then? I guess you must. You could apply the following ACL on VLAN 16 on switch A (IOS extended ACLs take wildcard masks, where a 1 bit means "don't care", so /16 is written 0.0.255.255):

ip access-list extended filter
 remark wildcard 0.0.255.255 matches the first two octets only
 deny   ip 10.16.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 permit ip 10.16.0.0 0.0.255.255 any
!
interface Vlan16
 ip access-group filter in

Traffic from the 10.16.x.x hosts will always be allowed unless it is going to a 10.20.x.x address.

If there are some addresses in the 10.20.x.x range that you want the 10.16.x.x clients to reach, add permit entries for those at the top of the access list, since the first matching entry wins.

HTH

Jon
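The following is an added example, not code from the thread or from Cisco: a small Python model of how IOS evaluates an extended ACL (wildcard-mask matching, first match wins, implicit deny at the end). It reproduces the deny/permit pair suggested above, plus the "exception at the top" variant for one assumed server address (10.20.0.50, chosen here for illustration), and runs a few constructed flows through it. It also shows why a subnet mask (255.255.0.0) typed where a wildcard mask belongs matches the wrong addresses.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'.
    Only the bit positions where the wildcard is 0 must equal the base address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    """One access-control entry: action plus source/destination base and wildcard."""
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


# "any" is written 0.0.0.0 with an all-ones wildcard
ANY = ("0.0.0.0", "255.255.255.255")


def evaluate(acl: list, src: str, dst: str) -> str:
    """Walk the ACL top to bottom; the first matching entry decides.
    Anything that matches nothing hits the implicit deny at the end."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny (implicit)"


# The ACL from the reply above, applied inbound on the Vlan16 SVI, with
# proper /16 wildcard masks (0.0.255.255).
FILTER = [
    Ace("deny", "10.16.0.0", "0.0.255.255", "10.20.0.0", "0.0.255.255"),
    Ace("permit", "10.16.0.0", "0.0.255.255", *ANY),
]

# Variant with a host exception placed at the top. 10.20.0.50 is an
# assumed server address used only for this example.
FILTER_WITH_EXCEPTION = [
    Ace("permit", "10.16.0.0", "0.0.255.255", "10.20.0.50", "0.0.0.0"),
] + FILTER


def subnet_mask_as_wildcard_is_wrong() -> bool:
    """Typing 255.255.0.0 as the wildcard for 10.16.0.0 wildcards the first
    two octets and pins the last two to .0.0, so a real 10.16.x.x host does
    not match while an unrelated address ending in .0.0 does."""
    misses_real_host = not wildcard_match("10.16.1.5", "10.16.0.0", "255.255.0.0")
    hits_wrong_host = wildcard_match("192.168.0.0", "10.16.0.0", "255.255.0.0")
    return misses_real_host and hits_wrong_host


if __name__ == "__main__":
    # Constructed sample flows as seen entering the Vlan16 SVI
    for acl_name, acl in (("filter", FILTER), ("filter+exception", FILTER_WITH_EXCEPTION)):
        for src, dst in (("10.16.1.5", "10.20.0.10"),
                         ("10.16.1.5", "10.20.0.50"),
                         ("10.16.1.5", "8.8.8.8"),
                         ("10.99.0.1", "8.8.8.8")):
            print(f"{acl_name:17} {src:>11} -> {dst:<11} {evaluate(acl, src, dst)}")
    print("subnet mask typed as wildcard misbehaves:", subnet_mask_as_wildcard_is_wrong())
```

The last constructed flow (source 10.99.0.1) never matches either explicit entry and falls to the implicit deny; because the ACL is applied inbound on the VLAN 16 SVI, that also drops packets with a spoofed non-10.16 source arriving from that VLAN.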

New Member

Re: ACL restriction on switched network

Hi, apply an extended ACL on the VLAN 20 interface as inbound and define 10.16.0.0 as the source and 10.20.0.0 as the destination.

If it helps, do rate it.

Ninja
