New Member

Restrict Access

I'm trying to restrict access between these two VLANs. The design is simple: just restrict anything (IP) in the 10.1.20.X range from getting to the 10.1.10.X range. I've been toying with reflexive ACLs but cannot seem to get it to work.

interface Vlan10
 description **Staff**
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.3.2
!
interface Vlan20
 description **Students1**
 ip address 10.1.20.1 255.255.254.0
 ip access-group student2staff in
 ip helper-address 10.1.3.2
!
ip access-list extended staff2student
 permit ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.1.255 reflect staffreturn
 permit ip any any
!
ip access-list extended student2staff
 permit ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.1.255
 evaluate staffreturn
 permit icmp 10.1.20.0 0.0.1.255 10.1.10.0 0.0.0.255 echo-reply
 deny ip 10.1.20.0 0.0.1.255 10.254.0.0 0.0.255.255
 deny ip 10.1.20.0 0.0.1.255 10.1.10.0 0.0.0.255
 deny ip 10.1.20.0 0.0.1.255 10.250.0.0 0.0.255.255
 permit ip any any

8 REPLIES
Silver

Re: Restrict Access

interface Vlan20
 description **Students1**
 ip address 10.1.20.1 255.255.254.0

Please check the subnet mask.

regards

shivlu

New Member

Re: Restrict Access

What do you see wrong with the subnet mask? The students subnet needs to be 10.1.20.0 - 10.1.21.254

Green

Re: Restrict Access

So you want to block traffic from students to staff. Do you want there to be any communication from the staff to students?

New Member

Re: Restrict Access

Nothing should be blocked from staff to students.

Re: Restrict Access

Since the ACL is one-way, so many statements are not required. Simply:

ip access-list extended student2staff
 deny ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.1.255
 permit ip any any

Green

Re: Restrict Access

That would work, but I assume this is a switch, which is not stateful. Therefore if staff tried to contact students, the return traffic from the students would be blocked by the deny line in the ACL. And it would actually be...

ip access-list extended student2staff
 deny ip 10.1.20.0 0.0.1.255 10.1.10.0 0.0.0.255
 permit ip any any

Re: Restrict Access

Since the ACL is inbound on the student VLAN, it would check only traffic originated by that VLAN. Since there is no ACL outbound on this VLAN, all traffic towards students should flow without hampering.

Green

Re: Restrict Access

The definition of inbound in this case is really inbound to a student VLAN port. Therefore any traffic originating from a student machine would be checked against this ACL, including replies from traffic originated by staff.
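The two points argued in the last replies (an inbound ACL on the student SVI sees every packet a student host sends, replies included, and a plain deny therefore breaks staff-initiated sessions) can be checked with a small model rather than on a switch. The following Python is an added example and is not code from the thread or from Cisco: it parses the subset of extended-ACL syntax the thread uses, applies lists per interface and direction the way `ip access-group ... in|out` does, and compares the two-line stateless list from the reply above with a reflexive variant. The reflexive variant takes the `reflect staffreturn` / `evaluate staffreturn` pair from the original post, but applies the `staff2student` list outbound on Vlan20; in the posted configuration that list is never applied to any interface, so it can never create the entries that `evaluate` looks for. Hostnames `10.1.10.7` and `10.1.20.5` are constructed sample addresses; ports and ICMP types are not modelled, and whether the poster's platform supports reflexive ACLs at all is not stated in the thread and is not decided here.

```python
"""Added example: a small model of IOS extended ACLs on the thread's two SVIs.
Shows that a stateless deny inbound on Vlan20 also drops replies to
staff-initiated traffic, and how reflect/evaluate changes that."""
import ipaddress
from dataclasses import dataclass

# SVIs from the thread: Vlan10 = staff /24, Vlan20 = students /23
SVIS = {"Vlan10": ipaddress.ip_network("10.1.10.0/24"),
        "Vlan20": ipaddress.ip_network("10.1.20.0/23")}

@dataclass(frozen=True)
class Packet:
    proto: str   # 'tcp', 'udp' or 'icmp'; ports and ICMP types are not modelled
    src: str
    dst: str

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _parse_addr(tokens, i):
    """Consume 'any' or 'BASE WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2

def parse_acl(text):
    """Parse the ACL subset used in the thread into tuples:
    ('evaluate', name) or (action, proto, (src, wild), (dst, wild), reflect)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] in ("!", "ip"):      # comment or 'ip access-list' header
            continue
        if t[0] == "evaluate":
            entries.append(("evaluate", t[1]))
            continue
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        reflect = t[i + 1] if i + 1 < len(t) and t[i] == "reflect" else None
        entries.append((t[0], t[1], src, dst, reflect))
    return entries

class Switch:
    """Routes between the two SVIs; ACLs are applied per (interface, direction).
    Reflexive state is a set of mirrored (proto, src, dst) keys per reflect name."""
    def __init__(self):
        self.acls, self.applied, self.sessions = {}, {}, {}

    def add_acl(self, name, text):
        self.acls[name] = parse_acl(text)

    def apply(self, intf, direction, name):   # like 'ip access-group NAME in|out'
        self.applied[(intf, direction)] = name

    def check(self, intf, direction, pkt):
        name = self.applied.get((intf, direction))
        if name is None:
            return "permit"                    # no ACL on this interface/direction
        for e in self.acls[name]:
            if e[0] == "evaluate":
                if (pkt.proto, pkt.src, pkt.dst) in self.sessions.get(e[1], set()):
                    return "permit"            # reply to a tracked session
                continue
            action, proto, (sb, sw), (db, dw), reflect = e
            if proto in ("ip", pkt.proto) and wildcard_match(pkt.src, sb, sw) \
                    and wildcard_match(pkt.dst, db, dw):
                if action == "permit" and reflect:   # record the mirrored key
                    self.sessions.setdefault(reflect, set()).add(
                        (pkt.proto, pkt.dst, pkt.src))
                return action
        return "deny"                          # implicit deny at the end of the list

    def forward(self, pkt):
        """Inbound check on the source subnet's SVI, then outbound on the destination's."""
        ingress = next(n for n, net in SVIS.items() if ipaddress.ip_address(pkt.src) in net)
        egress = next(n for n, net in SVIS.items() if ipaddress.ip_address(pkt.dst) in net)
        if self.check(ingress, "in", pkt) == "deny":
            return "deny"
        return self.check(egress, "out", pkt)

def build_stateless():
    """The two-line list from the reply, applied inbound on Vlan20 only."""
    sw = Switch()
    sw.add_acl("student2staff", """
ip access-list extended student2staff
 deny ip 10.1.20.0 0.0.1.255 10.1.10.0 0.0.0.255
 permit ip any any
""")
    sw.apply("Vlan20", "in", "student2staff")
    return sw

def build_reflexive():
    """Same inbound list with 'evaluate' ahead of the deny, plus the reflect
    list actually applied (here outbound on Vlan20, toward the students)."""
    sw = Switch()
    sw.add_acl("staff2student", """
ip access-list extended staff2student
 permit ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.1.255 reflect staffreturn
 permit ip any any
""")
    sw.add_acl("student2staff", """
ip access-list extended student2staff
 evaluate staffreturn
 deny ip 10.1.20.0 0.0.1.255 10.1.10.0 0.0.0.255
 permit ip any any
""")
    sw.apply("Vlan20", "out", "staff2student")
    sw.apply("Vlan20", "in", "student2staff")
    return sw

if __name__ == "__main__":
    staff, student = "10.1.10.7", "10.1.20.5"   # constructed sample hosts
    for label, sw in (("stateless", build_stateless()), ("reflexive", build_reflexive())):
        print(label, "student->staff:", sw.forward(Packet("tcp", student, staff)))
        print(label, "staff->student:", sw.forward(Packet("tcp", staff, student)))
        print(label, "reply student->staff:", sw.forward(Packet("tcp", student, staff)))
```

Running it shows the stateless list denying the student's reply to a staff-initiated connection, exactly the failure the reply above predicts, while the reflexive build permits that reply and still denies an unsolicited student-to-staff packet. Order matters in the inbound list: `evaluate` must sit ahead of the `deny`, because the first matching line wins.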
