Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Akbar ali Sultan
Akbar ali Sultan
Community Member
‎06-14-2016 09:52 AM
‎06-14-2016 09:52 AM

how to write ACL to allow only management Server for ACS server?

Dear All

please guide me how can i write ACL to block all other subnets except management server or magmt vlan for ACS server?

ACS server is connected to core switch,  core switch has Vlans 192.168.3.0 - 8.0 network management Vlan is 192.168.2.0 ACS server IP is 192.168.2.17 management server IP is 192.168.2.16 

Everyone's tags (1)
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
agapitca19
agapitca19
Community Member
‎06-14-2016 10:31 AM
‎06-14-2016 10:31 AM

Hi,

Hi,

If you want certain ip address(es) to manage ACS, you can do this in ACS by going to System Administration>Administrators>Settings>Access> select Allow only listed IP addresses to connect>Create>Put the ip address(es) that are permitted.

HTH,

***Please rate and mark the comment correct if you find it helpful. Thanks.***

0 Helpful
Reply
4 REPLIES
agapitca19
agapitca19
Community Member
‎06-14-2016 10:31 AM
‎06-14-2016 10:31 AM

Hi,

Hi,

If you want certain ip address(es) to manage ACS, you can do this in ACS by going to System Administration>Administrators>Settings>Access> select Allow only listed IP addresses to connect>Create>Put the ip address(es) that are permitted.

HTH,

***Please rate and mark the comment correct if you find it helpful. Thanks.***

0 Helpful
Reply
Highlighted
Akbar ali Sultan
Akbar ali Sultan
Community Member
‎06-14-2016 04:34 PM
‎06-14-2016 04:34 PM

we have ACS 4.2 version i don

we have ACS 4.2 version i don't know this option available or not, i will update you tomorrow meanwhile if you can tell me can we block access using ACL ?

0 Helpful
Reply
Akbar ali Sultan
Akbar ali Sultan
Community Member
‎06-15-2016 03:08 AM
‎06-15-2016 03:08 AM

Thank you for your great

Thank you for your great reply, its work, now can access only from management server,

but the he problem is. its showing Invalid administrator connection from another subnet is there any way to block from ACL so the traffic wont reach the interface

0 Helpful
Reply
agapitca19
agapitca19
Community Member
‎06-15-2016 05:38 PM
‎06-15-2016 05:38 PM

wow tight security policy.

wow tight security policy.

1. on the switch where the the SVI/vlan interface of the other subnet that you don't want to talk to Secure ACS server, create an extended access list.

    ip access extended [acl name or number]

    deny ip 192.168.3.0 [wildcard mask] host 192.168.2.17

    permit ip any any

2.  apply the acl you created on step 1 inbound to the SVI/vlan interface of the other subnet. For example it is on SVI/vlan interface 7.

     interface vlan 7

     ip access-group [acl name or number] in

3. wr mem

4. Just repeat the same steps above for the other subnets that you don't want to communicate with Secure ACS server. 

HTH

***Please rate and mark the comment correct if you find it helpful. Thanks.***

    

    

0 Helpful
Reply
Latest Documents
Cisco ESW-520-24P Switch Configuration
Created by Kevin DeMott on 04-19-2018 01:49 PM
0
0
0
0
We have 3 identical switches configured by someone else and would like to claim some of the Gigabit ports(G1/G2/G3/G4) for use on servers.  When we try to change the wiring and configuration, we run in to connectivity issues.  Attached is a des... view more
BGP Conditional Advertisement Feature
Created by Dennis Mink on 03-06-2018 09:17 PM
8
10
8
10
This is actually a pretty cool feature, i didn't even know it existed until I was looking for a solution to advertise a subnet (prefix in BGP talk), only if a certain condition existed. This is exactly what conditional advertisements does   "Th... view more
le router cisco 887 VA-K9 ne diffuse pas les adresses IP au reseau local
Created by mustiman on 03-05-2018 05:53 AM
5
0
5
0
Question   bonjours j ai une question j ai achete un routeur cisco 887VA-k9 , je le configuré avec la configuration ci- dessous si je le lier avec mon pc portable sur l un de ses ports directement ça marche toute est bien ( la connexion internet + m... view more
All Documents
150
Views
0
Helpful
4
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
Glimpse of "EIGRP name mode configuration"
Created by ashirkar on 10-01-2013 02:06 AM
7
74
7
74
What happens, when router receives packet?
Created by ashirkar on 10-18-2012 03:19 AM
31
49
31
49
BLOG (No Title)
Created by Akula Jyoti Lakshmi on 08-09-2011 09:13 PM
15
43
15
43
All Blogs