Catalyst 4507 Access-List question..

bchyka
Level 1

Hello... I have a question about some access lists on our core switch. We have 10 VLANs on our campus with different functions for each. I need to add an access list for VLAN 20, which is our IT dept's VLAN and where all our switches exist. I need a little help so that VLAN 20 has access to all other VLANs, but the other VLANs can't see 20. Our server VLAN is VLAN 30, so 30 may need to see 20 for DHCP, DNS, etc. Here is our current set of access-lists on our layer 3 blade:

access-list 140 permit ip any 172.16.30.0 0.0.0.255
access-list 140 permit ip any 172.16.90.0 0.0.0.255
access-list 140 permit ip any host 172.16.40.1
access-list 140 permit ip any host 172.16.45.1
access-list 140 permit ip any host 172.16.50.1
access-list 140 permit ip any host 172.16.60.1
access-list 140 permit ip any host 172.16.65.1
access-list 140 permit ip any host 172.16.70.1
access-list 140 permit ip any host 172.16.80.1
access-list 140 deny ip 172.16.45.0 0.0.0.255 any
access-list 140 deny ip 172.16.50.0 0.0.0.255 any
access-list 140 deny ip 172.16.60.0 0.0.0.255 any
access-list 140 deny ip 172.16.65.0 0.0.0.255 any
access-list 140 deny ip 172.16.70.0 0.0.0.255 any
access-list 140 deny ip 172.16.80.0 0.0.0.255 any
access-list 140 permit ip any any

access-list 145 permit ip any 172.16.30.0 0.0.0.255
access-list 145 permit ip any 172.16.90.0 0.0.0.255
access-list 145 permit ip any host 172.16.40.1
access-list 145 permit ip any host 172.16.45.1
access-list 145 permit ip any host 172.16.50.1
access-list 145 permit ip any host 172.16.60.1
access-list 145 permit ip any host 172.16.65.1
access-list 145 permit ip any host 172.16.70.1
access-list 145 permit ip any host 172.16.80.1
access-list 145 deny ip 172.16.40.0 0.0.0.255 any
access-list 145 deny ip 172.16.50.0 0.0.0.255 any
access-list 145 deny ip 172.16.60.0 0.0.0.255 any
access-list 145 deny ip 172.16.65.0 0.0.0.255 any
access-list 145 deny ip 172.16.70.0 0.0.0.255 any
access-list 145 deny ip 172.16.80.0 0.0.0.255 any
access-list 145 permit ip any any

access-list 150 permit ip any 172.16.30.0 0.0.0.255
access-list 150 permit ip any 172.16.90.0 0.0.0.255
access-list 150 permit ip any host 172.16.40.1
access-list 150 permit ip any host 172.16.45.1
access-list 150 permit ip any host 172.16.50.1
access-list 150 permit ip any host 172.16.60.1
access-list 150 permit ip any host 172.16.65.1
access-list 150 permit ip any host 172.16.70.1
access-list 150 permit ip any host 172.16.80.1
access-list 150 deny ip 172.16.40.0 0.0.0.255 any
access-list 150 deny ip 172.16.45.0 0.0.0.255 any
access-list 150 deny ip 172.16.60.0 0.0.0.255 any
access-list 150 deny ip 172.16.65.0 0.0.0.255 any
access-list 150 deny ip 172.16.70.0 0.0.0.255 any
access-list 150 deny ip 172.16.80.0 0.0.0.255 any
access-list 150 permit ip any any

access-list 160 permit ip any 172.16.30.0 0.0.0.255
access-list 160 permit ip any 172.16.90.0 0.0.0.255
access-list 160 permit ip any host 172.16.40.1
access-list 160 permit ip any host 172.16.45.1
access-list 160 permit ip any host 172.16.50.1
access-list 160 permit ip any host 172.16.60.1
access-list 160 permit ip any host 172.16.65.1
access-list 160 permit ip any host 172.16.70.1
access-list 160 permit ip any host 172.16.80.1
access-list 160 deny ip 172.16.40.0 0.0.0.255 any
access-list 160 deny ip 172.16.45.0 0.0.0.255 any
access-list 160 deny ip 172.16.50.0 0.0.0.255 any
access-list 160 deny ip 172.16.65.0 0.0.0.255 any
access-list 160 deny ip 172.16.70.0 0.0.0.255 any
access-list 160 deny ip 172.16.80.0 0.0.0.255 any
access-list 160 permit ip any any

access-list 165 permit ip any 172.16.30.0 0.0.0.255
access-list 165 permit ip any 172.16.90.0 0.0.0.255
access-list 165 permit ip any host 172.16.40.1
access-list 165 permit ip any host 172.16.45.1
access-list 165 permit ip any host 172.16.50.1
access-list 165 permit ip any host 172.16.60.1
access-list 165 permit ip any host 172.16.65.1
access-list 165 permit ip any host 172.16.70.1
access-list 165 permit ip any host 172.16.80.1
access-list 165 deny ip 172.16.40.0 0.0.0.255 any
access-list 165 deny ip 172.16.45.0 0.0.0.255 any
access-list 165 deny ip 172.16.50.0 0.0.0.255 any
access-list 165 deny ip 172.16.60.0 0.0.0.255 any
access-list 165 deny ip 172.16.70.0 0.0.0.255 any
access-list 165 deny ip 172.16.80.0 0.0.0.255 any
access-list 165 permit ip any any

access-list 170 permit ip any 172.16.30.0 0.0.0.255
access-list 170 permit ip any 172.16.90.0 0.0.0.255
access-list 170 permit ip any host 172.16.40.1
access-list 170 permit ip any host 172.16.45.1
access-list 170 permit ip any host 172.16.50.1
access-list 170 permit ip any host 172.16.60.1
access-list 170 permit ip any host 172.16.65.1
access-list 170 permit ip any host 172.16.70.1
access-list 170 permit ip any host 172.16.80.1
access-list 170 deny ip 172.16.40.0 0.0.0.255 any
access-list 170 deny ip 172.16.45.0 0.0.0.255 any
access-list 170 deny ip 172.16.50.0 0.0.0.255 any
access-list 170 deny ip 172.16.60.0 0.0.0.255 any
access-list 170 deny ip 172.16.65.0 0.0.0.255 any
access-list 170 deny ip 172.16.80.0 0.0.0.255 any
access-list 170 permit ip any any

access-list 180 permit ip any 172.16.30.0 0.0.0.255
access-list 180 permit ip any 172.16.90.0 0.0.0.255
access-list 180 permit ip any host 172.16.40.1
access-list 180 permit ip any host 172.16.45.1
access-list 180 permit ip any host 172.16.50.1
access-list 180 permit ip any host 172.16.60.1
access-list 180 permit ip any host 172.16.65.1
access-list 180 permit ip any host 172.16.70.1
access-list 180 permit ip any host 172.16.80.1
access-list 180 deny ip 172.16.40.0 0.0.0.255 any
access-list 180 deny ip 172.16.45.0 0.0.0.255 any
access-list 180 deny ip 172.16.50.0 0.0.0.255 any
access-list 180 deny ip 172.16.60.0 0.0.0.255 any
access-list 180 deny ip 172.16.65.0 0.0.0.255 any
access-list 180 deny ip 172.16.70.0 0.0.0.255 any
access-list 180 permit ip any any

The way it is supposed to be is that all other VLANs, except 20, 30 and 90 (PIX VLAN), should only be able to see themselves and VLANs 30 and 90, but none of the other VLANs. Any help is greatly appreciated... fairly new to Cisco gear.

thanks!


vkapoor5
Level 5

It is difficult to build the config without knowing the protocol/port numbers that you are using. To give you an idea, you can configure inbound ACLs on routers or SVIs on the switch for these VLANs that permit packets only to networks in VLAN 20, 30 and 90. On the router or SVI that connects to VLAN 20, you can allow only responses to traffic that originated from VLAN 20 and deny others. This will involve knowing the protocol and port numbers to build the extended ACL. For more information, you can refer to this link:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_19/config/secure.htm
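Before changing any of these lists it helps to know exactly what the current ones match. The following is an added example (not part of the thread or the Cisco documentation): a small evaluator for the plain `access-list N permit|deny ip SRC DST` syntax used in the post, applying IOS first-match semantics and the implicit deny, loaded with access-list 140 as posted. The post does not say in which direction each ACL is applied, so the evaluator only answers what a given source/destination pair matches; the host addresses in the checks are constructed.

```python
import ipaddress

# Access-list 140 copied from the question. IOS checks entries top-down, the first
# match wins, and a packet that matches nothing hits the implicit "deny ip any any".
ACL_140 = """\
access-list 140 permit ip any 172.16.30.0 0.0.0.255
access-list 140 permit ip any 172.16.90.0 0.0.0.255
access-list 140 permit ip any host 172.16.40.1
access-list 140 permit ip any host 172.16.45.1
access-list 140 permit ip any host 172.16.50.1
access-list 140 permit ip any host 172.16.60.1
access-list 140 permit ip any host 172.16.65.1
access-list 140 permit ip any host 172.16.70.1
access-list 140 permit ip any host 172.16.80.1
access-list 140 deny ip 172.16.45.0 0.0.0.255 any
access-list 140 deny ip 172.16.50.0 0.0.0.255 any
access-list 140 deny ip 172.16.60.0 0.0.0.255 any
access-list 140 deny ip 172.16.65.0 0.0.0.255 any
access-list 140 deny ip 172.16.70.0 0.0.0.255 any
access-list 140 deny ip 172.16.80.0 0.0.0.255 any
access-list 140 permit ip any any
"""

def _addr(tok):
    """Consume one IOS address spec (any | host A.B.C.D | A.B.C.D WILDCARD); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask: 0 = must match, 1 = don't care.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{netmask}", strict=False), tok[2:]

def parse_acl(text):
    """Turn 'access-list N permit|deny ip SRC DST' lines into (action, src_net, dst_net) tuples."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 5 and tok[0] == "access-list" and tok[3] == "ip":  # only the 'ip' form used in the post
            src, rest = _addr(tok[4:])
            entries.append((tok[2], src, _addr(rest)[0]))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """Return 'permit' or 'deny' for one src/dst pair: first matching entry wins, else implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"
```

Running `evaluate(parse_acl(ACL_140), "172.16.40.25", "172.16.20.10")` returns `permit`, because nothing in the list mentions 172.16.20.0/24 and the packet falls through to the final `permit ip any any`; that is the gap the question is asking how to close.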
