09-26-2003 05:22 AM - edited 03-02-2019 10:37 AM
Hello... I have a question about some access lists on our core switch. We have 10 VLANs on our campus, each with a different function. I need to add an access list for VLAN 20, which is our IT dept's VLAN and where all our switches exist. I need a little help so that VLAN 20 has access to all other VLANs, but the other VLANs can't see 20. Our server VLAN is VLAN 30, so 30 may need to see 20 for DHCP, DNS, etc. Here is our current set of access-lists on our layer 3 blade:
access-list 140 permit ip any 172.16.30.0 0.0.0.255
access-list 140 permit ip any 172.16.90.0 0.0.0.255
access-list 140 permit ip any host 172.16.40.1
access-list 140 permit ip any host 172.16.45.1
access-list 140 permit ip any host 172.16.50.1
access-list 140 permit ip any host 172.16.60.1
access-list 140 permit ip any host 172.16.65.1
access-list 140 permit ip any host 172.16.70.1
access-list 140 permit ip any host 172.16.80.1
access-list 140 deny ip 172.16.45.0 0.0.0.255 any
access-list 140 deny ip 172.16.50.0 0.0.0.255 any
access-list 140 deny ip 172.16.60.0 0.0.0.255 any
access-list 140 deny ip 172.16.65.0 0.0.0.255 any
access-list 140 deny ip 172.16.70.0 0.0.0.255 any
access-list 140 deny ip 172.16.80.0 0.0.0.255 any
access-list 140 permit ip any any
access-list 145 permit ip any 172.16.30.0 0.0.0.255
access-list 145 permit ip any 172.16.90.0 0.0.0.255
access-list 145 permit ip any host 172.16.40.1
access-list 145 permit ip any host 172.16.45.1
access-list 145 permit ip any host 172.16.50.1
access-list 145 permit ip any host 172.16.60.1
access-list 145 permit ip any host 172.16.65.1
access-list 145 permit ip any host 172.16.70.1
access-list 145 permit ip any host 172.16.80.1
access-list 145 deny ip 172.16.40.0 0.0.0.255 any
access-list 145 deny ip 172.16.50.0 0.0.0.255 any
access-list 145 deny ip 172.16.60.0 0.0.0.255 any
access-list 145 deny ip 172.16.65.0 0.0.0.255 any
access-list 145 deny ip 172.16.70.0 0.0.0.255 any
access-list 145 deny ip 172.16.80.0 0.0.0.255 any
access-list 145 permit ip any any
access-list 150 permit ip any 172.16.30.0 0.0.0.255
access-list 150 permit ip any 172.16.90.0 0.0.0.255
access-list 150 permit ip any host 172.16.40.1
access-list 150 permit ip any host 172.16.45.1
access-list 150 permit ip any host 172.16.50.1
access-list 150 permit ip any host 172.16.60.1
access-list 150 permit ip any host 172.16.65.1
access-list 150 permit ip any host 172.16.70.1
access-list 150 permit ip any host 172.16.80.1
access-list 150 deny ip 172.16.40.0 0.0.0.255 any
access-list 150 deny ip 172.16.45.0 0.0.0.255 any
access-list 150 deny ip 172.16.60.0 0.0.0.255 any
access-list 150 deny ip 172.16.65.0 0.0.0.255 any
access-list 150 deny ip 172.16.70.0 0.0.0.255 any
access-list 150 deny ip 172.16.80.0 0.0.0.255 any
access-list 150 permit ip any any
access-list 160 permit ip any 172.16.30.0 0.0.0.255
access-list 160 permit ip any 172.16.90.0 0.0.0.255
access-list 160 permit ip any host 172.16.40.1
access-list 160 permit ip any host 172.16.45.1
access-list 160 permit ip any host 172.16.50.1
access-list 160 permit ip any host 172.16.60.1
access-list 160 permit ip any host 172.16.65.1
access-list 160 permit ip any host 172.16.70.1
access-list 160 permit ip any host 172.16.80.1
access-list 160 deny ip 172.16.40.0 0.0.0.255 any
access-list 160 deny ip 172.16.45.0 0.0.0.255 any
access-list 160 deny ip 172.16.50.0 0.0.0.255 any
access-list 160 deny ip 172.16.65.0 0.0.0.255 any
access-list 160 deny ip 172.16.70.0 0.0.0.255 any
access-list 160 deny ip 172.16.80.0 0.0.0.255 any
access-list 160 permit ip any any
access-list 165 permit ip any 172.16.30.0 0.0.0.255
access-list 165 permit ip any 172.16.90.0 0.0.0.255
access-list 165 permit ip any host 172.16.40.1
access-list 165 permit ip any host 172.16.45.1
access-list 165 permit ip any host 172.16.50.1
access-list 165 permit ip any host 172.16.60.1
access-list 165 permit ip any host 172.16.65.1
access-list 165 permit ip any host 172.16.70.1
access-list 165 permit ip any host 172.16.80.1
access-list 165 deny ip 172.16.40.0 0.0.0.255 any
access-list 165 deny ip 172.16.45.0 0.0.0.255 any
access-list 165 deny ip 172.16.50.0 0.0.0.255 any
access-list 165 deny ip 172.16.60.0 0.0.0.255 any
access-list 165 deny ip 172.16.70.0 0.0.0.255 any
access-list 165 deny ip 172.16.80.0 0.0.0.255 any
access-list 165 permit ip any any
access-list 170 permit ip any 172.16.30.0 0.0.0.255
access-list 170 permit ip any 172.16.90.0 0.0.0.255
access-list 170 permit ip any host 172.16.40.1
access-list 170 permit ip any host 172.16.45.1
access-list 170 permit ip any host 172.16.50.1
access-list 170 permit ip any host 172.16.60.1
access-list 170 permit ip any host 172.16.65.1
access-list 170 permit ip any host 172.16.70.1
access-list 170 permit ip any host 172.16.80.1
access-list 170 deny ip 172.16.40.0 0.0.0.255 any
access-list 170 deny ip 172.16.45.0 0.0.0.255 any
access-list 170 deny ip 172.16.50.0 0.0.0.255 any
access-list 170 deny ip 172.16.60.0 0.0.0.255 any
access-list 170 deny ip 172.16.65.0 0.0.0.255 any
access-list 170 deny ip 172.16.80.0 0.0.0.255 any
access-list 170 permit ip any any
access-list 180 permit ip any 172.16.30.0 0.0.0.255
access-list 180 permit ip any 172.16.90.0 0.0.0.255
access-list 180 permit ip any host 172.16.40.1
access-list 180 permit ip any host 172.16.45.1
access-list 180 permit ip any host 172.16.50.1
access-list 180 permit ip any host 172.16.60.1
access-list 180 permit ip any host 172.16.65.1
access-list 180 permit ip any host 172.16.70.1
access-list 180 permit ip any host 172.16.80.1
access-list 180 deny ip 172.16.40.0 0.0.0.255 any
access-list 180 deny ip 172.16.45.0 0.0.0.255 any
access-list 180 deny ip 172.16.50.0 0.0.0.255 any
access-list 180 deny ip 172.16.60.0 0.0.0.255 any
access-list 180 deny ip 172.16.65.0 0.0.0.255 any
access-list 180 deny ip 172.16.70.0 0.0.0.255 any
access-list 180 permit ip any any
The way it is supposed to be is that all other VLANs, except 20, 30 and 90 (PIX VLAN), should only be able to see themselves and VLANs 30 and 90, but none of the other VLANs. Any help is greatly appreciated... fairly new to Cisco gear.
Thanks!
10-01-2003 11:02 AM
It is difficult to build the config without knowing the protocol/port numbers that you are using. To give you an idea, you can configure inbound ACLs on routers or SVIs on the switch for these VLANs that permit packets only to networks in VLANs 20, 30 and 90. On the router or SVI that connects to VLAN 20, you can allow only responses to traffic that originated from VLAN 20 and deny others. This will involve knowing the protocol and port numbers to build the extended ACL. For more information, you can refer to this link:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_19/config/secure.htm
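Before reworking these lists it helps to know exactly which flows the existing ones match. The evaluator below is an added example (not from either post): it parses the plain "access-list N permit|deny ip SRC DST" form used above (no protocol or port rules, which the reply notes an extended list would need) and applies IOS first-match semantics with the implicit deny over a constructed subset of list 140.

```python
import ipaddress

# Constructed subset of the poster's access-list 140 (the parser handles the full
# lists the same way); the implicit deny at the end is supplied by evaluate().
ACL_140 = """
access-list 140 permit ip any 172.16.30.0 0.0.0.255
access-list 140 permit ip any 172.16.90.0 0.0.0.255
access-list 140 permit ip any host 172.16.40.1
access-list 140 permit ip any host 172.16.45.1
access-list 140 deny ip 172.16.45.0 0.0.0.255 any
access-list 140 deny ip 172.16.50.0 0.0.0.255 any
access-list 140 permit ip any any
"""

def _take_prefix(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "addr wildcard": a wildcard is an inverted mask, so its set bits must be the low bits
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    if wildcard & (wildcard + 1):
        raise ValueError(f"non-contiguous wildcard not supported: {tokens[i + 1]}")
    prefix = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported line (only plain 'ip' rules handled): {line}")
        src, i = _take_prefix(t, 4)
        dst, _ = _take_prefix(t, i)
        rules.append((t[2], src, dst))
    return rules

def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation, as IOS does it; no match falls to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, src, dst) in enumerate(rules, 1):
        if s in src and d in dst:
            return action, n  # n is the 1-based position of the matching entry
    return "deny", None  # implicit 'deny ip any any'

if __name__ == "__main__":
    for s, d in [("172.16.45.5", "172.16.40.10"), ("172.16.40.10", "172.16.50.10")]:
        print(s, "->", d, evaluate(parse_acl(ACL_140), s, d))  # constructed flows
```

Feed each full list through it with one source/destination pair per VLAN pair to see which entry every flow actually hits before changing anything.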