Cisco Support Community
Creating access list in 3750

Hello,

I have a Vlan configuration similar to this. We have hosted very critical servers in Vlan2, and these servers should be accessible to the users in Vlan2 only, not to users from other Vlans. I want to create an access list in such a way that users in other Vlans are not able to access the servers in Vlan 2.

Thanks

Raju

interface Vlan1
 ip address 10.1.0.24 255.255.0.0
 standby preempt
 standby 1 ip 10.1.0.25
 standby 1 priority 110
!
interface Vlan2
 ip address 10.44.2.1 255.255.255.0
 description **** Business ctitical servers ###
!
interface Vlan3
 ip address 10.44.3.2 255.255.255.0
 standby preempt
 standby 3 ip 10.44.3.1
 standby 3 priority 110
!
interface Vlan4
 description **** Operation dept ****
 ip address 10.44.4.2 255.255.255.0
 ip helper-address 10.44.20.50
 standby preempt
 standby 4 ip 10.44.4.1
 standby 4 priority 110
!
interface Vlan5
 description ### Servers Vlan ###
 ip address 10.44.1.2 255.255.255.0
 standby preempt
 standby 5 ip 10.44.1.1
 standby 5 priority 110
!
interface Vlan6
 description ***IMPLEMENTATION VLAN***
 ip address 10.44.6.2 255.255.255.0
 ip helper-address 10.44.20.50
 standby preempt
 standby 6 ip 10.44.6.1
 standby 6 priority 110
!
interface Vlan7
 ip address 10.44.7.1 255.255.255.0
!
interface Vlan8
 ip address 10.44.8.1 255.255.255.0
!
interface Vlan9
 ip address 10.44.9.2 255.255.255.0
 standby preempt
 standby 9 ip 10.44.9.1
 standby 9 priority 110
!
interface Vlan10
 ip address 10.44.10.1 255.255.255.0
!
interface Vlan11
 description ***TRAINING VLAN ***
 ip address 10.44.11.2 255.255.255.0
 ip helper-address 10.44.20.50
 ip accounting output-packets
 standby preempt
 standby 11 ip 10.44.11.1
 standby 11 priority 110
!
interface Vlan20
 description ***TI-VLAN***
 ip address 10.44.20.2 255.255.255.0
 ip helper-address 10.44.20.50
 standby preempt
 standby 20 ip 10.44.20.1
 standby 20 priority 110

6 REPLIES

Re: Creating access list in 3750

Do you mean the server in VLAN 2 will be accessed by users in the VLAN only? But at the same time, will there be any application that needs to access the VLAN 2 server or users, e.g. a backup application? Or will users in VLAN 2 need to access outside VLAN 2, e.g. the Internet?

If there is no other application or server that needs to access VLAN 2, then you can simply exclude the L3 address for VLAN 2 from the routing table and leave it as an L2 VLAN only.

If only the VLAN 2 servers must not be accessible from VLANs other than VLAN 2, then simply remove the default gateway on the server, so that the server will not be able to communicate outside its subnet, i.e. it will not be able to find the next hop for a non-local subnet.

But please ensure that this is what you want, or please provide more conditions for consideration.

Hope this helps.


Re: Creating access list in 3750

Thanks Jack. I can't have a Layer 2 Vlan for Vlan2 in the 3750. It has to have the gateway, and I can't remove the gateway on the server side either. My requirement is that users in other Vlans should not be able to access (deny) the servers (10.44.2.200, 10.44.2.150) in Vlan 2.

Regards,

Raju

Re: Creating access list in 3750

Hi,

Do you need to block access to only the two servers which you specified [10.44.2.200 and 10.44.2.150], or to all the servers?

If you need to deny the traffic only to the above mentioned servers, then try using the following ACL:

ip access-list extended SERVER_ACL
 remark deny routed traffic to the two servers, let everything else through
 deny ip any host 10.44.2.200
 deny ip any host 10.44.2.150
 permit ip any any
!
! applied outbound on the SVI so it filters traffic routed into VLAN 2;
! without the final permit, the implicit deny would drop all other traffic
interface vlan 2
 ip access-group SERVER_ACL out

Please let us know what exactly you want.

Hope this helps.

Regards,

AbhisheK

Please rate all posts!


Re: Creating access list in 3750

Thanks Abhishek.

Earlier I wanted to block access to only those servers. Now I want to block access to all hosts in that Vlan (10.44.2.0/255.255.255.0) from other Vlans.

Thanks


Re: Creating access list in 3750

As others have pointed out, to be able to suggest the correct solution it is important that we understand the real and complete set of requirements. You have said that the requirement is that no one in any other VLAN should access the servers in VLAN 2. You have not told us whether servers are the only devices in VLAN 2 or whether there are some other devices in VLAN 2 which might need access. You have not told us whether there is a requirement for anything outside to be able to access the servers. And you have not told us whether the servers need to access anything outside of VLAN 2 (do they need web access outside, do they need DNS outside, do they need patches from outside, do they need data updates from outside)?

If you can help us understand the full requirements then we can suggest a better solution.

From your general description, which sounds like nothing from outside VLAN 2 should access resources inside VLAN 2, you could try something like this:

access-list 150 deny ip any any
!
interface vlan 2
 ip access-group 150 out

That will prevent any traffic from an outside address from being forwarded into vlan 2.

HTH

Rick
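A small Python model, added here and not code from any of the replies, of the two things this thread turns on: the implicit deny at the end of every IOS ACL (which bites an ACL that contains only deny entries), and the in/out direction of a router ACL on an SVI, which Rick's choice of "out" on vlan 2 relies on. The VLAN 4 user and the Internet address used as sample flows are constructed; the server addresses and subnet come from the thread.

```python
import ipaddress

# Constructed example: toy model of an IOS router ACL (RACL) on an SVI.
VLAN2 = ipaddress.ip_network("10.44.2.0/24")   # server VLAN from the post

def _match(spec, ip):
    """Address spec as written in IOS: 'any' or 'host A.B.C.D'."""
    return spec == "any" or ip == ipaddress.ip_address(spec.split()[1])

def acl_permits(acl, src, dst):
    """Top-down, first match wins; no match hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in acl:
        if _match(s, src) and _match(d, dst):
            return action == "permit"
    return False  # implicit 'deny ip any any' at the end of every IOS ACL

def svi_forwards(acl, direction, src, dst, vlan=VLAN2):
    """Is src->dst forwarded with `acl` applied `direction` on the SVI?
    'in' sees packets routed out of the VLAN, 'out' packets routed into it;
    same-subnet traffic is bridged and never checked against the RACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if (s in vlan) == (d in vlan):
        return True                      # bridged within the VLAN, no RACL
    routed_dir = "in" if s in vlan else "out"
    if routed_dir != direction:
        return True                      # ACL applied in the other direction
    return acl_permits(acl, src, dst)

# Two denies and no permit (the pitfall), the same intent with a permit
# added and applied 'out', and Rick's deny-all access-list 150 applied 'out'.
ACL_NO_PERMIT = [("deny", "any", "host 10.44.2.200"),
                 ("deny", "any", "host 10.44.2.150")]
ACL_FIXED = ACL_NO_PERMIT + [("permit", "any", "any")]
ACL_RICK = [("deny", "any", "any")]

def demo():
    """Each key is one flow; the value is whether the SVI forwards it."""
    return {
        # deny-only ACL 'in' on Vlan2: the VLAN 4 request is not even inspected...
        "nopermit_in_req_v4_to_srv": svi_forwards(ACL_NO_PERMIT, "in", "10.44.4.20", "10.44.2.200"),
        # ...but the reply, and ALL other traffic leaving VLAN 2, hits the implicit deny
        "nopermit_in_reply_srv_to_v4": svi_forwards(ACL_NO_PERMIT, "in", "10.44.2.200", "10.44.4.20"),
        "nopermit_in_v2_to_internet": svi_forwards(ACL_NO_PERMIT, "in", "10.44.2.10", "203.0.113.9"),
        # with the permit and applied 'out', only the two servers are shielded
        "fixed_out_v4_to_srv": svi_forwards(ACL_FIXED, "out", "10.44.4.20", "10.44.2.200"),
        "fixed_out_v4_to_other_v2_host": svi_forwards(ACL_FIXED, "out", "10.44.4.20", "10.44.2.50"),
        "fixed_out_v2_to_srv": svi_forwards(ACL_FIXED, "out", "10.44.2.10", "10.44.2.200"),
        # Rick's deny-all 'out' blocks everything routed into VLAN 2
        "rick_out_v4_to_any_v2": svi_forwards(ACL_RICK, "out", "10.44.4.20", "10.44.2.50"),
    }
```

Note that the model only covers routed traffic through one SVI; a VLAN 2 server that initiates its own connections outward (patches, DNS) still needs the requirements Rick asks about before the deny-all is safe.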
