Im a little confused on the WWW access part.If i put a statement in such as:

access-list 101 permit tcp any any eq www it allows all the www traffic even from the 10.0.x.x subnet.

i even tried adding:

access-list 101 deny ip 10.0.0.0 0.0.0.255 any

and this did not seem to work. any suggests are greatly appreciated.

Hi Brook,

I did not understand exactly what is your question. Can you clarify it, a little more?

You can not regulate communication between hosts on the same subnet with regular access-list (applied to a L3 interface) because this communication is not going acceross that L3 interface.

You have to use VLAN access-list (VACL). You can read more about VACLs on:

http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e70d.html#wp1061021

I hope this will help you.

Best Regards,

Srdja

ok let met explain my goals here (as i am obviously lost)...

I have 3 vlans

Vlan 1 Production Network 10.0.x.x

Vlan 2 DMZ 192.168.1.x

Vlan 3 Public Wireless 192.168.2.x

Vlan 2 needs to communicate with all Web traffic and should only communicate with Vlan to do the following

192.168.1.21 should be able to access 10.0.0.150 on port 25.

similiarly 192.168.1.21 should be able to access 10.0.0.36 on ports 389, 636, 3268, 3269

VLAN 3 should not be able to communicate with any of the other VLANs but should provide full external access (i.e. www, ftp, smtp, etc)

Brook

I suspect that we need to think a bit more carefully about what the requirements are. When we really understand the full set of requirements we will be able to better construct the logic to implement the requirements.

For example you mention some ports that need to communicate but have not specified if these are UDP, are TCP, or are both? You have identified one machine in VLAN2 that should communicate with two hosts (192.168.1.21 should communicate with 10.0.0.150 and 10.0.0.36). Is that host to be able to communicate with any other addresses? Are there any other machines on that VLAN that should be able to communicate with anything? You probably also need to think about whether there are other services such as DNS that they need to access.

Once you have thought through and answered these questions we can start to construct the access lists that will accomplish what you want.

HTH

Rick

Rick,

Thanks so much for the insight. Let me try and clarify

192.168.1.21 needs to be able to go to 10.0.0.150 on tcp port 25 (for smtp)

192.168.1.21 needs to tcp to 10.0.0.36 for tcp ports 389, 636, 3268,3269

the entire 192.168.1.x range needs access to the internet, but should not access anything else in the 10.0.x.x range

the 192.168.2.x should only go to the internet and should not have access to 10.0.x.x or 192.168.1.x

i have constructed this acl and applied it ingress, it seems to work, but i am not sure why it only works ingress, i would think it work for outbound instead.

access-list 101 remark regulate traffic for dmz_192.168.1.x applied in

access-list 101 permit tcp host 192.168.1.21 host 10.0.0.150 eq smtp

access-list 101 permit tcp host 192.168.1.21 host 10.0.0.36 eq 389

access-list 101 permit tcp host 192.168.1.21 host 10.0.0.36 eq 636

access-list 101 permit tcp host 192.168.1.21 host 10.0.0.36 eq 3268

access-list 101 permit tcp host 192.168.1.21 host 10.0.0.36 eq 3269

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.1 0.0.0.255

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip any any

access-list 102 remark regulate traffic for public_wireless_192.168.2.x applied in

access-list 102 deny ip 192.168.2.0 0.0.0.255 10.0.0.1 0.0.0.255

access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 102 permit ip any any

vlan 2

ip access-group 101 in

vlan 3

ip access-group 102 in

thanks for the help again, let me know what you think.

Brook

I agree with you that if access list is specifying 192.168.1.0 as the source address (which it does) and is applied inbound to interface vlan2 that it would logically be an outbound filter. Are you saying that you have tested it and it does prevent 192.168.1.x stations from accessing 10.0.0.0 and 192.168.2.0 addresses?

HTH

Rick

the access list works perfect when applied as ip access-group 101 in....

I am curious though why its working, since im specifying it as in and the traffic originates at 192.168.1.0 to 10.0.0.150 shouldnt it logically go the other way around in the statement?