Extended Access-list Problem

I am having trouble getting an extended access-list to work. I am wanting to apply the ACL to a vlan A. Vlan A needs access to the Internet and several servers in another vlan, vlan B. The problem I am having is how do I allow access to just the DNS, HTTP, and DHCP servers in vlan B and not the rest of the IPs in vlan B?

3 REPLIES
Cisco Employee

Re: Extended Access-list Problem

Hello randyclark,

Can you attach topology, IP addressing, and requirements, and we can surely assist building ACLs.

New Member

Re: Extended Access-list Problem

Vlan3 has the DNS, Web Server, DHCP and other servers. Vlan2 will have hosts that will only need access to the DHCP and DNS servers but not the rest of the hosts in vlan3. The Internet traffic is on a separate Vlan4. All other subnets on campus are denied.

Vlan 2 - 192.168.30.0 (Vlan with hosts that need limited access)

Vlan 3 - 192.168.192.0 (Server Vlan)

Vlan 4 - 192.168.10.4 -> Internet

Cisco Employee

Re: Extended Access-list Problem

Hello randyclark,

Conceptually the ACL will look like

access-list 100 permit udp 192.168.30.0 0.0.0.255 host w.x.y.z eq 53 (where w.x.y.z = DNS server)

access-list 100 permit tcp 192.168.30.0 0.0.0.255 host w.x.y.z eq 80 (where w.x.y.z = Web server)

access-list 100 permit udp any eq 68 any eq 67

access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.192.0 0.0.0.255

access-list 100 permit ip any any

Looks like you may be able to nail dhcp acl even further. This is the only thing I am not 100% sure about. Take a look at

http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol

Hope this helps! If so, please rate.

Thanks
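To see how the ACL above actually classifies traffic, here is a small first-match simulator of access-list 100, written as an added example rather than anything from the original thread. It assumes placeholder addresses for the two "w.x.y.z" servers and a handful of constructed sample packets from a vlan 2 host, including the DHCP DISCOVER sent from source 0.0.0.0, which is why the reply needs the "udp any eq 68 any eq 67" entry instead of a 192.168.30.0-sourced one.

```python
import ipaddress

# Placeholder addresses standing in for the reply's w.x.y.z (constructed, not from the thread).
DNS_SERVER = "192.168.192.10"
WEB_SERVER = "192.168.192.20"

def in_range(addr, base, wildcard):
    """Cisco wildcard match: a 1 bit in the wildcard is a don't-care bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (a & care) == (b & care)

# access-list 100 from the reply, as (action, proto, src, src_wc, sport, dst, dst_wc, dport).
# "host x" is wildcard 0.0.0.0, "any" is 0.0.0.0 255.255.255.255, None means no port test.
ACL_100 = [
    ("permit", "udp", "192.168.30.0", "0.0.0.255", None, DNS_SERVER, "0.0.0.0", 53),
    ("permit", "tcp", "192.168.30.0", "0.0.0.255", None, WEB_SERVER, "0.0.0.0", 80),
    ("permit", "udp", "0.0.0.0", "255.255.255.255", 68, "0.0.0.0", "255.255.255.255", 67),
    ("deny", "ip", "192.168.30.0", "0.0.0.255", None, "192.168.192.0", "0.0.0.255", None),
    ("permit", "ip", "0.0.0.0", "255.255.255.255", None, "0.0.0.0", "255.255.255.255", None),
]

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; every IOS ACL ends with an implicit deny ip any any."""
    for action, p, s, swc, sp, d, dwc, dp in acl:
        if p != "ip" and p != proto:
            continue
        if not in_range(src, s, swc) or not in_range(dst, d, dwc):
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        return action
    return "deny"

# Constructed sample packets as seen inbound on the vlan 2 interface.
SAMPLES = {
    "dns query": ("udp", "192.168.30.15", 50000, DNS_SERVER, 53),
    "web to web server": ("tcp", "192.168.30.15", 50001, WEB_SERVER, 80),
    "dhcp discover": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "ssh to other vlan3 host": ("tcp", "192.168.30.15", 50002, "192.168.192.50", 22),
    "dns to other vlan3 host": ("udp", "192.168.30.15", 50003, "192.168.192.50", 53),
    "internet http": ("tcp", "192.168.30.15", 50004, "203.0.113.8", 80),
}

def check_all():
    return {name: evaluate(ACL_100, *pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name:25s} {verdict}")
```

Running it also makes the trailing "permit ip any any" visible: anything not aimed at vlan 3, including the other campus subnets the poster wants denied, is permitted, so those subnets would need their own deny entries placed before that final line.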
