Cisco Support Community

New Member

ACCESS LIST BETWEEN VLANS

Dear all,

I have a Cisco 6500 switch with multiple VLANs.

My server VLAN is in HSRP, i.e. VLAN ID 128, and my user VLANs are in GLBP, i.e. VLAN ID 192.

My server IP address VLAN range is 128.20.0.0/16,

and the user VLAN is 192.168.X.X/24.

I want to achieve the following:

I have one server, 128.20.0.166. Currently all users are able to access it directly; now I want to block direct access to it

from my user VLAN.

Can someone guide me on which type of access list I have to create, with the commands, and where I have to apply it to achieve this?

5 REPLIES
Hall of Fame Super Silver

Re: ACCESS LIST BETWEEN VLANS

Hello Jitendra,

There is more than one way to achieve what you want.

Your scenario should be:

Servers vlan VL128 ---- SVI_Vlan128 === SVI_Vlan192 --- Clients Vlan Vlan 192

The correct tool is an extended IP ACL, which allows you to specify a source and destination and L4 information such as TCP or UDP and ports.

Let's suppose the server 128.20.0.166 is open on TCP port T.

You can apply the ACL inbound on SVI Vlan128:

conf t
! extended ACL: deny the server's replies sourced from port T toward the client subnet, permit everything else
access-list 121 deny tcp host 128.20.0.166 eq T 192.168.X.0 0.0.0.255
access-list 121 permit ip any any

where T is only there to represent the service port number.

Notice that the TCP port follows the server: the port used on the clients is dynamically negotiated, so it cannot be matched.

! applying the ACL inbound on the server SVI (traffic entering the switch from VLAN 128)
int vlan 128
ip access-group 121 in

Other choices are possible.

Hope this helps,

Giuseppe

New Member

Re: ACCESS LIST BETWEEN VLANS

I have created the access list below:

ip access-list extended serveracl
 10 deny ip 192.168.1.31 0.0.0.255 host 128.20.0.166
 20 permit ip any any

applied to VLAN 128 out.

I have also tried as below:

ip access-list extended serveracl
 10 deny ip 192.168.1.31 0.0.0.224 host 128.20.0.166
 20 permit ip any any

It has blocked the entire 192.168.1.0 range.

Now tell me, what is my mistake?

Silver

Re: ACCESS LIST BETWEEN VLANS

"10 deny ip 192.168.1.31 0.0.0.255 host 128.20.0.166"

If 192.168.1.31 is your IP, then 0.0.0.255 is not correct; it should be 0.0.0.0. Here you are blocking just 192.168.1.31.

If it is 192.168.1.0, then it can be 0.0.0.255. Here you are blocking all the hosts on the 192.168.1.0 network.

New Member

Re: ACCESS LIST BETWEEN VLANS

I want to block the range 192.168.1.31 to 192.168.1.255.

Everything between 192.168.1.1 and 192.168.1.30 should be allowed.

Silver

Re: ACCESS LIST BETWEEN VLANS

Then you can use 192.168.1.0 0.0.0.31.

This will allow 192.168.1.1-31 and block the rest.
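Wildcard-mask arithmetic is easy to get backwards, so here is an added example (not code from any post in this thread) that evaluates each source/wildcard pair proposed above against the 192.168.1.0/24 client subnet, derives the entries needed to deny exactly 192.168.1.31 through 192.168.1.255 toward the server, and runs packets through the resulting ACL with IOS first-match and implicit-deny semantics. The addresses, the ACL name serveracl and Giuseppe's ACL 121 come from the thread; the function names, the Ace type and port 80 standing in for the service port T are assumptions of the example.

```python
"""Offline evaluator for Cisco IOS wildcard masks and extended ACL entries.

Added example for this thread, not code from the original posts. The client
subnet, the server 128.20.0.166 and the ACL name "serveracl" come from the
thread; the helper names and port 80 (standing in for "T") are assumptions.
"""
from ipaddress import IPv4Address
from typing import List, NamedTuple, Optional, Tuple


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr falls inside network/wildcard (0 bit = must match, 1 bit = don't care)."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0


class Ace(NamedTuple):
    """One access-control entry; a port of None means 'any port'."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def acl_verdict(acl: List[Ace], src: str, dst: str, proto: str = "tcp",
                src_port: Optional[int] = None, dst_port: Optional[int] = None) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny, as on IOS."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.src_port is not None and ace.src_port != src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        if wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def range_to_wildcards(first: str, last: str) -> List[Tuple[str, str]]:
    """Cover an inclusive address range with the fewest (network, wildcard) pairs.

    Greedy: at each step take the largest power-of-two block that starts aligned
    at the current address and does not run past `last`.
    """
    cur, end = int(IPv4Address(first)), int(IPv4Address(last))
    blocks = []
    while cur <= end:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        blocks.append((str(IPv4Address(cur)), str(IPv4Address(size - 1))))
        cur += size
    return blocks


def build_block_acl(name: str, first: str, last: str, server: str) -> Tuple[List[str], List[Ace]]:
    """Return IOS config lines and the equivalent Ace list that deny first..last -> server."""
    lines = [f"ip access-list extended {name}"]
    aces = []
    seq = 10
    for net, wild in range_to_wildcards(first, last):
        src_txt = f"host {net}" if wild == "0.0.0.0" else f"{net} {wild}"
        lines.append(f" {seq} deny ip {src_txt} host {server}")
        aces.append(Ace("deny", "ip", net, wild, server, "0.0.0.0"))
        seq += 10
    lines.append(f" {seq} permit ip any any")
    aces.append(Ace("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"))
    return lines, aces


if __name__ == "__main__":
    # The three source/wildcard pairs posted in the thread, checked against the whole /24.
    for net, wild in (("192.168.1.31", "0.0.0.255"), ("192.168.1.31", "0.0.0.224"), ("192.168.1.0", "0.0.0.31")):
        hit = [h for h in range(256) if wildcard_match(f"192.168.1.{h}", net, wild)]
        print(f"{net} {wild}: matches {len(hit)} hosts, e.g. {hit[:8]}")
    cfg, acl = build_block_acl("serveracl", "192.168.1.31", "192.168.1.255", "128.20.0.166")
    print("\n".join(cfg))
    for host in ("192.168.1.30", "192.168.1.31", "192.168.1.200"):
        print(host, "->", acl_verdict(acl, host, "128.20.0.166", "tcp", dst_port=80))
```

Running it prints, for each pair posted above, how many of the 256 addresses in 192.168.1.0/24 it really covers, then the ACL the requested range needs. An aligned block of 2^n addresses maps to a wildcard of 2^n - 1, so a range that starts at .31 cannot be expressed as one entry; the greedy decomposition yields .31 as a host entry plus three aligned blocks (.32-.63, .64-.127, .128-.255). The same Ace and acl_verdict helpers can be used to check Giuseppe's inbound ACL 121, which matches on the server's source port rather than the client's.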
