Access list between VLANs

Dear all,

I have a Cisco 6500 switch with multiple VLANs.

My server VLANs are in HSRP, i.e. VLAN ID 128, and my user VLANs are in GLBP, i.e. VLAN ID 192.

My server VLAN IP address range is 128.20.0.0/16

and the user VLANs are 192.168.X.X/24.

I want to achieve the following:

I have one server, 128.20.0.166; currently all users are able to access it directly. Now I want to block direct access to it

from my user VLAN.

Can someone guide me on which type of access list I have to create, with the commands, and where I have to apply it to achieve this?


Giuseppe Larosa
Hall of Fame

Hello Jitendra,

There are several ways to achieve what you want.

Your scenario should be:

Servers vlan VL128 ---- SVI_Vlan128 === SVI_Vlan192 --- Clients Vlan Vlan 192

The correct tool is an extended IP ACL, which allows you to specify a source and a destination as well as L4 information such as TCP or UDP and ports.

Let's suppose the server 128.20.0.166 is open on TCP port T.

You can apply the ACL inbound on SVI Vlan128:

conf t

access-list 121 deny tcp host 128.20.0.166 eq T 192.168.X.0 0.0.0.255

access-list 121 permit ip any any

where T is only there to represent the service port number.

Notice that the TCP port follows the server: the port used on the clients is dynamically negotiated so it cannot be matched.

! applying the ACL inbound

int vlan 128

ip access-group 121 in

Other choices are possible.

Hope to help

Giuseppe

I have created the access list below:

ip access-list extended serveracl

10 deny ip 192.168.1.31 0.0.0.255 host 128.20.0.166

20 permit ip any any

applied to VLAN 128 out.

I have also tried as below:

ip access-list extended serveracl

10 deny ip 192.168.1.31 0.0.0.224 host 128.20.0.166

20 permit ip any any

It has blocked the entire 192.168.1.0 range.

Now tell me, what is my mistake?

"10 deny 192.168.1.31 0.0.0.255 host 128.20.0.166"

If 192.168.1.31 is your IP, then 0.0.0.255 is not correct; it should be 0.0.0.0. Here you are blocking just 192.168.1.31.

If it is 192.168.1.0, then it can be 0.0.0.255. Here you are blocking all the hosts on the 192.168.1.0 network.

I want to block the range 192.168.1.31 to 192.168.1.255.

192.168.1.1 to 192.168.1.30 should be allowed.

Then you can use 192.168.1.0 0.0.0.31.

This will allow 192.168.1.1-31 and block the rest.
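The whole thread turns on how IOS wildcard masks and first-match ACL evaluation work: Giuseppe's extended ACL, the two attempts with 0.0.0.255 and 0.0.0.224, and the 192.168.1.0 0.0.0.31 suggestion. The following is an added example (not code from the thread or from Cisco) that reproduces the wildcard-mask comparison and the first-match, implicit-deny evaluation in plain Python, then runs the thread's entries against every address in 192.168.1.0/24 to show exactly which sources each one stops from reaching 128.20.0.166. The Ace class, the ANY tuple and the evaluate/denied_sources helpers are this example's own constructions; only the addresses and wildcards come from the thread.

```python
import ipaddress
from dataclasses import dataclass


def _to_int(addr):
    """IPv4 dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask semantics: a 0 bit in the wildcard means 'this bit
    must equal the base', a 1 bit means 'don't care'. Only the 0 bits are
    compared, so the wildcard is the bitwise inverse of a subnet mask."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


@dataclass(frozen=True)
class Ace:
    """One entry of an extended IP ACL (protocol 'ip' only; ports are not modelled).
    Constructed for this example, not an IOS data structure."""
    action: str      # 'permit' or 'deny'
    src: str
    src_wc: str
    dst: str
    dst_wc: str


# What the keyword 'any' expands to: base 0.0.0.0, every bit a don't-care.
ANY = ("0.0.0.0", "255.255.255.255")


def evaluate(acl, src, dst):
    """Walk the entries top to bottom; the first match decides.
    Every IOS ACL ends with an implicit 'deny', so no match means deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def denied_sources(acl, network, dst):
    """Every address in `network` (network and broadcast included) that the
    ACL stops from reaching `dst`, in ascending order."""
    return [str(a) for a in ipaddress.ip_network(network)
            if evaluate(acl, str(a), dst) == "deny"]


# Addresses from the thread; the ACLs below are constructed from its entries.
SERVER = "128.20.0.166"
CLIENT_NET = "192.168.1.0/24"
PERMIT_ANY = Ace("permit", *ANY, *ANY)

# First attempt in the thread: a host address combined with a /24 wildcard.
ACL_HOST_WITH_255 = [Ace("deny", "192.168.1.31", "0.0.0.255", SERVER, "0.0.0.0"), PERMIT_ANY]
# The single-host form suggested in reply (wildcard 0.0.0.0, i.e. 'host').
ACL_SINGLE_HOST = [Ace("deny", "192.168.1.31", "0.0.0.0", SERVER, "0.0.0.0"), PERMIT_ANY]
# Second attempt: wildcard 0.0.0.224 leaves the low five bits of the last octet as 'must match'.
ACL_WC_224 = [Ace("deny", "192.168.1.31", "0.0.0.224", SERVER, "0.0.0.0"), PERMIT_ANY]
# The 0.0.0.31 suggestion, written as permit-then-deny so the rest of the /24 is blocked.
ACL_LOW_BLOCK = [
    Ace("permit", "192.168.1.0", "0.0.0.31", SERVER, "0.0.0.0"),
    Ace("deny", "192.168.1.0", "0.0.0.255", SERVER, "0.0.0.0"),
    PERMIT_ANY,
]

if __name__ == "__main__":
    for name, acl in [("host + 0.0.0.255", ACL_HOST_WITH_255),
                      ("host + 0.0.0.0", ACL_SINGLE_HOST),
                      ("host + 0.0.0.224", ACL_WC_224),
                      ("permit 0.0.0.31 then deny", ACL_LOW_BLOCK)]:
        denied = denied_sources(acl, CLIENT_NET, SERVER)
        print(f"{name}: {len(denied)} sources denied; first {denied[:2]}, last {denied[-1]}")
```

Running it shows the arithmetic behind the replies: with 0.0.0.255 the base's last octet is ignored, so all 256 addresses of the /24 are denied; with 0.0.0.0 only 192.168.1.31 is; with 0.0.0.224 every address whose last octet has its low five bits set (.31, .63, ..., .255) matches, because a wildcard does not have to be contiguous; and 192.168.1.0 0.0.0.31 covers .0 through .31, since a wildcard always selects a power-of-two block aligned on the base, which is why a range such as .1 to .30 cannot be expressed by a single entry. Also keep the direction in mind when applying the ACL: on an SVI, "in" matches packets arriving from that VLAN's hosts and "out" matches packets leaving toward them, which is why Giuseppe's inbound entry on Vlan128 names the server as the source while the outbound entry in the follow-up names the client range as the source.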
