ACL

itdsmartnet
Level 1

Hi, I have different VLANs on my network and inter-VLAN routing is working fine. In VLAN 103 there are different servers; I only want certain IPs to telnet to these servers within VLAN 103. How can I do that?

Thanks


10 Replies

Jon Marshall
Hall of Fame

Waseem

Use an outbound ACL on the VLAN 103 interface, e.g.

IPs allowed to telnet to servers = 192.168.5.10, 11

IPs of servers = 172.16.5.3, 4

access-list 101 permit tcp host 192.168.5.10 host 172.16.5.3 eq telnet
access-list 101 permit tcp host 192.168.5.10 host 172.16.5.4 eq telnet
access-list 101 permit tcp host 192.168.5.11 host 172.16.5.3 eq telnet
access-list 101 permit tcp host 192.168.5.11 host 172.16.5.4 eq telnet
access-list 101 deny tcp any host 172.16.5.3 eq telnet
access-list 101 deny tcp any host 172.16.5.4 eq telnet
access-list 101 permit ip any any

Note the last line - without it all other non-telnet traffic going to servers on VLAN 103 would be dropped.

int vlan 103
ip access-group 101 out

Jon

Hi Jon,

My problem is that I want to restrict users within the same VLAN too. Only certain IPs should be allowed to telnet to the servers. Those IPs are in the same VLAN, i.e. VLAN 103, and the server is also on VLAN 103.

Thanks

What device are you using as your switch?

Jon

Waseem,

Assuming you're using an MLS.

For restricting access within the same VLAN, you'll need to configure a VLAN access-map to restrict access within the same VLAN.

For example, let's say on VLAN 103 you don't want the host 192.168.10.2 to telnet to the server 192.168.10.1.

#configure ACLs

access-list 101 permit tcp host 192.168.10.2 host 192.168.10.1 eq telnet
access-list 1 permit any

#configure VLAN access-map (<map-name> is a placeholder for the name you choose)

vlan access-map <map-name> 10
match ip address 101
action drop
vlan access-map <map-name> 20
match ip address 1
action forward

#Apply the VLAN filter to VLAN 103

vlan filter <map-name> vlan-list 103

HTH

Lejoe

Hi Lejoe,

My scenario is a bit different: I only want two IPs to telnet to the server, and the rest of the IPs to access the server as they normally do. The IPs which telnet to the server will also access the server for other services.

Hi Waseem,

In that case, all you have to do is write the appropriate access-list.

Pseudo code would be:

1) Access-list for IPs that require telnet traffic (use an extended access-list to specify the traffic type, i.e. telnet access), e.g. 101

2) Access-list matching all other IPs requiring normal access, e.g. 102

#VACL pseudo code (XXXXX is the access-map name)

vlan access-map XXXXX 10
match ip address 101
action forward
vlan access-map XXXXX 20
match ip address 102
action forward

Because of the implicit deny at the end of the VACL, your requirement is achieved.

HTH

Lejoe

Hi,

The access-list matching all other traffic, i.e. "102", will also do telnet, but it should not be allowed to telnet. Access list 102 should not be allowed to telnet but should do everything except telnet. How can I accomplish this?

Thanks

Waseem

hosts allowed to telnet to servers = 192.168.5.10, 11

servers that allow telnet = 192.168.5.3, 4

access-list 101 permit tcp host 192.168.5.10 host 192.168.5.3 eq telnet
access-list 101 permit tcp host 192.168.5.10 host 192.168.5.4 eq telnet
access-list 101 permit tcp host 192.168.5.11 host 192.168.5.3 eq telnet
access-list 101 permit tcp host 192.168.5.11 host 192.168.5.4 eq telnet

access-list 102 deny tcp 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255 eq telnet

access-list 103 permit ip any any

vlan access-map filter_1 10
match ip address 101
action forward
vlan access-map filter_1 20
match ip address 102
action drop
vlan access-map filter_1 30
match ip address 103
action forward

Jon

Waseem

Appreciate the rating, but I made a typo, so could you change

access-list 102 deny tcp 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255 eq telnet

to

access-list 102 permit tcp 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255 eq telnet

Apologies for that.

Jon
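To see why that typo matters, here is an added Python model (not code from the thread) of how a VACL walks its sequences: a deny entry in the ACL named by `match ip address` means "not matched", so with `deny` in ACL 102 a telnet attempt from a host that is not on the allow list falls through to sequence 30 and is forwarded, while with `permit` it hits sequence 20 and is dropped. The host 192.168.5.20 and the packet tuples are constructed test inputs.

```python
import ipaddress

TELNET = 23

def ace_matches(ace, pkt):
    """One access-list entry: (action, proto, src_net, dst_net, dport|None)."""
    _action, proto, src, dst, dport = ace
    return (proto in ("ip", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst)
            and (dport is None or dport == pkt["dport"]))

def acl_matches(acl, pkt):
    """First-match lookup. Under 'match ip address' only a permit hit counts
    as a match; a deny hit, or no hit at all, means 'not matched'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0] == "permit"
    return False

def vacl_action(access_map, acls, pkt):
    """Sequences are tried in order and the first matching one wins.
    If no sequence matches, the VACL's implicit deny drops the packet."""
    for _seq, acl_no, action in access_map:
        if acl_matches(acls[acl_no], pkt):
            return action
    return "drop"

LAN, ANY = "192.168.5.0/24", "0.0.0.0/0"
ACL_101 = [("permit", "tcp", "192.168.5.10/32", "192.168.5.3/32", TELNET),
           ("permit", "tcp", "192.168.5.10/32", "192.168.5.4/32", TELNET),
           ("permit", "tcp", "192.168.5.11/32", "192.168.5.3/32", TELNET),
           ("permit", "tcp", "192.168.5.11/32", "192.168.5.4/32", TELNET)]
ACL_102_TYPO = [("deny", "tcp", LAN, LAN, TELNET)]    # as first posted
ACL_102_FIXED = [("permit", "tcp", LAN, LAN, TELNET)]  # after the correction
ACL_103 = [("permit", "ip", ANY, ANY, None)]
FILTER_1 = [(10, 101, "forward"), (20, 102, "drop"), (30, 103, "forward")]

def check(acl_102):
    """Outcomes for (allowed telnet, stray telnet, stray http) with one ACL 102.
    Constructed packets; 192.168.5.20 is a host that is not on the allow list."""
    acls = {101: ACL_101, 102: acl_102, 103: ACL_103}
    allowed = {"proto": "tcp", "src": "192.168.5.10", "dst": "192.168.5.3", "dport": TELNET}
    stray = {"proto": "tcp", "src": "192.168.5.20", "dst": "192.168.5.3", "dport": TELNET}
    web = {"proto": "tcp", "src": "192.168.5.20", "dst": "192.168.5.3", "dport": 80}
    return tuple(vacl_action(FILTER_1, acls, p) for p in (allowed, stray, web))
```

`check(ACL_102_TYPO)` forwards all three packets, so the stray telnet gets through; `check(ACL_102_FIXED)` drops only the stray telnet and still forwards the stray host's HTTP.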

Hi,

If this is a 6500/7600, then you could use the VACL feature to filter traffic within a VLAN. More information in the URL below:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html

Regards,

Arul

*Pls rate if it helps*
