VLAN ACL Configuration Help.

I have a Cisco 4503 switch with Catalyst 2960G attached to it.  I also have 2 different VLAN's that I want to use ACL's to control traffic.  

Server VLAN 10
Client Computer VLAN 15

I want to allow VLAN 15 access to the VLAN 10 with access to only the following ports (TCP and UDP): 80, 443, 53, 3389, 1494, 135 - 139
*ANY access to IP 10.0.0.4
*LDAP access to IP 10.0.0.2
*LDAP access to IP 10.0.0.5
*Kerberos access to IP 10.0.0.2
*Kerberos access to IP 10.0.0.5

I'm not sure what commands to use to create this config.  Thanks for the help!
SihleInsAsked:
Who is Participating?
 
MikeKaneConnect With a Mentor Commented:



On VLAN 10 add:  

ip access-group 100 in



And the access group would look like

access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 80
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 443
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 53
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 3389
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 1494
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 135
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 136
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 137
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 138
access-list 100 permit tcp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 139

access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 80
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 443
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 53
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 3389
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 1494
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 135
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 136
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 137
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 138
access-list 100 permit udp <IP subnet of vlan 15>  <MAsk>  <IPSUbnet of vlan 10> <Mask> eq 139



For the rest of these, I assumed the IP's were hosts in the VLAN 10 server subnet.  

access-list 100 permit ip any host 10.0.0.4

Note: Ldap uses 636 or 389 depending on whether or not its a secure channel
access-list 100 permit tcp any host 10.0.0.2 eq 636
access-list 100 permit tcp any host 10.0.0.5 eq 636
access-list 100 permit tcp any host 10.0.0.2 eq 389
access-list 100 permit tcp any host 10.0.0.5 eq 389

Note: according to http://support.microsoft.com/kb/832017   Kerberos requires tcp udp 88
access-list 100 permit tcp any host 10.0.0.2 eq 88
access-list 100 permit tcp any host 10.0.0.5 eq 88

access-list 100 permit udp any host 10.0.0.2 eq 88
access-list 100 permit udp any host 10.0.0.5 eq 88





And I think that would cover it.    


access-list 100 permit ip
0
 
MikeKaneCommented:
Opps - I left that last line in there - you dont need it.  
access-list 100 permit ip
0
 
SihleInsAuthor Commented:
Thanks for your help.  I would assume that there is always a deny all at the end which means I would have to add these same commands to the ACL for additonal VLAN to have to VLAN 10.  Is that correct?  email me back at WPlotkin@Sihle.com
0
 
MikeKaneCommented:
This is filtering inbound to vlan 10 so you would need to add new lines if you had additonal subnet to allow into vlan 10.....
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.