How can I restrict the traffic on a VLAN for specific IP addresses?

EidMajdi
I want to restrict one VLAN to reach and access 3 IPs only. I have a Cisco switch; when I apply the access list it denies and blocks everything:

Extended IP access list VLN61
    37 deny tcp any any eq 22
    40 deny tcp any any eq 3389
    45 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.230 (327 matches)
    50 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.231 (264 matches)
    55 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.232 (516 matches)

Don Johnston (Instructor)

Commented:
What model switch? How is the ACL applied?

Please post your configuration.

Author

Commented:
The switch is a WS-C4510R; the access list is applied on the VLAN interface itself.
Don Johnston (Instructor)

Commented:
Please post your configuration.

In which direction is it applied?

Author

Commented:
I tried both directions, in and out:

interface Vlan61
 ip address 10.20.61.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 61 ip 10.20.61.254
 standby 61 priority 110
 standby 61 preempt


ip access-list extended VLN61
 deny   tcp any any eq 22
 deny   tcp any any eq 3389
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.230
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.231
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.232

Commented:
Try rewriting it this way:

ip access-list extended VLN61
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.230
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.231
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.232
 deny   tcp any any eq 22
 deny   tcp any any eq 3389
 permit ip any any

Author

Commented:
Thanks for the reply. I want them to reach only the 3 IPs mentioned, and anything else blocked.

Commented:
Yes, the permit any any is needed since you already stated a deny statement; if you are putting in a deny statement, the permit any any is required.

Author

Commented:
Okay, thanks. Which is better, to apply it on the IN side or the OUT side?
Commented:
On the VLAN interface, and it is IN.
Don Johnston (Instructor)

Commented:
The permit any any at the end is not needed unless you want to allow all traffic except TCP ports 22 and 3389.

Author

Commented:
It's not working; it's allowing them to see other IP addresses.
Don Johnston (Instructor)

Commented:
Please define "see" (other ip addresses).

What, exactly, are you trying to accomplish with your ACL?

Author

Commented:
Well, what I want with this access list is to block all traffic and ports to this VLAN and only allow them to reach my ISA and DNS servers. I want to separate them from my internal network and servers; I don't want them to telnet or remote-access anything inside my network, only browsing.
Don Johnston (Instructor)

Commented:
> Well, what I want with this access list is to block all traffic and ports to this VLAN and only allow them to reach my ISA and DNS servers

ISA for what type of traffic? Extended ACLs can be very specific. Do you want to only allow web traffic?

Is the DNS also being done on your server or are you using an external DNS?

Author

Commented:
ISA for browsing; the DNS servers are local.

ISA Server IP : 10.32.209.232

Primary DNS : 10.32.209.230
Secondary DNS : 10.32.209.231

Commented:
I've tried to simulate this in Packet Tracer, and the access list is just this:

ip access-list extended ACLVLN61
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.230
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.231
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.232

The rest is implicitly denied.

I added one more host, 10.32.209.233, for the ACL testing. I set up those IPs (10.32.209.230 - .233) as web servers, and the result is that only those 3 web servers can be accessed; the IP .233 can't be accessed at all.

Here's the core switch configuration that I made:


CORE#sh run
Building configuration...

Current configuration : 1485 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname CORE
!
!
interface FastEthernet0/1
 switchport trunk allowed vlan 61
 switchport mode trunk
!
interface FastEthernet0/2
 switchport trunk allowed vlan 209
 switchport mode trunk
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan61
 ip address 10.20.61.1 255.255.255.0
 ip access-group ACLVLN61 in
!
interface Vlan209
 ip address 10.32.209.1 255.255.255.0
!
ip classless
!
!
ip access-list extended ACLVLN61
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.230
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.231
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.232
!
!
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
!
end

Here are some screenshots of the PC to the servers (attached: PT-Demo.JPG, PC0-1.JPG, PC0-2.JPG, PC0-3.JPG, PC0-4.JPG, PC0-w1.JPG, PC0-w2.JPG, PC0-w3.JPG, PC0-w4.JPG).

Author

Commented:
Thanks, and I appreciate your effort, but it's still not working; they are able to remote desktop to some other servers and telnet to some switches and routers.

Commented:
Maybe it will be helpful if you post your topology and the configuration, so we can analyze it all.

Author

Commented:
Okay,

Here is my configuration for my core switch. The idea is basically that this VLAN is dedicated to guests; I want them only to browse the internet and nothing else. I don't want them to be able to do remote desktop or telnet, or see anything else from my network.

SCC00DC451001#show runn
Building configuration...

Current configuration : 24890 bytes
!
version 12.2
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
service password-encryption
service compress-config
!
hostname SCC00DC451001
!
boot-start-marker
boot system flash cat4000-i9k91s-mz.122-25.EWA14.bin
boot-end-marker
!
!
redundancy
 mode sso
logging buffered 4097 debugging
enable secret 5 $1$uJAR$c7ODDVahLffH2q00SeqZT/
!
username cadmin privilege 15 password 7 05260C4B6058470A14
aaa new-model
!
aaa session-id common
clock timezone utc 3
qos dbl
qos map dscp 24 25 26 27 28 29 30 31 to tx-queue 4
qos map dscp 32 33 34 35 36 37 38 39 to tx-queue 4
qos map cos 3 to dscp 26
qos map cos 5 to dscp 46
qos
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
power redundancy-mode redundant
!
!
!
vlan internal allocation policy ascending
!
policy-map autoqos-voip-policy
  class class-default
    dbl
!
!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/1
 description Giga Link to CORE-2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no snmp trap link-status
 channel-group 1 mode desirable
!
interface GigabitEthernet1/2
 description Giga Link to CORE-2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no snmp trap link-status
 channel-group 1 mode desirable
!
interface GigabitEthernet3/1
 description Giga UpLink to Ground floor SW-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 service-policy output autoqos-voip-policy
 qos trust dscp
 no snmp trap link-status
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
!
interface GigabitEthernet3/2
 description Giga UpLink to Ground floor SW-2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 service-policy output autoqos-voip-policy
 qos trust dscp
 no snmp trap link-status
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
!
interface GigabitEthernet3/3
 description Giga UpLink to 1ST floor SW-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 service-policy output autoqos-voip-policy
 qos trust dscp
 no snmp trap link-status
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
!
interface GigabitEthernet3/4
 description Giga UpLink to 1ST floor SW-2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 service-policy output autoqos-voip-policy
 qos trust dscp
 no snmp trap link-status
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
!
interface GigabitEthernet3/5
 description Giga UpLink to 2ND floor SW-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 service-policy output autoqos-voip-policy
 qos trust dscp
 no snmp trap link-status
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
!
interface GigabitEthernet3/6
 description Giga UpLink to 2ND floor SW-2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 service-policy output autoqos-voip-policy
 qos trust dscp
 no snmp trap link-status
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
!
interface GigabitEthernet4/1
 description Giga UpLink to 3RD floor SW-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 service-policy output autoqos-voip-policy
 qos trust dscp
 no snmp trap link-status
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
!
interface GigabitEthernet4/2
 description Giga UpLink to 3RD floor SW-2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 service-policy output autoqos-voip-policy
 qos trust dscp
 no snmp trap link-status
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
!
interface GigabitEthernet4/3
 description Giga UpLink to 4TH floor SW-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 service-policy output autoqos-voip-policy
 qos trust cos
 no snmp trap link-status
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
!
interface GigabitEthernet4/4
 description Giga UpLink to 4TH floor SW-2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 service-policy output autoqos-voip-policy
 qos trust cos
 no snmp trap link-status
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
!
interface GigabitEthernet4/5
 description Giga UpLink to 5TH floor SW-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 service-policy output autoqos-voip-policy
 qos trust cos
 no snmp trap link-status
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
!
interface GigabitEthernet4/6
 description Giga UpLink to 5TH floor SW-2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 service-policy output autoqos-voip-policy
 qos trust cos
 no snmp trap link-status
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
!
interface GigabitEthernet5/1
 description connected to server-sw
 switchport trunk encapsulation dot1q
 switchport mode trunk
 load-interval 30
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet5/2
 description TRUNK FROM wireless Controller
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
 no snmp trap link-status
!
interface GigabitEthernet5/3
 no switchport
 no ip address
 no snmp trap link-status
!
interface GigabitEthernet5/4
 description callmanager_Publisher
 switchport access vlan 200
 switchport mode access
 service-policy output autoqos-voip-policy
 qos trust cos
 no snmp trap link-status
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
 spanning-tree portfast
!
interface GigabitEthernet5/5
 description callmanager_Subscriber
 switchport access vlan 200
 switchport mode access
 service-policy output autoqos-voip-policy
 qos trust cos
 no snmp trap link-status
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
 spanning-tree portfast
!
interface GigabitEthernet5/6
 description Voice_gateway
 switchport access vlan 200
 switchport mode access
 service-policy output autoqos-voip-policy
 qos trust cos
 no snmp trap link-status
 auto qos voip trust
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
 spanning-tree portfast
!
interface GigabitEthernet5/7
 no snmp trap link-status
!
interface GigabitEthernet5/8
 description TapeLibrary 10.32.209.251
 switchport access vlan 700
 switchport mode access
 no snmp trap link-status
!
interface GigabitEthernet5/9
 description SQL
 switchport access vlan 700
 switchport mode access
 no snmp trap link-status
!
interface GigabitEthernet5/10
 description SQL
 switchport access vlan 700
 switchport mode access
 no snmp trap link-status
!
interface GigabitEthernet5/11
 description IDP-Primary MGT (MGT on IDP-1) Intf
 switchport access vlan 700
 switchport mode access
 no snmp trap link-status
!
interface GigabitEthernet5/12
 description IDP-Secondary MGT (MGT on IDP-2) Intf
 switchport access vlan 700
 switchport mode access
 no snmp trap link-status
!
interface GigabitEthernet5/13
 switchport access vlan 700
 switchport mode access
 no snmp trap link-status
!
interface GigabitEthernet5/14
 no snmp trap link-status
!
interface GigabitEthernet5/15
 switchport access vlan 700
 switchport mode access
 no snmp trap link-status
!
interface GigabitEthernet5/16
 switchport access vlan 700
 switchport mode access
 no snmp trap link-status
!
interface GigabitEthernet5/17
 description NAC-MGR-PRIMARY Management Port
 switchport access vlan 700
 switchport mode access
 no snmp trap link-status
!
interface GigabitEthernet5/18
 description NAC-SERVER-PRIMARY ETH0 (TRUSTED PORT) VLAN 701
 switchport access vlan 701
 switchport mode access
 no snmp trap link-status
!
interface GigabitEthernet5/19
 description NAC-SERVER-PRIMARY ETH1 (UNTRUSTED PORT) VLAN 702
 switchport access vlan 702
 switchport mode access
 no snmp trap link-status
!
interface GigabitEthernet5/20
 description MARS CONNECTIVITY
 switchport access vlan 700
 switchport mode access
 speed 1000
 duplex full
 no snmp trap link-status
!
interface GigabitEthernet5/21
 switchport access vlan 700
 switchport mode access
 no snmp trap link-status
!
interface GigabitEthernet5/22
 switchport access vlan 700
 switchport mode access
 no snmp trap link-status
!
interface GigabitEthernet5/23
 description ### TRUNK CONNECTED TO TRUST ###
 switchport access vlan 90
 switchport mode access
 no snmp trap link-status
!
interface GigabitEthernet5/24
 description WIRELESS CONTROLLER
 switchport access vlan 700
 no snmp trap link-status
!
interface GigabitEthernet6/1
 description LINK to YESSER-Core1
 switchport access vlan 99
 load-interval 30
!
interface GigabitEthernet6/2
 description TRUNK FROM wireless Controller
 switchport trunk encapsulation dot1q
 switchport mode trunk
 load-interval 30
!
interface GigabitEthernet6/3
 description PKI Core1
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 logging event link-status
 load-interval 30
!
interface GigabitEthernet6/4
!
interface GigabitEthernet6/5
!
interface GigabitEthernet6/6
!
interface Vlan1
 ip address 10.20.100.252 255.255.255.0
 ip access-group 1 out
 no ip redirects
 ip directed-broadcast
 standby 1 ip 10.20.100.254
 standby 1 priority 102
 standby 1 preempt
!
interface Vlan5
 ip address 10.20.5.252 255.255.255.0
 ip access-group 1 out
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 5 ip 10.20.5.254
 standby 5 priority 105
 standby 5 preempt
!
interface Vlan6
 ip address 10.20.6.252 255.255.255.0
 ip access-group 1 out
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 6 ip 10.20.6.254
 standby 6 priority 110
 standby 6 preempt
!
interface Vlan7
 ip address 10.20.7.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 ip route-cache policy
 ip policy route-map RM-VLAN5TO7
 standby 7 ip 10.20.7.254
 standby 7 priority 120
 standby 7 preempt
!
interface Vlan8
 ip address 10.20.8.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 ip route-cache policy
 ip policy route-map RM-VLAN6TO8
 standby 8 ip 10.20.8.254
 standby 8 priority 120
 standby 8 preempt
!
interface Vlan10
 ip address 10.20.10.252 255.255.255.0
 ip access-group 1 out
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 10 ip 10.20.10.254
 standby 10 priority 105
 standby 10 preempt
!
interface Vlan11
 ip address 10.20.11.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 ip route-cache policy
 ip policy route-map RM-VLAN10TO11
 standby 11 ip 10.20.11.254
 standby 11 priority 120
 standby 11 preempt
!
interface Vlan15
 ip address 10.20.15.252 255.255.255.0
 ip access-group 1 out
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 15 ip 10.20.15.254
 standby 15 priority 110
 standby 15 preempt
!
interface Vlan16
 ip address 10.20.16.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 ip route-cache policy
 ip policy route-map RM-VLAN15TO16
 standby 16 ip 10.20.16.254
 standby 16 priority 120
 standby 16 preempt
!
interface Vlan20
 ip address 10.20.20.252 255.255.255.0
 ip access-group 1 out
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 20 ip 10.20.20.254
 standby 20 priority 105
 standby 20 preempt
!
interface Vlan21
 ip address 10.20.21.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 ip route-cache policy
 ip policy route-map RM-VLAN20TO21
 standby 21 ip 10.20.21.254
 standby 21 priority 120
 standby 21 preempt
!
interface Vlan25
 ip address 10.20.25.252 255.255.255.0
 ip access-group 1 out
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 25 ip 10.20.25.254
 standby 25 priority 110
 standby 25 preempt
!
interface Vlan26
 ip address 10.20.26.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 ip route-cache policy
 ip policy route-map RM-VLAN25TO26
 standby 26 ip 10.20.26.254
 standby 26 priority 120
 standby 26 preempt
!
interface Vlan30
 ip address 10.20.30.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 ip route-cache policy
 standby 30 ip 10.20.30.254
 standby 30 priority 105
 standby 30 preempt
!
interface Vlan31
 ip address 10.20.31.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 ip route-cache policy
 ip policy route-map RM-VLAN30TO31
 standby 31 ip 10.20.31.254
 standby 31 priority 120
 standby 31 preempt
!
interface Vlan35
 ip address 10.20.35.252 255.255.255.0
 ip access-group 1 out
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 35 ip 10.20.35.254
 standby 35 priority 110
 standby 35 preempt
!
interface Vlan36
 ip address 10.20.36.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 ip route-cache policy
 ip policy route-map RM-VLAN35TO36
 standby 36 ip 10.20.36.254
 standby 36 priority 120
 standby 36 preempt
!
interface Vlan40
 ip address 10.20.40.252 255.255.255.0
 ip access-group 1 out
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 40 ip 10.20.40.254
 standby 40 priority 105
 standby 40 preempt
!
interface Vlan41
 ip address 10.20.41.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 ip route-cache policy
 ip policy route-map RM-VLAN40TO41
 standby 41 ip 10.20.41.254
 standby 41 priority 120
 standby 41 preempt
!
interface Vlan45
 ip address 10.20.45.252 255.255.255.0
 ip access-group 1 out
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 45 ip 10.20.45.254
 standby 45 priority 110
 standby 45 preempt
!
interface Vlan46
 ip address 10.20.46.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 ip route-cache policy
 ip policy route-map RM-VLAN45TO46
 standby 46 ip 10.20.46.254
 standby 46 priority 120
 standby 46 preempt
!
interface Vlan50
 ip address 10.20.50.252 255.255.255.0
 ip access-group 1 out
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 50 ip 10.20.50.254
 standby 50 priority 105
 standby 50 preempt
!
interface Vlan51
 ip address 10.20.51.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 ip route-cache policy
 ip policy route-map RM-VLAN50TO51
 standby 51 ip 10.20.51.254
 standby 51 priority 120
 standby 51 preempt
!
interface Vlan55
 ip address 10.20.55.252 255.255.255.0
 ip access-group 1 out
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 55 ip 10.20.55.254
 standby 55 priority 110
 standby 55 preempt
!
interface Vlan56
 ip address 10.20.56.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 ip route-cache policy
 ip policy route-map RM-VLAN55TO56
 standby 56 ip 10.20.56.254
 standby 56 priority 120
 standby 56 preempt
!
interface Vlan60
 ip address 10.20.60.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 60 ip 10.20.60.254
 standby 60 priority 110
 standby 60 preempt
!
interface Vlan61
 ip address 10.20.61.252 255.255.255.0
 ip access-group ACLVLN61 out
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 61 ip 10.20.61.254
 standby 61 priority 110
 standby 61 preempt
!
interface Vlan65
 ip address 10.20.65.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 65 ip 10.20.65.254
 standby 65 priority 105
 standby 65 preempt
!
interface Vlan66
 ip address 10.20.66.252 255.255.255.0
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 66 ip 10.20.66.254
 standby 66 priority 105
 standby 66 preempt
!
interface Vlan90
 ip address 10.20.90.11 255.255.255.0
 no ip redirects
 ip directed-broadcast
 standby 90 ip 10.20.90.5
 standby 90 priority 110
 standby 90 preempt
!
interface Vlan99
 ip address 10.20.91.101 255.255.255.0
 standby 99 ip 10.20.91.100
 standby 99 priority 110
 standby 99 preempt
!
interface Vlan100
 description PKI DataCenter
 ip address 10.20.70.251 255.255.255.0
 ip helper-address 10.32.209.230
 load-interval 30
 standby 100 ip 10.20.70.254
 standby 100 priority 150
 standby 100 preempt
!
interface Vlan200
 ip address 10.20.200.252 255.255.255.0
 no ip redirects
 ip directed-broadcast
 standby 200 ip 10.20.200.254
 standby 200 priority 110
 standby 200 preempt
!
interface Vlan205
 ip address 10.20.205.252 255.255.255.0
 ip helper-address 10.20.200.1
 no ip redirects
 ip directed-broadcast
 standby 205 ip 10.20.205.254
 standby 205 priority 110
 standby 205 preempt
!
interface Vlan206
 ip address 10.20.206.252 255.255.255.0
 no ip redirects
 ip directed-broadcast
 standby 206 ip 10.20.206.254
 standby 206 priority 105
 standby 206 preempt
!
interface Vlan210
 ip address 10.20.210.252 255.255.255.0
 ip helper-address 10.20.200.1
 no ip redirects
 ip directed-broadcast
 standby 210 ip 10.20.210.254
 standby 210 priority 110
 standby 210 preempt
!
interface Vlan215
 ip address 10.20.215.252 255.255.255.0
 no ip redirects
 ip directed-broadcast
 standby 215 ip 10.20.215.254
 standby 215 priority 105
 standby 215 preempt
!
interface Vlan220
 ip address 10.20.220.252 255.255.255.0
 ip helper-address 10.20.200.1
 no ip redirects
 ip directed-broadcast
 standby 220 ip 10.20.220.254
 standby 220 priority 110
 standby 220 preempt
!
interface Vlan225
 ip address 10.20.225.252 255.255.255.0
 no ip redirects
 ip directed-broadcast
 standby 225 ip 10.20.225.254
 standby 225 priority 105
 standby 225 preempt
!
interface Vlan230
 ip address 10.20.230.252 255.255.255.0
 ip helper-address 10.20.200.1
 no ip redirects
 ip directed-broadcast
 standby 230 ip 10.20.230.254
 standby 230 priority 110
 standby 230 preempt
!
interface Vlan235
 ip address 10.20.235.252 255.255.255.0
 no ip redirects
 ip directed-broadcast
 standby 235 ip 10.20.235.254
 standby 235 priority 105
 standby 235 preempt
!
interface Vlan240
 ip address 10.20.240.252 255.255.255.0
 ip helper-address 10.20.200.1
 no ip redirects
 ip directed-broadcast
 standby 240 ip 10.20.240.254
 standby 240 priority 110
 standby 240 preempt
!
interface Vlan245
 ip address 10.20.245.252 255.255.255.0
 no ip redirects
 ip directed-broadcast
 standby 245 ip 10.20.245.254
 standby 245 priority 105
 standby 245 preempt
!
interface Vlan250
 ip address 10.20.250.252 255.255.255.0
 ip helper-address 10.20.200.1
 no ip redirects
 ip directed-broadcast
 standby 250 ip 10.20.250.254
 standby 250 priority 110
 standby 250 preempt
!
interface Vlan251
 ip address 10.20.251.252 255.255.255.0
 no ip redirects
 ip directed-broadcast
 standby 251 ip 10.20.251.254
 standby 251 priority 105
 standby 251 preempt
!
interface Vlan300
 no ip address
!
interface Vlan700
 ip address 10.32.209.150 255.255.254.0
 ip helper-address 10.32.2.1
 no ip redirects
 ip directed-broadcast
 standby 70 ip 10.32.209.153
 standby 70 priority 110
 standby 70 preempt
!
interface Vlan701
 ip address 10.40.100.252 255.255.255.0
 no ip redirects
 ip directed-broadcast
 standby 71 ip 10.40.100.254
 standby 71 priority 110
 standby 71 preempt
!
interface Vlan702
 ip address 10.50.100.252 255.255.255.0
 no ip redirects
 ip directed-broadcast
 standby 72 ip 10.50.100.254
 standby 72 priority 110
 standby 72 preempt
!
router rip
 network 10.0.0.0
!
ip route 0.0.0.0 0.0.0.0 10.20.90.1
ip route 10.1.0.0 255.255.0.0 10.20.91.105
ip route 10.20.70.0 255.255.255.0 10.20.70.254
ip route 10.20.70.0 255.255.255.0 10.20.70.250
ip route 10.32.0.0 255.255.0.0 10.32.208.240
ip route 10.32.0.0 255.255.0.0 10.32.208.241
ip route 10.32.0.0 255.255.0.0 10.32.208.242
ip route 172.29.0.0 255.255.0.0 10.20.91.105
ip http server
!
!
!
ip access-list extended NAC-VLAN10TO11
 deny   ip any host 10.32.209.231
 deny   ip any host 10.32.209.230
 permit ip any any
ip access-list extended NAC-VLAN15TO16
 deny   ip any host 10.32.209.231
 deny   ip any host 10.32.209.230
 permit ip any any
ip access-list extended NAC-VLAN20TO21
 deny   ip any host 10.32.209.231
 deny   ip any host 10.32.209.230
 permit ip any any
ip access-list extended NAC-VLAN25TO26
 deny   ip any host 10.32.209.231
 deny   ip any host 10.32.209.230
 permit ip any any
ip access-list extended NAC-VLAN30TO31
 deny   ip any host 10.32.209.231
 deny   ip any host 10.32.209.230
 permit ip any any
ip access-list extended NAC-VLAN35TO36
 deny   ip any host 10.32.209.231
 deny   ip any host 10.32.209.230
 permit ip any any
ip access-list extended NAC-VLAN40TO41
 deny   ip any host 10.32.209.231
 deny   ip any host 10.32.209.230
 permit ip any any
ip access-list extended NAC-VLAN45TO46
 deny   ip any host 10.32.209.231
 deny   ip any host 10.32.209.230
 permit ip any any
ip access-list extended NAC-VLAN50TO51
 deny   ip any host 10.32.209.231
 deny   ip any host 10.32.209.230
 permit ip any any
ip access-list extended NAC-VLAN55TO56
 deny   ip any host 10.32.209.231
 deny   ip any host 10.32.209.230
 permit ip any any
ip access-list extended NAC-VLAN5TO7
 deny   ip any host 10.32.209.231
 deny   ip any host 10.32.209.230
 permit ip any any
ip access-list extended NAC-VLAN6TO8
 deny   ip any host 10.32.209.231
 deny   ip any host 10.32.209.230
 permit ip any any
ip access-list extended VLN61
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.230
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.231
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.232
 deny   ip any any
!
route-map RM-VLAN6TO8 permit 10
 match ip address NAC-VLAN6TO8
 set ip next-hop 10.50.100.1
!
route-map RM-VLAN10TO11 permit 10
 match ip address NAC-VLAN10TO11
 set ip next-hop 10.50.100.1
!
route-map RM-VLAN20TO21 permit 10
 match ip address NAC-VLAN20TO21
 set ip next-hop 10.50.100.1
!
route-map RM-VLAN30TO31 permit 10
 match ip address NAC-VLAN30TO31
 set ip next-hop 10.50.100.1
!
route-map RM-VLAN40TO41 permit 10
 match ip address NAC-VLAN40TO41
 set ip next-hop 10.50.100.1
!
route-map RM-VLAN50TO51 permit 10
 match ip address NAC-VLAN50TO51
 set ip next-hop 10.50.100.1
!
route-map RM-VLAN5TO7 permit 10
 match ip address NAC-VLAN5TO7
 set ip next-hop 10.50.100.1
!
route-map RM-VLAN15TO16 permit 10
 match ip address NAC-VLAN15TO16
 set ip next-hop 10.50.100.1
!
route-map RM-VLAN25TO26 permit 10
 match ip address NAC-VLAN25TO26
 set ip next-hop 10.50.100.1
!
route-map RM-VLAN35TO36 permit 10
 match ip address NAC-VLAN35TO36
 set ip next-hop 10.50.100.1
!
route-map RM-VLAN45TO46 permit 10
 match ip address NAC-VLAN45TO46
 set ip next-hop 10.50.100.1
!
route-map RM-VLAN55TO56 permit 10
 match ip address NAC-VLAN55TO56
 set ip next-hop 10.50.100.1
!
route-map CAS permit 10
 match ip address NAC-VLAN30TO31
 set ip next-hop 10.50.100.1
!
!
snmp-server community private RW
snmp-server community Mc!t@Snmp RO
snmp-server location MCIT/Main BLDG/Data Center/Communication Room
snmp-server host 10.32.209.200 version 2c Mc!t@Snmp
radius-server source-ports 1645-1646
banner login ^C
 
       
!
line con 0
 stopbits 1
line vty 0 4
 session-timeout 4000
 exec-timeout 28800 0
 password 7 0029100F307B0822
!
!
end

SCC00DC451001#          

Commented:
interface Vlan61
 ip address 10.20.61.252 255.255.255.0
 ip access-group ACLVLN61 out   ---> ACLVLN61 should be VLN61, as you defined it
 ip helper-address 10.32.209.230
 no ip redirects
 ip directed-broadcast
 standby 61 ip 10.20.61.254
 standby 61 priority 110
 standby 61 preempt

While you defined VLN61, see below:

ip access-list extended VLN61
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.230
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.231
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.232
 deny   ip any any

Remove the deny ip any any and try putting the direction IN.

Author

Commented:
Hi,

It's not working; they can still telnet and remote desktop to IPs other than the ones in the access list.

Commented:
You seem to be using HSRP on the core switch; is it also already configured on the other core switch?

Author

Commented:
Yes, it's already configured on both switches.

Author

Commented:
When I do show access-list I see the counter increasing for the deny only, and it's applied in the OUT direction:

Extended IP access list VLN61
    10 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.230
    20 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.231
    30 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.232
    40 deny ip any any (18495 matches)

Commented:
That's because you put deny any any. When you apply permits to an access list, the rest is implicitly denied; you don't have to put a deny, except that if you put a deny in a statement, you must put permit ip any any in the access list. In what I have simulated, the access list works on the simulated servers. I also wonder why the config is not working on your router :)
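
The two things argued back and forth in this thread, the implicit deny that closes every IOS ACL (explained in the Packet Tracer comment and again just above) and what `in` versus `out` on `interface Vlan61` actually filters (the counter output above), are easier to settle with a small evaluator. The block below is an added example written for this page, not code from any of the posts or from Cisco. It parses the ACL exactly as posted, applies it the way the 4500's SVI would in each direction, and compares it with a tighter variant. The tighter variant assumes the ISA proxy listens on TCP 8080 (the thread never says) and that the peer core's Vlan61 address is 10.20.61.253; both are assumptions, marked in the code, and the sample packets are constructed.

```python
# IOS-style extended ACL evaluator: first match wins, implicit 'deny ip any any' at
# the end, and the direction keyword decides which packets the Vlan61 SVI shows the ACL.
# Added example for this thread, not code from any of the posts.
import ipaddress
from collections import namedtuple

PORT_NAMES = {"domain": 53, "www": 80, "telnet": 23, "bootps": 67, "bootpc": 68}
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if tok[0] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    elif tok[0] == "host":
        net, rest = ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    else:  # IOS wildcard: 0 bits must match, 1 bits are don't-care (contiguous masks only)
        prefix = 32 - bin(int(ipaddress.ip_address(tok[1]))).count("1")
        net, rest = ipaddress.ip_network(f"{tok[0]}/{prefix}", strict=False), tok[2:]
    port = None
    if rest[:1] == ["eq"]:
        port, rest = PORT_NAMES.get(rest[1]) or int(rest[1]), rest[2:]
    return net, port, rest

def parse_acl(text):
    """Turn 'ip access-list extended' text into (action, proto, src, sport, dst, dport) rules."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "ip":   # skip the 'ip access-list extended NAME' header
            continue
        src, sport, rest = _addr(tok[2:])
        dst, dport, _ = _addr(rest)
        rules.append((tok[0], tok[1], src, sport, dst, dport))
    return rules

def evaluate(rules, pkt):
    """First matching entry decides; no match at all is the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, sport, dst, dport in rules:
        if proto not in ("ip", pkt.proto) or s not in src or d not in dst:
            continue
        if (sport is not None and sport != pkt.sport) or (dport is not None and dport != pkt.dport):
            continue
        return action
    return "deny"

def svi_filter(rules, direction, pkt, arrives_on_vlan61):
    """'in' on interface Vlan61 sees packets from VLAN 61 hosts; 'out' sees only packets
    the switch forwards onto VLAN 61, i.e. the replies (and nothing else)."""
    return evaluate(rules, pkt) if (direction == "in") == arrives_on_vlan61 else "not-seen"

def session_allowed(rules, direction, request):
    """A client/server exchange works only if request and reply both get past the ACL."""
    reply = Packet(request.proto, request.dst, request.src, request.dport, request.sport)
    return (svi_filter(rules, direction, request, True) != "deny"
            and svi_filter(rules, direction, reply, False) != "deny")

VLN61_POSTED = """ip access-list extended VLN61
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.230
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.231
 permit ip 10.20.61.0 0.0.0.255 host 10.32.209.232"""

# Tighter "DNS + browsing through ISA only" policy. Assumed: ISA proxies on TCP 8080 (the
# thread never says). The first two lines keep HSRP hellos and the DHCP relay working.
VLN61_TIGHT = """ip access-list extended VLN61-TIGHT
 permit udp 10.20.61.0 0.0.0.255 host 224.0.0.2 eq 1985
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 permit udp 10.20.61.0 0.0.0.255 host 10.32.209.230 eq domain
 permit udp 10.20.61.0 0.0.0.255 host 10.32.209.231 eq domain
 permit tcp 10.20.61.0 0.0.0.255 host 10.32.209.232 eq 8080"""

# Constructed sample traffic: a guest at 10.20.61.10 (ephemeral port 50000), the peer
# core's Vlan61 address assumed to be 10.20.61.253, and the TapeLibrary host from the config.
DNS_QUERY = Packet("udp", "10.20.61.10", "10.32.209.230", 50000, 53)
RDP_TO_DNS = Packet("tcp", "10.20.61.10", "10.32.209.230", 50000, 3389)
RDP_TO_TAPE = Packet("tcp", "10.20.61.10", "10.32.209.251", 50000, 3389)
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
HSRP_HELLO = Packet("udp", "10.20.61.253", "224.0.0.2", 1985, 1985)

def demo():
    posted, tight = parse_acl(VLN61_POSTED), parse_acl(VLN61_TIGHT)
    return {
        # 'out' never matches a permit: only replies cross the SVI outbound and their
        # source is not 10.20.61.0/24, so the deny counter climbs and the permits stay at 0.
        "posted/out DNS": session_allowed(posted, "out", DNS_QUERY),
        "posted/in DNS": session_allowed(posted, "in", DNS_QUERY),
        "posted/in RDP to DNS server": session_allowed(posted, "in", RDP_TO_DNS),
        "posted/in RDP to other server": session_allowed(posted, "in", RDP_TO_TAPE),
        "posted/in DHCP discover": session_allowed(posted, "in", DHCP_DISCOVER),
        "posted/in HSRP hello": session_allowed(posted, "in", HSRP_HELLO),
        "tight/in DNS": session_allowed(tight, "in", DNS_QUERY),
        "tight/in RDP to DNS server": session_allowed(tight, "in", RDP_TO_DNS),
        "tight/in DHCP discover": session_allowed(tight, "in", DHCP_DISCOVER),
        "tight/in HSRP hello": session_allowed(tight, "in", HSRP_HELLO),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:32} {'allowed' if ok else 'blocked'}")
```

Run it and the `posted/out` case comes out blocked while the `posted/in` cases to the three hosts are allowed, which is exactly the counter pattern in the `show access-list` output above: applied `out`, the SVI only ever sees server-to-guest replies, whose source is not 10.20.61.0/24, so nothing but the final deny matches. Applied `in`, the ACL as posted does block RDP and telnet to other servers, but it still lets guests open any port on the DNS and ISA hosts, and it also drops the guests' initial DHCP discover and the peer core's HSRP hellos, which is why the tighter list permits those explicitly. Two checks before concluding the ACL is broken: `show ip access-lists VLN61` should show the permit counters moving, not just the deny, and because HSRP is running on both cores the ACL has to be on `interface Vlan61` of both switches, since whichever one is active for 10.20.61.254 is the one routing the guests' traffic. Separately, the posted configuration exposes `snmp-server community private RW` and type 7 passwords, which are trivially reversible; those are worth rotating whatever the outcome of the ACL question.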

Author

Commented:
I removed deny any any; everything is permitted. I tried the access list in both directions, IN and OUT; it's the same, it's not working.

Commented:
Try this: remove the access list on both core switches, create a new one with the same permit statements, and apply it on the VLAN interface on both switches.

Author

Commented:
Hi,

Sorry for being late to reply, but it's not working.
