Solved

Cisco ACL Help

Posted on 2011-02-15
4
333 Views
Last Modified: 2012-05-11
I need a sanity check. I want to configure so that the server is only accessible from two other VLANs. For example, the server IP address is 10.4.0.26; the other VLAN requiring access is 10.4.12.0/24 and 10.4.17.0/24.

ip access-list extended SECURE
permit icmp any any
permit ip 10.4.12.0 0.0.0.255 host 10.4.0.26
permit ip 10.4.17.0 0.0.0.255 host 10.4.0.26
permit ip 10.4.0.0 0.0.0.255 host 10.4.0.26
deny ip any any

Would I apply this ACL on the interface that 10.4.0.26 is attached?
0
Comment
Question by:pitchford
  • 2
4 Comments
 
LVL 3

Accepted Solution

by:
mikegatti earned 500 total points
ID: 34898442
you could use this acl in the outbound direction of the vlan interface. this would also block all other traffic destined to this vlan. i would add a log at the end of the last deny so that you can see if anything else is being denied.

ip access-list extended SECURE
permit icmp any any
permit ip 10.4.12.0 0.0.0.255 host 10.4.0.26
permit ip 10.4.17.0 0.0.0.255 host 10.4.0.26
permit ip 10.4.0.0 0.0.0.255 host 10.4.0.26
deny ip any any log

interface vlan XXX
 ip address 10.4.0.x 255.255.255.0
 ip access-group SECURE out
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 34898956
extended ACLs are best to configure closer to the destination of where the packets are trying to get to as opposed to standard ACLs need to be closer to the source being they tend to drop alot of packets. so closer to the server would be best.
0
 
LVL 3

Author Comment

by:pitchford
ID: 34930682
Mike, the acl you provided would deny all other traffic to that vlan. I'm still not satisfied with the setup... I will post my final config...
0
 
LVL 3

Author Closing Comment

by:pitchford
ID: 34930814
Not exactly what I'm looking for, but very close.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

AWS has developed and created its highly available global infrastructure allowing users to deploy and manage their estates all across the world through the use of the following geographical components   RegionsAvailability ZonesEdge Locations  Wh…
Security is one of the biggest concerns when moving and migrating your data from your on-premise location to the Public Cloud.  Where is your data? Who can access it? Will it be safe from accidental deletion?  All of these questions and more are imp…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question