Solved

Cisco ACL Help

Posted on 2011-02-15
4
331 Views
Last Modified: 2012-05-11
I need a sanity check. I want to configure so that the server is only accessible from two other VLANs. For example, the server IP address is 10.4.0.26; the other VLAN requiring access is 10.4.12.0/24 and 10.4.17.0/24.

ip access-list extended SECURE
permit icmp any any
permit ip 10.4.12.0 0.0.0.255 host 10.4.0.26
permit ip 10.4.17.0 0.0.0.255 host 10.4.0.26
permit ip 10.4.0.0 0.0.0.255 host 10.4.0.26
deny ip any any

Would I apply this ACL on the interface that 10.4.0.26 is attached?
0
Comment
Question by:pitchford
  • 2
4 Comments
 
LVL 3

Accepted Solution

by:
mikegatti earned 500 total points
ID: 34898442
you could use this acl in the outbound direction of the vlan interface. this would also block all other traffic destined to this vlan. i would add a log at the end of the last deny so that you can see if anything else is being denied.

ip access-list extended SECURE
permit icmp any any
permit ip 10.4.12.0 0.0.0.255 host 10.4.0.26
permit ip 10.4.17.0 0.0.0.255 host 10.4.0.26
permit ip 10.4.0.0 0.0.0.255 host 10.4.0.26
deny ip any any log

interface vlan XXX
 ip address 10.4.0.x 255.255.255.0
 ip access-group SECURE out
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 34898956
extended ACLs are best to configure closer to the destination of where the packets are trying to get to as opposed to standard ACLs need to be closer to the source being they tend to drop alot of packets. so closer to the server would be best.
0
 
LVL 3

Author Comment

by:pitchford
ID: 34930682
Mike, the acl you provided would deny all other traffic to that vlan. I'm still not satisfied with the setup... I will post my final config...
0
 
LVL 3

Author Closing Comment

by:pitchford
ID: 34930814
Not exactly what I'm looking for, but very close.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Squid Connection Pools 3 47
How to setup a Voice VLAN on a Cisco Meraki MS220-24 3 89
Is this network design suitable? 3 67
P2P and MPLS 3 47
Auditors face some challenges when reviewing router and firewall configurations.  I'm going to discuss a few of them in this article.  My assumption is that there is a device hardening standard in place, which points out the key elements of configur…
Hello to you all, I hear of many people congratulate AWS (Amazon Web Services) on how easy it is to spin up and create new EC2 (Elastic Compute Cloud) instances, but then fail and struggle to connect to them using simple tools such as SSH (Secure…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now