Improve company productivity with a Business Account.Sign Up

x
?
Solved

Cisco ACL Help

Posted on 2011-02-15
4
Medium Priority
?
353 Views
Last Modified: 2012-05-11
I need a sanity check. I want to configure so that the server is only accessible from two other VLANs. For example, the server IP address is 10.4.0.26; the other VLAN requiring access is 10.4.12.0/24 and 10.4.17.0/24.

ip access-list extended SECURE
permit icmp any any
permit ip 10.4.12.0 0.0.0.255 host 10.4.0.26
permit ip 10.4.17.0 0.0.0.255 host 10.4.0.26
permit ip 10.4.0.0 0.0.0.255 host 10.4.0.26
deny ip any any

Would I apply this ACL on the interface that 10.4.0.26 is attached?
0
Comment
Question by:pitchford
  • 2
4 Comments
 
LVL 3

Accepted Solution

by:
mikegatti earned 2000 total points
ID: 34898442
you could use this acl in the outbound direction of the vlan interface. this would also block all other traffic destined to this vlan. i would add a log at the end of the last deny so that you can see if anything else is being denied.

ip access-list extended SECURE
permit icmp any any
permit ip 10.4.12.0 0.0.0.255 host 10.4.0.26
permit ip 10.4.17.0 0.0.0.255 host 10.4.0.26
permit ip 10.4.0.0 0.0.0.255 host 10.4.0.26
deny ip any any log

interface vlan XXX
 ip address 10.4.0.x 255.255.255.0
 ip access-group SECURE out
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 34898956
extended ACLs are best to configure closer to the destination of where the packets are trying to get to as opposed to standard ACLs need to be closer to the source being they tend to drop alot of packets. so closer to the server would be best.
0
 
LVL 3

Author Comment

by:pitchford
ID: 34930682
Mike, the acl you provided would deny all other traffic to that vlan. I'm still not satisfied with the setup... I will post my final config...
0
 
LVL 3

Author Closing Comment

by:pitchford
ID: 34930814
Not exactly what I'm looking for, but very close.
0

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
If you are thinking of adopting cloud services, or just curious as to what ‘the cloud’ can offer then the leader according to Gartner for Infrastructure as a Service (IaaS) is Amazon Web Services (AWS).  When I started using AWS I was completely new…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

606 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question