Solved

Cisco ACL Help

Posted on 2011-02-15
4
338 Views
Last Modified: 2012-05-11
I need a sanity check. I want to configure so that the server is only accessible from two other VLANs. For example, the server IP address is 10.4.0.26; the other VLAN requiring access is 10.4.12.0/24 and 10.4.17.0/24.

ip access-list extended SECURE
permit icmp any any
permit ip 10.4.12.0 0.0.0.255 host 10.4.0.26
permit ip 10.4.17.0 0.0.0.255 host 10.4.0.26
permit ip 10.4.0.0 0.0.0.255 host 10.4.0.26
deny ip any any

Would I apply this ACL on the interface that 10.4.0.26 is attached?
0
Question by:pitchford
4 Comments
 
LVL 3

Accepted Solution

by: mikegatti (earned 500 total points)
ID: 34898442
You could use this ACL in the outbound direction of the VLAN interface. This would also block all other traffic destined to this VLAN. I would add a log at the end of the last deny so that you can see if anything else is being denied.

! Named extended ACL: entries are evaluated top-down, first match wins.
ip access-list extended SECURE
 permit icmp any any
 permit ip 10.4.12.0 0.0.0.255 host 10.4.0.26
 permit ip 10.4.17.0 0.0.0.255 host 10.4.0.26
 permit ip 10.4.0.0 0.0.0.255 host 10.4.0.26
 ! Explicit final deny with "log" so hits on anything else show up in the log.
 deny ip any any log

! Apply outbound on the SVI of the server's VLAN (routed traffic leaving the SVI into that VLAN).
interface vlan XXX
 ip address 10.4.0.x 255.255.255.0
 ip access-group SECURE out
0
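Both the question and the accepted answer turn on what the SECURE ACL permits and, just as importantly, what its final deny also drops. The following is an added example, not code from the thread; it is a small Python model of Cisco extended-ACL evaluation (first match wins, wildcard masks, implicit deny when no entry matches) run against constructed sample flows. It models only the protocol and address matching the thread's ACL uses (no port or established matching), and the flow list is invented for illustration. The fourth flow shows the side effect Mike and pitchford discuss: with the ACL applied outbound on the server VLAN's SVI, traffic to any other host in that VLAN is also denied.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One access-control entry of an extended ACL."""
    action: str        # "permit" or "deny"
    proto: str         # "ip", "icmp", "tcp", "udp"
    src: str           # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (wildcard)
    dst: str
    log: bool = False  # trailing "log" keyword present


def _match_addr(spec, addr):
    """Cisco address matching: 'any', 'host X', or 'network wildcard'."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    net, wildcard = parts
    # Wildcard bits set to 1 are "don't care"; the 0 bits must match exactly.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(net)) & mask) == (a & mask)


def _take_addr(toks):
    """Consume one address specification from the token list."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return f"host {toks[1]}", toks[2:]
    return f"{toks[0]} {toks[1]}", toks[2:]


def parse_acl(text):
    """Parse the body of an 'ip access-list extended' block into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith(("ip access-list", "!", "remark")):
            continue
        toks = line.split()
        action, proto = toks[0], toks[1]
        log = toks[-1] == "log"
        if log:
            toks = toks[:-1]
        src, rest = _take_addr(toks[2:])
        dst, rest = _take_addr(rest)
        aces.append(Ace(action, proto, src, dst, log))
    return aces


def evaluate(aces, proto, src, dst):
    """First-match evaluation. Returns (action, index); (deny, None) is the implicit deny."""
    for i, ace in enumerate(aces):
        if ace.proto not in ("ip", proto):   # "ip" entries match every protocol
            continue
        if _match_addr(ace.src, src) and _match_addr(ace.dst, dst):
            return ace.action, i
    return "deny", None


# The ACL from the thread, as the accepted answer wrote it.
SECURE = """
ip access-list extended SECURE
 permit icmp any any
 permit ip 10.4.12.0 0.0.0.255 host 10.4.0.26
 permit ip 10.4.17.0 0.0.0.255 host 10.4.0.26
 permit ip 10.4.0.0 0.0.0.255 host 10.4.0.26
 deny ip any any log
"""

# Constructed sample flows (protocol, source, destination) as seen leaving the SVI.
FLOWS = [
    ("tcp", "10.4.12.50", "10.4.0.26"),  # allowed VLAN -> server
    ("tcp", "10.4.17.9", "10.4.0.26"),   # allowed VLAN -> server
    ("tcp", "10.4.30.7", "10.4.0.26"),   # other VLAN -> server
    ("tcp", "10.4.12.50", "10.4.0.40"),  # allowed VLAN -> a *different* host in the server VLAN
    ("icmp", "10.4.30.7", "10.4.0.26"),  # ping from anywhere
]


def audit(acl_text=SECURE, flows=FLOWS):
    """Map each flow to the action the ACL takes on it."""
    aces = parse_acl(acl_text)
    return {flow: evaluate(aces, *flow)[0] for flow in flows}


if __name__ == "__main__":
    aces = parse_acl(SECURE)
    for flow, action in audit().items():
        _, idx = evaluate(aces, *flow)
        logged = idx is not None and aces[idx].log
        print(f"{action:6} {flow}" + ("  [would be logged]" if logged else ""))
```

Running it prints one line per flow; the two denies include the collateral case (10.4.12.50 to 10.4.0.40), which is exactly the kind of hit the `log` keyword on the final deny is there to surface.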
 
LVL 7

Expert Comment

by:GridLock137
ID: 34898956
Extended ACLs are best configured closer to the destination the packets are trying to get to, as opposed to standard ACLs, which need to be closer to the source since they tend to drop a lot of packets. So closer to the server would be best.
0
 
LVL 3

Author Comment

by:pitchford
ID: 34930682
Mike, the ACL you provided would deny all other traffic to that VLAN. I'm still not satisfied with the setup... I will post my final config...
0
 
LVL 3

Author Closing Comment

by:pitchford
ID: 34930814
Not exactly what I'm looking for, but very close.
0