Cisco 4500 Access Control List in VLANs

ITMaster1979
Dear All,

  I have a Cisco 4500 with 6 VLANs configured as below

Vlan 2 192.168.2.x, Vlan 3 192.168.3.x, Vlan 4 192.168.4.x , Vlan 5 192.168.5.x. etc

I want my VLANs to only reach my servers (192.168.1.5, 192.168.1.6, 192.168.1.7, 192.168.1.8) and not to reach any other VLANs or other servers (192.168.1.x).

Kindly need your support to create the access lists.

Thanks

Commented:
Please be more specific, like this:

source network - destination network - protocol - port number
I believe this will work. Put this on your outgoing interfaces. Just duplicate it for the other VLANs.

access-list 100 permit ip 192.168.2.0 0.255.255.255 host 192.168.1.5
access-list 100 permit ip 192.168.2.0 0.255.255.255 host 192.168.1.6
access-list 100 permit ip 192.168.2.0 0.255.255.255 host 192.168.1.7
access-list 100 permit ip 192.168.2.0 0.255.255.255 host 192.168.1.8
access-list 100 deny any any

To apply your access list you go to the interface and use the ip access-group command and specify the direction you want the filtering to take place:

ip access-group 100 out
Remember the access-list and access-group commands must use the same number for it to work.

Oops, I messed up on my numbers!!! I'll repost once I straighten them out.

I just built a small test network in Packet Tracer and tried this and it seemed to work. You have to put the (ip access-group 100 out) on the router interface facing the network. Not sure of your exact setup, so you may have to play with which interface to put it on.

access-list 100 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.5
access-list 100 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.6
access-list 100 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.7
access-list 100 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.8
access-list 100 deny ip any any
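As an added illustration (not part of the thread and not the posters' code), here is a small Python evaluator of the numbered-ACL semantics used in this answer: Cisco wildcard matching, first-match-wins with the implicit deny, and the `established` keyword. It shows why the mistyped mask 0.255.255.255 from the earlier post matches far more than VLAN 2, and why a permit line with `established` on its own never admits a new connection. The sample addresses are constructed, and `established` is modelled as a packet flag meaning the TCP ACK or RST bit is set.

```python
"""Evaluator for the numbered-ACL semantics used in this thread (added example;
sample addresses are constructed, and 'established' is modelled as a packet flag
meaning the TCP ACK or RST bit is set, which is what the IOS keyword tests)."""
import ipaddress

SERVERS = ["192.168.1.5", "192.168.1.6", "192.168.1.7", "192.168.1.8"]
ANY = ("0.0.0.0", "255.255.255.255")  # what the keyword 'any' expands to


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must equal the network bit, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == \
        (int(ipaddress.IPv4Address(network)) & care)


def server_acl(src_net: str, src_wc: str, established: bool = False) -> list:
    """ACL 100 above: a VLAN may reach only the four servers. Entry layout:
    (action, protocol, (src, wildcard), (dst, wildcard), needs_established)."""
    acl = [("permit", "ip", (src_net, src_wc), (s, "0.0.0.0"), False) for s in SERVERS]
    if established:  # the extra line proposed later for internet return traffic
        acl.append(("permit", "tcp", (src_net, src_wc), ANY, True))
    acl.append(("deny", "ip", ANY, ANY, False))
    return acl


def evaluate(acl: list, src: str, dst: str, proto: str = "tcp",
             established: bool = False) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for action, aproto, (sn, sw), (dn, dw), need_est in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if need_est and not established:
            continue  # 'established' never matches the opening SYN of a new session
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


if __name__ == "__main__":
    good = server_acl("192.168.2.0", "0.0.0.255")
    bad = server_acl("192.168.2.0", "0.255.255.255")  # the mask from the first post
    print(evaluate(good, "192.168.2.10", "192.168.1.5"))   # permit: allowed server
    print(evaluate(good, "192.168.2.10", "192.168.1.20"))  # deny: other 192.168.1.x host
    # 0.255.255.255 pins only the first octet, so a VLAN 3 host matches as well
    print(evaluate(bad, "192.168.3.10", "192.168.1.5"))    # permit
    est = server_acl("192.168.2.0", "0.0.0.255", established=True)
    print(evaluate(est, "192.168.2.10", "203.0.113.10"))                    # deny: new SYN
    print(evaluate(est, "192.168.2.10", "203.0.113.10", established=True))  # permit
```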

Author

Commented:
Hi kenmcse1969,
What about the internet traffic? How will it pass the traffic?
Please explain! You lost me.

Author

Commented:
I mean my users in the 192.168.2.x subnet will need internet access. I think I have to add my firewall host and ISA to the allow access list, right?

Author

Commented:
I have applied it but internet is not working?
Add this to your ACL. This is where ACLs become increasingly more challenging: trying to weed out what you need, what you don't need, and what will give you the correct access.

access-list 100 permit tcp 192.168.2.0 0.0.0.255 any established

Author

Commented:
Hi, still no luck, internet is not working, please advise.
Hmm, above you were supposed to add this line to your interface.

ip access-group 100 out

possibly also add the line:

ip access-group 100 in

Author

Commented:
I already added them but still the same
Ok, if you take the ACL out completely does internet traffic flow fine?

Author

Commented:
Yes, it works if I remove it
Ok, let's try it this way.

R1#config t
R1(config)#access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 80
R1(config)#access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 443
R1(config)#! return traffic arrives inbound with the 192.168.2.0/24 host as destination
R1(config)#access-list 102 permit tcp any 192.168.2.0 0.0.0.255 established

R1(config)#interface s0/0/0 (whatever your interface is)
R1(config-if)#ip access-group 101 out
R1(config-if)#ip access-group 102 in
R1(config-if)#end
