Cisco ACL

Ian Taylor
Hello,

I need to implement an ACL on a VLAN and permit only two IP addresses (VMs) to be able to access this VLAN. How easy is this to do?

Switches are 3750X
If it's from a different VLAN coming to your VLAN interface, the direction should be out:

ip access-list extended ACCESS-LIST-NAME-OUT
 permit ip host x.x.x.x b.b.b.b c.c.c.c
 permit ip host y.y.y.y b.b.b.b c.c.c.c
!
interface Vlan10
 ip access-group ACCESS-LIST-NAME-OUT out

If you need to block traffic coming from inside the VLAN, you just need to change the access-group direction to in:

ip access-list extended ACCESS-LIST-NAME-IN
 permit ip b.b.b.b c.c.c.c host x.x.x.x
 permit ip b.b.b.b c.c.c.c host y.y.y.y

interface Vlan10
 ip access-group ACCESS-LIST-NAME-IN in


x.x.x.x and y.y.y.y being your 2 IPs
b.b.b.b c.c.c.c being your subnet and subnet mask
Ian Taylor, IT Infrastructure Architect

Author

Commented:
Thanks, so we are going to have two VMs in the same VLAN; would it be the IN or OUT CLI I use?
Ian Taylor, IT Infrastructure Architect

Author

Commented:
Hi, this is the access-list I want to apply to VLAN 7:

ip access-list extended svrmgmt
 deny   tcp any any fragments
 deny   udp any any fragments
 deny   icmp any any fragments
 deny   ip any any fragments
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit ip any 10.51.5.0 0.0.0.255
 permit ip any 10.51.10.0 0.0.0.255
 permit ip any 10.53.5.0 0.0.0.255
 permit ip any 10.53.10.0 0.0.0.255
 permit ip any host 10.51.10.115
 permit ip any host 10.51.10.116
 deny   ip any 10.51.0.0 0.0.255.255
 deny   ip any 10.53.0.0 0.0.255.255
 permit ip any any

The only devices (or hosts) we want to have access to VLAN 7 are from VLAN 10:

 permit ip any host 10.51.10.115
 permit ip any host 10.51.10.116

Does the ACL look correct?

Ian Taylor, IT Infrastructure Architect

Author

Commented:
Sorry, correction:

ip access-list extended svr-hvmgmt
 deny   tcp any any fragments
 deny   udp any any fragments
 deny   icmp any any fragments
 deny   ip any any fragments
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit ip any host 10.51.10.115
 permit ip any host 10.51.10.116
 deny   ip any 10.51.0.0 0.0.255.255
 deny   ip any 10.53.0.0 0.0.255.255
 permit ip any any
Distinguished Expert 2018
Commented:
> I need to implement an ACL to a VLAN and permit only two IP Address (VM's) to be able to access this vlan, how easy is this todo?
>
> ip access-list extended svr-hvmgmt
>  deny   tcp any any fragments
>  deny   udp any any fragments
>  deny   icmp any any fragments
>  deny   ip any any fragments
>  permit udp any any eq bootps
>  permit udp any any eq bootpc
>  permit ip any host 10.51.10.115
>  permit ip any host 10.51.10.116
>  deny   ip any 10.51.0.0 0.0.255.255
>  deny   ip any 10.53.0.0 0.0.255.255
>  permit ip any any

This can be right, or it could be wrong, depending on the direction in which the access list is applied to the interface (business as usual).
:)
But, I guess, generally it is the wrong direction. This would need to be applied to filter traffic exiting from the VLAN to those hosts (IN direction), but I guess I would rather filter traffic in the other direction, as it is entering the VLAN. The reason is that all traffic from other VLANs can still reach those devices, and then traffic would be dropped when those hosts send traffic back if the destination host for the return traffic is not one of the specified hosts.
I guess a better approach is to allow access for specific hosts to the hosts in the VLAN and simply deny the rest while traffic is entering the VLAN. The way I would typically do it is to permit those hosts (and any infrastructure traffic that is needed), deny any other traffic that has a source in private address space, and permit public IP address space (if needed) in the access-list. That way, if new VLANs are created, their IP address spaces are already denied access, so I don't have to worry about it.

ip access-list extended svr-hvmgmt
 deny   tcp any any fragments
 deny   udp any any fragments
 deny   icmp any any fragments
 deny   ip any any fragments
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit ip host 10.51.10.115 any
 permit ip host 10.51.10.116 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 permit ip any any

interface vlan X
 ip access-group svr-hvmgmt out
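As an added example (not code from the thread, from Cisco, or from the expert), here is a small Python model of how IOS walks an extended ACL top-down with first-match semantics and an implicit deny, run against the expert's final ACL above in the "out" direction on the VLAN 7 SVI. It shows why source-based filtering (the approach in this reply) behaves differently from the destination-based list earlier in the thread. The VLAN 7 host address and the sample flows are constructed, since the thread does not give VLAN 7's subnet.

```python
import ipaddress
# Added example (not from the thread): a first-match evaluator for the extended-ACL syntax used here:
# permit/deny, ip/tcp/udp/icmp, any | host A.B.C.D | A.B.C.D WILDCARD, optional "eq <port>".
PORT_NAMES = {"bootps": 67, "bootpc": 68}
def _addr(tok):  # consume one address spec, return (network, remaining tokens)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    # IOS wildcard mask: 0 bits must match, 1 bits are don't-care; invert it to get a netmask
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{netmask}", strict=False), tok[2:]

def parse_acl(text):  # -> [(action, proto, src, dst, dport)] in configured order
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):
            src, rest = _addr(tok[2:])
            dst, rest = _addr(rest)
            dport = PORT_NAMES[rest[1]] if rest[:1] == ["eq"] else None
            aces.append((tok[0], tok[1], src, dst, dport))
    return aces

def evaluate(aces, src, dst, proto, dport=None):
    """First matching ACE wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, a_src, a_dst, a_port in aces:
        if p in ("ip", proto) and s in a_src and d in a_dst and a_port in (None, dport):
            return action
    return "deny"
# The expert's final ACL from the thread, minus its four "fragments" ACEs (this model sends no
# non-initial fragments, so they never match). Applied "out" on the VLAN 7 SVI it filters traffic
# routed from other VLANs into VLAN 7: src is the remote host, dst is a VLAN 7 host.
SVR_HVMGMT = """ permit udp any any eq bootps
 permit udp any any eq bootpc
 permit ip host 10.51.10.115 any
 permit ip host 10.51.10.116 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 permit ip any any"""
def decisions(vlan7_host="10.53.7.10"):  # VLAN 7's subnet is not in the thread; this host is assumed
    acl = parse_acl(SVR_HVMGMT)
    return {
        "allowed_vm": evaluate(acl, "10.51.10.115", vlan7_host, "tcp", 22),       # explicit host permit
        "other_vlan10_host": evaluate(acl, "10.51.10.50", vlan7_host, "tcp", 22),  # caught by deny 10/8
        "dhcp_to_client": evaluate(acl, "10.51.5.1", vlan7_host, "udp", 68),       # bootpc permit precedes deny 10/8
        "public_source": evaluate(acl, "203.0.113.5", vlan7_host, "tcp", 443),     # falls through to permit any
    }
```

Because the wildcard-mask inversion assumes contiguous masks, `ipaddress` raises a `ValueError` on a non-contiguous wildcard; that is a limitation of this model, not of IOS.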
Ian Taylor, IT Infrastructure Architect

Author

Commented:
This really helped, thank you.
