Mahesh Badge

asked on

Access List

Hi,

Scenario -- Cisco 3550

1) Guest Network  --- 10.2.3.0 /24
2) LAN Users --- 10.41.0.0/16

I want users with IP addresses in 10.2.3.0/24 to not be able to access the 10.41.0.0/16 network. But at the same time I want 10.41.0.0/16 to have access to this 10.2.3.0 network.

Is it possible in Cisco 3550 to achieve this?

Thanks
Mahesh
Sean

Is the Cisco your router as well? These settings will be set on whatever is doing your routing. If it is, then yes, it is possible, but your computer would need a static IP address and be set to allow in the ACL and all other IP addresses set to deny.
If it is the router...

! guessing the interface here
interface Vlan10
 ip access-group VLAN10-IPv4-In in

! same name as referenced on the interface; IOS extended ACLs take
! 'host' / wildcard-mask notation, not /32 or /16 prefixes
ip access-list extended VLAN10-IPv4-In
 ! your PC
 10 permit ip any host 10.41.0.10
 20 deny   ip any 10.41.0.0 0.0.255.255
 ! everything else is dropped by the implicit deny at the end
The only way you should even be able to configure it is by using reflexive access lists (as far as I know).
But I am not sure if reflexive ACLs are supported on your Catalyst 3550.
ASKER CERTIFIED SOLUTION
Andy Bartkiewicz

This solution is only available to members.
! guessing the interface here
interface Vlan10
 ip access-group VLAN10-IPv4-In in

! same name as referenced on the interface; IOS extended ACLs take
! 'host' / wildcard-mask notation, not /32 or /16 prefixes
ip access-list extended VLAN10-IPv4-In
 ! your PC
 10 permit ip any host 10.41.0.10
 20 deny   ip any 10.41.0.0 0.0.255.255
 ! everything else is dropped by the implicit deny at the end


This one is not preventing users from network 10.2.3.0/24 from accessing the 10.41.0.0/16 network (request from Author).
It will permit access to the specific IP address 10.41.0.10 from the 10.2.3.0/24 network, and it will block access to other IP addresses in that range from any source address (which was not requested).
Andy's approach still allows crafted attacks on 10.41.0.0/16, but it generally meets the requirements.
The solution can meet the requirements.
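As an added example (not from any poster in this thread), here is a stateless router ACL on the guest SVI that gives the asker's one-way reachability on a 3550, which has no reflexive-ACL support. It assumes the guest network sits on Vlan10 with gateway 10.2.3.1 (a guess, as in Sean's post), that only TCP and ping replies need to flow back from guests to the LAN, and the interface and ACL names are invented for this example.

```cisco
! Added example: stateless guest-to-LAN filter for a Catalyst 3550.
! Assumptions: guest SVI is Vlan10 with gateway 10.2.3.1; LAN is 10.41.0.0/16.
interface Vlan10
 ip address 10.2.3.1 255.255.255.0
 ip access-group GUEST-IPv4-In in
!
ip access-list extended GUEST-IPv4-In
 remark -- Return traffic for TCP sessions that LAN hosts opened towards guests.
 remark -- 'established' matches only segments with ACK or RST set, so a guest
 remark -- host cannot complete a new handshake into the LAN. It checks flags
 remark -- only, which is the 'crafted packets' gap noted above in the thread.
 10 permit tcp 10.2.3.0 0.0.0.255 10.41.0.0 0.0.255.255 established
 remark -- Let LAN hosts ping guests (echo requests arrive on the LAN side).
 20 permit icmp 10.2.3.0 0.0.0.255 10.41.0.0 0.0.255.255 echo-reply
 remark -- Everything else from guests towards the LAN is dropped and logged
 remark -- (logged matches are punted to the CPU; drop 'log' on a busy box).
 30 deny   ip 10.2.3.0 0.0.0.255 10.41.0.0 0.0.255.255 log
 remark -- Guests keep their other reachability (Internet etc.). Without this
 remark -- line the implicit 'deny any' at the end would cut them off entirely.
 40 permit ip 10.2.3.0 0.0.0.255 any
!
! No ACL is needed on the LAN SVI: 10.41.0.0/16 keeps full access to 10.2.3.0/24.
! Verify after sending test traffic from each side; entry 30 should count hits
! for guest-initiated attempts, entry 10 for replies to LAN-initiated sessions:
!   show ip access-lists GUEST-IPv4-In
!   show ip interface Vlan10 | include access list
```

UDP services on the LAN that guests must reach (for example DNS) need their own permit entries before line 30, since nothing here is stateful.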