ACL on Vlan interface

Status
Not open for further replies.

crocodanser

Technical User
Sep 25, 2008
19
FR
Hi all,

I have a question about ACL on vlan interface.

My vlan : 161
My network : 192.168.161.0/24
My DNS and Proxy Server : 192.168.161.250

I want to activate an ACL on vlan interface 161.

The server can use the HTTP protocol to any destination and the domain protocol to 192.168.0.1.
The network 192.168.161.0/24 can't go out.
All other networks have full access to this network.

This is my access-list :

access-list 101 permit tcp host 192.168.161.250 any eq www
access-list 101 permit tcp host 192.168.161.250 host 192.168.0.1 eq domain
access-list 101 permit udp host 192.168.161.250 host 192.168.0.1 eq domain
access-list 101 deny ip 192.168.161.0 0.0.0.255 any
access-list 101 permit ip any any

I'm in another network. When I apply this ACL on VLAN interface 161, I can't access the server 192.168.161.250.

Have you got an idea?

Best regards,
Olivier

 
What is the other network? Is that 'other' network a VLAN on the switch in question? Is this a layer 2 or layer 3 switch?
 
It's all other networks.

The switch is layer 3.

Thanks for your help
 
Need more info. Is the 'other' network on the same switch? A different switch?
Can you post a config?
 
Hi,

On my layer 3 switch, there are many VLANs:

VLAN Name Status Ports
---- -------------------------------- --------- ------------------------------
1 default active Gi0/1, Gi0/2, Gi0/3, Gi0/4
Gi0/5, Gi0/6, Gi0/7, Gi0/8
Gi0/9, Gi0/10, Gi0/11, Gi0/12
Gi0/13, Gi0/14, Gi0/15, Gi0/16
Gi0/17, Gi0/19, Gi0/20, Gi0/25
Gi0/26, Gi0/27, Gi0/28
60 Vlan60 active
63 Vlan63 active
65 Vlan65 active
66 Vlan66 active
67 Vlan67 active
68 Vlan68 active
161 Vlan161 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup


This is my interface config:

interface GigabitEthernet0/21
description Network 69
no switchport
ip address 192.168.69.240 255.255.255.0
!
interface GigabitEthernet0/22
description Network 64
no switchport
ip address 192.168.64.240 255.255.255.0
!
interface GigabitEthernet0/23
description Network 62
no switchport
ip address 192.168.62.240 255.255.255.0
!
interface GigabitEthernet0/24
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 60,63,65-68,161
switchport mode trunk
duplex full
no mdix auto
!

interface Vlan60
ip address 192.168.60.241 255.255.255.0
!
interface Vlan63
ip address 192.168.63.240 255.255.255.0
!
interface Vlan65
ip address 192.168.65.240 255.255.255.0
!
interface Vlan66
ip address 192.168.66.240 255.255.255.0
!
interface Vlan67
ip address 192.168.67.240 255.255.255.0
!
interface Vlan68
ip address 192.168.68.240 255.255.255.0
!
interface Vlan161
ip address 192.168.161.240 255.255.255.0
!

Thanks for your help

 
And the 'other' network also resides on this switch? What is the other network you are trying this from?

Where is the rest of the config?
 
That's because you have a deny statement blocking anything going to any other network besides your first 3 statements. This will block anything other than what you allowed in your first 3 statements.

access-list 101 deny ip 192.168.161.0 0.0.0.255 any
 
All other ports of this switch are disconnected.

router eigrp 100
redistribute static metric 10000 100 255 1 1500 route-map STATIC
network 192.168.60.0
network 192.168.62.0
network 192.168.63.0
network 192.168.64.0
network 192.168.65.0
network 192.168.66.0
network 192.168.67.0
network 192.168.68.0
network 192.168.69.0
network 192.168.160.0
network 192.168.161.0
no auto-summary
no eigrp log-neighbor-changes
!
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.60.242
ip http server
!
!

The other network is, for example, 192.168.64.0/24.

The gateway of this network is this layer 3 switch.

There are a lot of access switches for this network and for network 161, but the gateway of all networks is this layer 3 switch.

Thanks for your help.


 
Yes, but how can I deny all traffic from 192.168.161.0/24 to all networks?

Thanks for your help
 
Could be as simple as this. Outbound towards the client is wide open, but traffic coming back in is restricted to the one address and thus dropped if not going to 192.168.161.250.



outbound on vlan
ip access-group 102 out

access-list 102 permit ip any host 192.168.161.250
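Both the reply pointing at the `deny` line and the reply suggesting an outbound ACL 102 come down to how a stateless IOS ACL is evaluated: packet by packet, first match wins, implicit deny at the end, and an ACL applied `in` or `out` on interface Vlan161 only sees one half of a flow that crosses the SVI. The following Python model is an added example, not code from the thread or from Cisco. It parses the ACL lines exactly as posted, applies Cisco wildcard-mask matching, and runs a constructed client-to-proxy exchange through ACL 101 (`in`) and ACL 102 (`out`). The `established` variant of ACL 101 is my own addition for illustration, and the client addresses and ports are constructed.

```python
"""Packet-by-packet evaluation of the thread's Cisco IOS ACLs (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "domain": 53}
VLAN161 = ipaddress.ip_network("192.168.161.0/24")

# ACL 101 exactly as posted, applied 'in' on interface Vlan161.
ACL_101 = [
    "access-list 101 permit tcp host 192.168.161.250 any eq www",
    "access-list 101 permit tcp host 192.168.161.250 host 192.168.0.1 eq domain",
    "access-list 101 permit udp host 192.168.161.250 host 192.168.0.1 eq domain",
    "access-list 101 deny ip 192.168.161.0 0.0.0.255 any",
    "access-list 101 permit ip any any",
]
# Variant with one extra line (my addition, not from the thread): let the server's TCP
# replies out before the deny. 'established' matches segments with ACK or RST set.
ACL_101_ESTABLISHED = ACL_101[:3] + [
    "access-list 101 permit tcp host 192.168.161.250 any established"] + ACL_101[3:]
# ACL 102 as suggested in the thread, applied 'out' on interface Vlan161.
ACL_102 = ["access-list 102 permit ip any host 192.168.161.250"]

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK/RST bit, the only thing 'established' looks at

def _take_addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((base, wildcard), next)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2

def _take_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' (number or well-known name)."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i

def parse_ace(line: str) -> dict:
    """access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p] [established]"""
    t = line.split()
    src, i = _take_addr(t, 4)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    return dict(action=t[2], proto=t[3], src=src, sport=sport, dst=dst, dport=dport,
                established=(i < len(t) and t[i] == "established"))

def _addr_matches(spec: Tuple[int, int], ip: str) -> bool:
    base, wildcard = spec
    # Wildcard bit 0 = must match, 1 = don't care (the inverse of a subnet mask).
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def ace_matches(ace: dict, pkt: Packet) -> bool:
    return (ace["proto"] in ("ip", pkt.proto)
            and _addr_matches(ace["src"], pkt.src) and _addr_matches(ace["dst"], pkt.dst)
            and ace["sport"] in (None, pkt.sport) and ace["dport"] in (None, pkt.dport)
            and (pkt.ack or not ace["established"]))

def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First match wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", None

def subject_to_acl(pkt: Packet, direction: str) -> bool:
    """'in' on Vlan161 sees packets sourced in VLAN 161; 'out' sees packets destined to it.
    The other half of a flow enters or leaves on a different SVI and never meets this ACL."""
    ip = ipaddress.ip_address(pkt.src if direction == "in" else pkt.dst)
    return ip in VLAN161

def flow_verdicts(acl: List[str], direction: str, request: Packet, reply: Packet) -> dict:
    """Each packet is judged on its own: the ACL keeps no connection state."""
    return {name: (evaluate(acl, pkt)[0] if subject_to_acl(pkt, direction) else "not checked")
            for name, pkt in (("request", request), ("reply", reply))}

# Constructed traffic: a host in VLAN 64 talking to the proxy, the proxy fetching a site,
# and a VLAN 161 user trying to reach VLAN 64 directly.
CLIENT_TO_PROXY = Packet("tcp", "192.168.64.10", "192.168.161.250", 40000, 80)
PROXY_TO_CLIENT = Packet("tcp", "192.168.161.250", "192.168.64.10", 80, 40000, ack=True)
PROXY_TO_WEB = Packet("tcp", "192.168.161.250", "203.0.113.7", 50000, 80)
USER_TO_VLAN64 = Packet("tcp", "192.168.161.20", "192.168.64.5", 50001, 445)

if __name__ == "__main__":
    # The reported symptom: the proxy's reply hits the deny line on its way in.
    print(flow_verdicts(ACL_101, "in", CLIENT_TO_PROXY, PROXY_TO_CLIENT))
    print(flow_verdicts(ACL_101_ESTABLISHED, "in", CLIENT_TO_PROXY, PROXY_TO_CLIENT))
    print(evaluate(ACL_101, PROXY_TO_WEB), evaluate(ACL_101, USER_TO_VLAN64))
    print(flow_verdicts(ACL_102, "out", CLIENT_TO_PROXY, PROXY_TO_CLIENT))
```

Running it shows the thread's symptom directly: the client's request enters on Vlan64 and is never checked by ACL 101, while the proxy's reply (source 192.168.161.250, destination port 40000) fails the `eq www` test on the first line and falls through to the `deny ip 192.168.161.0 0.0.0.255 any` line. The `established` line rescues TCP replies only; a UDP reply from the proxy to another network still lands on the deny, which is why a requirement like "all other networks can reach this network" cannot be met with a one-directional stateless ACL without adding the return-traffic rules explicitly. The ACL 102 `out` run shows the other suggestion's effect as written: packets to 192.168.161.250 are permitted, and packets to any other VLAN 161 host fall to the implicit deny.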

 
It's a little unclear what you need. Is the server only going to 192.168.0.1, or are all the other networks supposed to be able to get to the server also, but not anything else on the 161 net?
 
I need:

- 192.168.161.0/24 can't reach 192.168.61.0/24, 192.168.64.0/24 ...
- 192.168.161.250 can access All the websites public on tcp port 80 (permit any)
- 192.168.161.250 can access 192.168.0.1 on domain port (tcp and udp)
- 192.168.61.0/24, 192.168.64.0/24, ... All the networks can reach 192.168.61.0/24

192.168.161.250 is a proxy server. Users of 192.168.161.0/24 can reach only the proxy server and 192.168.161.0/24.

All the world can reach 192.168.161.0/24

Thanks for your help!!
 