I'm designing a network with the following scheme:
I have 5 VLANs, 3 on S1 and 2 on S3. I'm currently concerned with making access lists. Each VLAN has a web server that is configured to listen on both port 8080 and 80.
I want to use access lists on the router R3 (for example) to permit HTTP requests to the host (192.168.0.2) on port 80, but to deny them on port 8080.
I have entered the following commands on router R3:
But this denies access on both ports, that is, I can't open the web page from network 192.168.1.0/24, address 192.168.1.2.
On router R3 I have configured subinterfaces g0/1.10, 20, 30 (for VLANs 10, 20, 30 respectively) with the following commands:
ip access-group 100 in
ip access-group 100 out
What should I do?
Best Answer
You should craft an ACL for one direction. Don't put the same ACL on every interface in both directions.
The general ACL rules:
Your extended ACL 100 should only be on the router's interface for the VLAN with 192.168.1.0 (per your comment, VLAN 20) as an inbound ACL:

This will immediately drop any TCP traffic coming into the router from 192.168.1.0/24 destined to 192.168.0.2:8080, preventing the router from having to route that traffic. It will allow ICMP echos and other TCP traffic to 192.168.0.2, but it will deny all other traffic (ACLs have an implicit deny any any as the last statement). You should probably change the ACL so that it will permit all other traffic, unless you really only want to allow hosts on that VLAN to ping and use all other TCP only with 192.168.0.2. The hosts on that VLAN will not be able to get to any other VLAN, except with ping.
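The following is an added illustration, not part of the question or the answer: a small first-match evaluator that models an inbound ACL of the shape the answer describes (deny TCP to 192.168.0.2:8080, permit ICMP and other TCP to 192.168.0.2, implicit deny for everything else). The ACL entries and the packets are constructed assumptions, since the original access-list lines are not reproduced on the page; the evaluator also shows why reply traffic from the server fails such an ACL when it is applied in both directions.

```python
import ipaddress

# Constructed model of the inbound ACL the answer describes for the VLAN 20
# subinterface (assumption: the asker's real ACL text is not on the page).
# Entry layout: (action, protocol, source network, destination network, dst port or None)
ACL_100_IN = [
    ("deny",   "tcp",  "192.168.1.0/24", "192.168.0.2/32", 8080),  # block web on 8080
    ("permit", "icmp", "192.168.1.0/24", "192.168.0.2/32", None),  # allow ping
    ("permit", "tcp",  "192.168.1.0/32", "192.168.0.2/32", None)[:0] or
    ("permit", "tcp",  "192.168.1.0/24", "192.168.0.2/32", None),  # allow other TCP (port 80)
]

# The variant the answer recommends: explicitly permit all remaining traffic.
ACL_100_PERMISSIVE = ACL_100_IN + [("permit", "ip", "0.0.0.0/0", "0.0.0.0/0", None)]


def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' using first-match semantics and the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, ace_proto, ace_src, ace_dst, ace_port in acl:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if src_ip not in ipaddress.ip_network(ace_src):
            continue
        if dst_ip not in ipaddress.ip_network(ace_dst):
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action          # the first matching entry decides
    return "deny"              # implicit "deny any any" at the end of every ACL


def reply_from_server_is_dropped(acl):
    """Constructed reply packet 192.168.0.2:80 -> 192.168.1.2 (ephemeral port).

    If the same ACL is also applied where this reply passes (outbound on VLAN 20,
    or inbound on the server's VLAN), no entry matches a source of 192.168.0.2
    and the implicit deny breaks the connection on port 80 as well.
    """
    return evaluate(acl, "tcp", "192.168.0.2", "192.168.1.2", 51000) == "deny"


if __name__ == "__main__":
    for port in (80, 8080):
        print(f"192.168.1.2 -> 192.168.0.2:{port}:",
              evaluate(ACL_100_IN, "tcp", "192.168.1.2", "192.168.0.2", port))
    print("reply dropped if ACL applied both ways:", reply_from_server_is_dropped(ACL_100_IN))
```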