Apply ACL on vlan
Amended the post
Hello
Can someone guide me on how to apply an access-list to a VLAN?
Office_A connects to Office_B on different floors on VLAN 10.
I need to allow inbound and outbound traffic.
Config of Office_A and host
VLAN
int vlan 10
ip address 192.168.177.254 255.255.255.252
Allow the following hosts to communicate with hosts of Office_B:
host 192.168.110 port 443
host 192.168.1.16
network 192.168.25.0/24
Network of Office_B
Allow the following hosts to communicate with hosts of Office_A:
192.168.100.10 port 443
192.168.100.17
192.168.27.0/24
Please guide me with the right inbound / outbound ACL to apply on the SVI.
thanks
Vishal
Just to be on the same side, you want hosts 192.168.1.10:443 & 192.168.1.16 to connect to 192.168.100.10:443 and hosts 192.168.100.10:443 & 192.168.100.17 to connect to 192.168.110:443?
I'm asking because I got confused by your question. If you have a topology for your network, it would be a great asset.
Best Regards,
Islam M. Nadim
Similar Messages
-
Good afternoon,
We have several VLANs and would like to restrict traffic on some of them.
For one VLAN, let's say vlan 140, we would like it to drop all packets except for traffic going to / from 172.30.0.49. Is this possible? If so, how? Also, would users be able to obtain DHCP / DNS queries if this rule was in place?
Just like to get an understanding on how this can be done on our core using either ACL or vlan mappings.
Regards,
Mark
-
Yes, the main advantages are performance and usability.
With ACLs each document can have different security settings.
As for performance, if you enter a query like "what documents can a user read?" it requires checking all ACLs (not sure if it is still true, but I think in earlier versions ACLs were implemented as comma-separated strings, so this query was quite costly). With accounts, or security groups, the logic is much closer to a relational database, so even though the queries require a few OUTER JOINs, in the end they are much faster.
As for usability, imagine a scenario like "I want to replace a person X with a person Y" - with accounts you do it in one place, with ACLs I do not know (not sure if there is anything like "mass ACL update" available).
Note that "a large number of WLS groups" should be auto-generated, ideally, in cooperation with an IDM solution.
In general, I'd recommend ACLs only for very specific situations - namely, if security settings change during an item's lifetime (in 10g, they were a part of a component called Collaboration Manager, and it meant that a user might be granted access to an item only for the sake of a workflow, which is something you cannot do with accounts/security groups - or to be precise, you cannot do it easily).
I have also heard, with no further details, that recently ACLs were redesigned, so some statements above might become obsolete. -
Best Practice for where to apply ACL's on a router
I have a 1760 router with a 4 port ethernet card. It has the Vlan1 int on it for f0/0 in the IOS. I need to apply an ACL to that interface/subnet with the physical cable in f0/0 and the IP range of vlan1. When applying the ACL should I apply it to the physical interface or the Vlan (mgt) interface? What is the best practice and are there any docs on this from Cisco?
Thanks
Chris
Chris,
The f0/0 is operating as a switch port and as such you can not apply the access list directly to the physical interface. You should apply the access list to the vlan interface.
HTH
Rick -
I am trying to apply an ACL on my vlan interfaces that would allow the vlan to initiate TCP traffic. When I apply it I am unable to surf the web from the vlan but I can tftp from the vlan.
This is normal behavior. The first packet coming from the station on the VLAN would not be considered as established.
On the other hand, the established keyword could be configured on an outbound ACL applied to the same VLAN. This would only allow TCP traffic initiated from the VLAN to reenter that same VLAN.
Hope this helps, -
Cannot apply ACL to RAID through WGM
I have an MDD server with a system disk running OS X Server 10.4.4 and two disks in a mirror RAID configuration. When I try to apply users/groups to the ACL the changes are not accepted. I can drag users/groups to the ACL on the main system disk, but not to the RAID (not even the little black line shows up).
Can ACL only be applied to the system disk? If not, any clues as to what I might be doing wrong?
[Background: The machine originally ran Server 10.3.8 with the same hardware configuration. The OS is a completely new install (erase and install). I thought this might have had something to do with it, so I broke the RAID and recreated it, to no avail.]
Worked it out myself. Thanks!
-
I have a question that I hope someone can clarify ... I will be supporting a new ASA 5585X running 8.4 and I was wondering if it's possible to apply an ACL globally instead of it as an access group that is applied to a specific interface as in or out ... below are the interfaces and ACL ..
interface GigabitEthernet0/1
nameif internet-outside
security-level 0
ip address X.X.X.X 255.255.255.0 standby X.X.X.X
!
interface GigabitEthernet0/2
nameif internet-dmz
security-level 10
ip address 10.69.201.X 255.255.255.0 standby 10.69.201.X
interface TenGigabitEthernet0/8.129
nameif core-inside
security-level 100
ip address 10.69.129.X 255.255.255.0 standby 10.69.129.X
interface TenGigabitEthernet0/9.130
nameif VLAN130
security-level 50
ip address 10.69.130.X 255.255.255.0 standby 10.69.130.X
interface TenGigabitEthernet0/9.134
nameif VLAN134
security-level 50
ip address 10.69.134.X 255.255.255.0 standby 10.69.134.X
interface TenGigabitEthernet0/9.136
nameif VLAN136
security-level 50
ip address 10.69.136.X 255.255.255.0 standby 10.69.136.X
interface TenGigabitEthernet0/9.140
nameif VLAN140
security-level 50
ip address 10.69.140.X 255.255.255.0 standby 10.69.140.X
ACL
access-list wwy-legacy remark Citrix Communications
access-list wwy-legacy extended permit ip object-group All-Citrix object-group All-Citrix
access-list wwy-legacy remark Check Point Firewall MGMT
access-list wwy-legacy extended permit tcp object-group FW-Admins object-group CP-Firewalls object-group CP-svc-tcp
access-list wwy-legacy extended permit udp object-group FW-Admins object-group CP-Firewalls object-group CP-svc-udp
access-list wwy-legacy remark QUALYS Scanner Access
access-list wwy-legacy extended permit ip object-group qualys-scanners any
access-list wwy-legacy extended permit tcp object-group CN_HQ_NET host 10.69.130.12 eq 8080
access-list wwy-legacy remark ISX-Solorwinds
access-list wwy-legacy extended permit udp host 10.121.137.92 any object-group SNMP-mgmt-udp
access-list wwy-legacy extended permit icmp host 10.121.137.92 any
access-list wwy-legacy extended permit icmp any host 10.121.137.92
access-list wwy-legacy extended permit udp any host 10.121.137.92 object-group SNMP-mgmt-udp
access-list wwy-legacy remark citrix access to QA Leo systems
access-list wwy-legacy extended permit tcp object-group vmww-grp-2 object-group vmww-grp-1 eq www
access-list wwy-legacy remark EDI-Outbound
access-list wwy-legacy extended permit tcp host 10.69.130.68 host 198.65.112.233 eq ssh
access-list wwy-legacy extended permit tcp host 10.69.130.66 host 198.65.112.233 eq ssh
access-list wwy-legacy extended permit tcp host 10.69.130.68 host 38.96.217.8 eq ssh
access-list wwy-legacy extended permit tcp host 10.69.130.69 host 38.96.217.8 eq ssh
access-list wwy-legacy extended permit tcp host 10.69.130.68 host 184.106.46.199 eq ssh
access-list wwy-legacy extended permit tcp host 10.69.130.69 host 184.106.46.199 eq ssh
access-list wwy-legacy remark Security
access-list wwy-legacy extended permit tcp object-group CP-Firewalls object-group External-ACS object-group security-svc-tcp
access-list wwy-legacy extended permit udp object-group CP-Firewalls object-group External-ACS object-group security-svc-udp
access-list wwy-legacy extended permit udp object-group Private_Addresses object-group External-ACS object-group security-svc-udp
access-list wwy-legacy extended permit tcp object-group Private_Addresses object-group External-ACS object-group security-svc-tcp
access-list wwy-legacy extended permit tcp object-group Private-Addresses object-group External-ACS object-group security-svc-tcp
access-list wwy-legacy extended permit udp object-group Private-Addresses object-group External-ACS object-group security-svc-udp
access-list wwy-legacy remark EDI
access-list wwy-legacy extended permit ip object-group Primary_EDI_Servers object-group Primary_EDI_Servers
access-list wwy-legacy extended permit tcp object-group EDI_Customer_To_Portals object-group Primary_EDI_Servers object-group EDI-Common_Inbound_tcp
access-list wwy-legacy extended permit tcp object-group EDI_Customer_To_Portals host 10.69.201.88 object-group EDI-Common_Inbound_tcp
access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Customer_To_Portals object-group EDI-Common_Outbound_tcp
access-list wwy-legacy extended permit udp object-group Primary_EDI_Servers object-group EDI_Customer_To_Portals object-group EDI-Common_Outbound_udp
access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq ssh
access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 10022
access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 2223
access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 2224
access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq ssh
access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 10022
access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 2223
access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 2224
access-list outside-acl-01 extended deny ip any any
access-group outside-acl-01 in interface internet-outside
Hi,
Beginning from 8.3(1) you should be able to use a single access-list to control traffic/connection.
It still uses the "access-group" command to "attach" the access-list as a global access-list
command format is:
access-group global
Just out of interest, are you moving to ASA from some other product, or why would you want to use one global access-list? Personally I could never think of changing to global access-lists. I guess that's probably due to the fact that I have used access-lists attached to a certain interface and direction for so long.
- Jouni -
I have got a Cisco 3550-12T, in which I have created VLANs 2, 3, 4 & 5. Now my requirement is that VLAN 2 can communicate with all VLANs, whereas VLAN 5 should only communicate with VLAN 2 & vice versa, & VLANs 3, 4 should only communicate with VLAN 2 & vice versa. How do I proceed? By default if I enable "ip routing" I am able to communicate, but how do I filter the packets as I said above?
Hi,
You can do it using extended ACLs for denying traffic from VLANs 3, 4 to VLAN 5. This can also be done using VLAN maps. Please go through the link below:
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225sec/3550scg/swacl.htm#wp1082557
regards,
-amit singh -
Applying ACL's when copying files using SMB protocol
I need to change the default behaviour of CMSDK when I'm copying a file with Windows Explorer using the SMB protocol in this way:
When I'm copying a file from some branches of my tree of directories I want the ACL to apply to be the ACL of the original file and not the ACL of the user who is doing the copy. For instance:
Original file --> 'FILEA' with ACL 'AclA'
User --> 'Pepe' default ACL 'Acluser'
Copied file --> 'FILEB'
CMSDK will copy the 'FILEA' to 'FILEB' with ACL 'Acluser', but I need that ACL of 'FILEB' is 'AclA' and not 'Acluser' ( from the original file FILEA).
How could I get this ?.
Thanks.
This is not possible with the SMB protocol. Ask Oracle Support for bug 1672091.
-
Applying ACL to a folder (Java API)
Hi there,
I am wondering how to apply an ACL to a folder in order that this ACL gets automatically assigned to any LibraryObject (Folder or document) dropped in that folder.
Any help appreciated,
Stefano
Not currently possible. There will be some new features in the
next release that should make this easier.
Regards,
Jerry -
Route map does not applied on interface vlan
Hi all,
could you please tell me why I can't apply a route-map on an interface vlan?
Below is my config:
SWBBO(config-if)#ip policy route-map TEST
^
% Invalid input detected at '^' marker.
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.0(2)SE1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 04-Jan-13 01:38 by prod_rel_team
ROM: Bootstrap program is C3750E boot loader
BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
BBWMASALE01 uptime is 40 weeks, 1 day, 6 minutes
System returned to ROM by power-on
System restarted at 22:12:07 UTC Mon Feb 18 2013
System image file is "flash:/c3750e-universalk9-mz.150-2.SE1.bin"
Best regards,
James
Hi Jon,
Below is the result of sh sdm prefer; so do I need an IP services licence to apply the route-map on the interface vlan, or just enter the config "sdm prefer routing" and reboot the switch?
SWBB0#sh sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 6K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 8K
number of directly-connected IPv4 hosts: 6K
number of indirect IPv4 routes: 2K
number of IPv6 multicast groups: 64
number of directly-connected IPv6 addresses: 74
number of indirect IPv6 unicast routes: 32
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 0.875k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0
number of IPv6 security aces: 60
-
Hi,
if I have a folder hierarchy /xxx/yyy/zzz/*.xml, then I create myacl.xml and put it at /sys/acls/myacl.xml.
call DBMS_XDB.setACL('/xxx', '/sys/acls/myacl.xml');
will myacl apply to all the subfolders and files along the hierarchy? It seems not, so how can I apply one ACL file to all my resources under /xxx easily?
thanks a lot,
Haili
We're considering a recursive version of setACL for a future release... In the meantime you'll need your own PL/SQL block to do this..
set serveroutput on
--
declare
  -- every resource (folders and files) under the given path
  cursor getDocuments is
    select any_path
      from resource_view
     where under_path(res,'/home/SCOTT') = 1;
begin
  -- apply the same ACL to each one in turn
  for doc in getDocuments loop
    dbms_xdb.setAcl(doc.any_path, '/sys/acls/all_owner_acl.xml');
  end loop;
  commit;
end;
/
PL/SQL procedure successfully completed.
mdrake -
Applying ACL (setAcl) to Versioned Document in java - Exception thrown
Hello.,
I am creating a new versioned document object and trying to apply an acl using doc.setAcl();
However I receive an exception on the step where I am trying to set the ACL (below are the exceptions with IfsException.setVerboseMessage(true) )
oracle.ifs.common.IfsException: IFS-30043: Insufficient access to change PublicObjects Owner
oracle.ifs.common.IfsException: IFS-10204: Cannot update security settings for a PublicObject that has a SecuringPublicObject reference
Exact same code works when it is not a versioned document.
What do I need to do extra, to take care of versioned documents.
Thanks,
Hi,
I too try to upload a document through web service proxies in java.
Step followed are
1. login using login service
2. upload document using documentContentService
3. createDocument using DocumentService
The last step, createDocument in DocumentService, always returns No valid session exists, though I try to do the service calls in a stateful session.
Kindly help, if you have any solution for this.
Regards,
Bala -
Applying ACLs to Composite Application Views
Is it possible to do the following?
- We have a Composite Application with multiple views (Research, Reports, Admin)
- We'd like for the Admin View to only be displayed for a specific CRX group
- Can I set an ACL on the View node under the Application to accomplish this?
Yes, this is possible by setting up ACLs on the nodes in CRX. The upcoming service pack will have a sample of how to do this - look for the mosaic-accesscontrol-pkg very soon in an updated samples package on packageshare.
-
HI Experts,
In my lab setup I configured a Cisco 3560 switch.
I configured VLAN 20 and VLAN 30.
VLAN 20 interface IP : 192.168.20.1/24
VLAN 30 interface IP : 192.168.30.1/24.
Inter-vlan communication is happening fine.
For testing purposes I configured extended ACLs.
Here is my requirement:
I want to stop communication from VLAN 30 to VLAN 20 but not vice-versa.
Here i configured like this:
access-list 111 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 111 permit ip any any
Applied the ACL on the VLAN 30 interface in the 'in' direction:
ip access-group 111 in
In this scenario, communication is stopping in both directions.
If I ping from one of the IPs in VLAN 20 to one of the IPs in VLAN 30, I was getting Request timed out. And if I ping from one of the IPs in VLAN 20 to the VLAN 30 interface IP, I was able to get ping replies.
From VLAN 30 to VLAN 20, I was getting destination host unreachable from the VLAN 30 IP (it's fine, as it's my requirement).
So, a solution is needed to communicate from VLAN 20 to VLAN 30.
Regards,
Janardhan
Hello,
What if you do a reflexive ACL on the .20 vlan.
ip access-list extended test
permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 reflect test-123
ip access-list extended inbound-packets
evaluate test-123
interface fastethernet 0/1.20
ip access-group test out
ip access-group inbound-packets in
Please let me know the result of this.
Regards,
Julio -
ACL applied to Vlan interfaces
I have been working with access lists for a while now and I think I have a good knowledge of them. But the thing I'm still confused with is when you apply an ACL "in" and "out" to an SVI or VLAN virtual interface.
It seems like on these types of interfaces the directions change completely compared to normal interfaces (ethernet, serial, etc.). The logic is different and sometimes I find myself in trouble when I have to do some troubleshooting at work.
I've tried to find some information or manuals from Cisco about this specific issue but unfortunately I couldn't find anything clear.
Is there some method to quickly know when these ACLs should be applied in one direction or the other?
Thanks for your time.
It's no different on an SVI: "in" means coming in from the network (user ports). "Out" means out towards the clients' network.
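The three Cisco threads above (the "established" answer to the tftp/web question, the reflexive ACL suggested for the 3560 VLAN 20/30 lab, and the "in"/"out" question on SVIs) all turn on the same point: an ACL on an SVI is stateless, and "in" on the VLAN 30 SVI is the reply traffic of connections VLAN 20 opened. The following Python model is an added example and not code from any of the posts. It evaluates extended-ACL entries against a packet the way a stateless router does, with simplified `established`, `reflect` and `evaluate` semantics. The 192.168.20.0/24 and 192.168.30.0/24 addresses come from the 3560 post; the `Switch` and `Ace` classes, the hosts, the flows, the reflexive list name `from-v20`, and placing all three variants on VLAN 30's SVI are constructed assumptions. Port matching on `ip` entries, fragments and reflexive timeouts are deliberately not modelled.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK/RST bit set; this is all 'established' looks at

    def reply(self) -> Packet:
        """The return packet of the same flow: addresses and ports swapped."""
        return Packet(self.proto, self.dst, self.src, self.dport, self.sport, ack=True)


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str = ANY               # CIDR
    dst: str = ANY               # CIDR
    established: bool = False    # like IOS 'established': TCP with ACK or RST set
    reflect: str | None = None   # like IOS 'reflect NAME': remember this flow's mirror
    evaluate: str | None = None  # like IOS 'evaluate NAME': permit remembered replies

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return not self.established or (p.proto == "tcp" and p.ack)


class Switch:
    """Hypothetical L3 switch: one SVI per VLAN, ACLs keyed by (vlan, "in"/"out")."""

    def __init__(self, svis: dict[int, str]):
        self.svis = {v: ipaddress.ip_network(n) for v, n in svis.items()}
        self.acls: dict[tuple[int, str], list[Ace]] = {}
        self.reflex: dict[str, set[tuple]] = {}   # reflexive name -> expected reply tuples

    def apply(self, vlan: int, direction: str, acl: list[Ace]) -> None:
        self.acls[(vlan, direction)] = acl

    def _vlan_of(self, addr: str) -> int:
        ip = ipaddress.ip_address(addr)
        return next(v for v, net in self.svis.items() if ip in net)

    def _check(self, acl: list[Ace], p: Packet) -> str:
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        for ace in acl:
            if ace.evaluate is not None:
                if key in self.reflex.get(ace.evaluate, set()):
                    return "permit"
                continue
            if ace.matches(p):
                if ace.action == "permit" and ace.reflect is not None:
                    # Remember what the reply will look like (mirror of this packet).
                    self.reflex.setdefault(ace.reflect, set()).add(
                        (p.proto, p.dst, p.src, p.dport, p.sport))
                return ace.action
        return "deny"   # implicit deny at the end of every ACL

    def forward(self, p: Packet) -> str:
        """'in' on an SVI is traffic arriving from hosts on that VLAN; 'out' is
        traffic the switch sends toward them. The ingress 'in' ACL is checked first."""
        ingress, egress = self._vlan_of(p.src), self._vlan_of(p.dst)
        for vlan, direction in ((ingress, "in"), (egress, "out")):
            acl = self.acls.get((vlan, direction))
            if acl is not None and self._check(acl, p) == "deny":
                return f"dropped at vlan{vlan} {direction}"
        return "forwarded"


V20, V30 = "192.168.20.0/24", "192.168.30.0/24"
# Constructed traffic: VLAN 20 hosts initiate HTTP and ping; a VLAN 30 host tries SSH.
FLOWS = {
    "http from vlan20": Packet("tcp", "192.168.20.10", "192.168.30.10", 40000, 80),
    "ping from vlan20": Packet("icmp", "192.168.20.10", "192.168.30.10"),
    "ssh from vlan30": Packet("tcp", "192.168.30.10", "192.168.20.10", 40001, 22),
}


def build(style: str) -> Switch:
    """Three ways to write 'VLAN 30 must not initiate toward VLAN 20' on VLAN 30's SVI."""
    sw = Switch({20: V20, 30: V30})
    block = [Ace("deny", "ip", V30, V20), Ace("permit", "ip")]
    if style == "stateless":
        sw.apply(30, "in", block)
    elif style == "established":
        sw.apply(30, "in", [Ace("permit", "tcp", V30, V20, established=True)] + block)
    elif style == "reflexive":
        sw.apply(30, "out", [Ace("permit", "ip", V20, V30, reflect="from-v20")])
        sw.apply(30, "in", [Ace("permit", "ip", evaluate="from-v20")] + block)
    else:
        raise ValueError(style)
    return sw


def outcomes(style: str) -> dict[str, tuple[str, str | None]]:
    """(request result, reply result) per flow; reply is None when the request was dropped."""
    sw = build(style)
    result = {}
    for name, p in FLOWS.items():
        req = sw.forward(p)
        result[name] = (req, sw.forward(p.reply()) if req == "forwarded" else None)
    return result


if __name__ == "__main__":
    for style in ("stateless", "established", "reflexive"):
        print(style)
        for name, (req, rep) in outcomes(style).items():
            print(f"  {name:17} request: {req:22} reply: {rep}")
```

Running it shows the failure mode each thread describes. With the plain deny on the VLAN 30 SVI, VLAN 20's own HTTP request reaches VLAN 30 but the reply is dropped at "vlan30 in", because the reply is a packet from 192.168.30.0/24 to 192.168.20.0/24 like any other. Adding `established` rescues TCP only: the HTTP reply carries ACK and passes, the SSH SYN from VLAN 30 does not, but the ICMP echo reply still dies, which is why a ping test cannot tell you whether the TCP fix worked. The reflexive pair (reflect on the SVI's "out", evaluate on its "in") passes the mirror of any flow VLAN 20 opened, for every protocol, while VLAN 30's own SSH attempt still hits the deny.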