Apply ACL on vlan

Amended the post
Hello,
Can someone guide me on how to apply an access-list to a VLAN?
Office_A connects to Office_B on different floors on VLAN 10.
I need to allow inbound and outbound traffic.
Config of Office_A and hosts:
VLAN
int vlan 10
ip address 192.168.177.254 255.255.255.252
Allow the following hosts to communicate with the hosts of Office_B:
host 192.168.110 port 443
host 192.168.1.16
network 192.168.25.0/24
Network of Office_B
Allow the following hosts to communicate with the hosts of Office_A:
192.168.100.10  port 443
1192.168.100.17
192.168.27.0/24
Please guide me with the right inbound/outbound ACL to apply on the SVI.
Thanks,
Vishal

Just to be on the same page: you want hosts 192.168.1.10:443 and 192.168.1.16 to connect to 192.168.100.10:443, and hosts 192.168.100.10:443 and 192.168.100.17 to connect to 192.168.110:443?
I'm asking because I got confused by your question. If you have a topology diagram for your network, it would be a great asset.
Best Regards,
Islam M. Nadim
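A worked in/out pair for the transit SVI described in the question, added here as an example and not part of the original thread. It follows Islam's reading of the addresses (192.168.1.10 for "192.168.110", 192.168.100.17 for "1192.168.100.17"), assumes the two "port 443" entries are HTTPS servers and that the other listed hosts and networks may exchange any IP traffic, and assumes Vlan10 (192.168.177.254/30) is the point-to-point link on the Office_A switch over which Office_B's subnets are routed. The ACL names are invented.

```cisco
! Added example for the question above; not from the original thread.
! Office_A L3 switch. Vlan10 (192.168.177.254/30) is the transit link
! toward Office_B, so on this SVI:
!   "in"  = packets arriving from Office_B
!   "out" = packets leaving toward Office_B
! Addresses follow Islam's reading of the post and are assumptions;
! 192.168.1.10 and 192.168.100.10 are taken to be HTTPS servers.
!
ip access-list extended VLAN10-TO-B
 remark === Office_A -> Office_B, applied OUT on Vlan10 ===
 remark clients in A opening HTTPS to the server in B
 permit tcp host 192.168.1.16 host 192.168.100.10 eq 443
 permit tcp 192.168.25.0 0.0.0.255 host 192.168.100.10 eq 443
 remark replies from the HTTPS server in A to clients in B
 permit tcp host 192.168.1.10 eq 443 host 192.168.100.17 established
 permit tcp host 192.168.1.10 eq 443 192.168.27.0 0.0.0.255 established
 remark host/network pairs allowed any IP traffic (both sides of a session)
 permit ip host 192.168.1.16 host 192.168.100.17
 permit ip host 192.168.1.16 192.168.27.0 0.0.0.255
 permit ip 192.168.25.0 0.0.0.255 host 192.168.100.17
 permit ip 192.168.25.0 0.0.0.255 192.168.27.0 0.0.0.255
 deny   ip any any log
!
ip access-list extended VLAN10-FROM-B
 remark === Office_B -> Office_A, applied IN on Vlan10 ===
 remark clients in B opening HTTPS to the server in A
 permit tcp host 192.168.100.17 host 192.168.1.10 eq 443
 permit tcp 192.168.27.0 0.0.0.255 host 192.168.1.10 eq 443
 remark replies from the HTTPS server in B to clients in A
 permit tcp host 192.168.100.10 eq 443 host 192.168.1.16 established
 permit tcp host 192.168.100.10 eq 443 192.168.25.0 0.0.0.255 established
 remark host/network pairs allowed any IP traffic (both sides of a session)
 permit ip host 192.168.100.17 host 192.168.1.16
 permit ip host 192.168.100.17 192.168.25.0 0.0.0.255
 permit ip 192.168.27.0 0.0.0.255 host 192.168.1.16
 permit ip 192.168.27.0 0.0.0.255 192.168.25.0 0.0.0.255
 deny   ip any any log
!
interface Vlan10
 ip address 192.168.177.254 255.255.255.252
 ip access-group VLAN10-FROM-B in
 ip access-group VLAN10-TO-B out
```

Router ACLs on an SVI are stateless, so every permitted session needs a line in both lists: the request in one direction and the reply in the other. The `established` lines match only TCP segments carrying ACK or RST, which also means a crafted packet with ACK set passes them; they are a convenience, not a stateful check. Anything not listed, including a routing protocol or ICMP between the two switches on the /30, needs its own line. Confirm placement with `show ip interface Vlan10 | include access list` and watch hit counts with `show ip access-lists VLAN10-FROM-B`. On Catalyst switches `log` punts matching packets to the CPU, so keep it on the final deny only.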

Similar Messages

  • ACL or VLAN Mappings

    Good afternoon,
    We have several VLANs and would like to restrict traffic on some of them.
    For one VLAN, let's say VLAN 140, we would like it to drop all packets except for traffic going to / from 172.30.0.49. Is this possible? If so, how? Also, would users still be able to obtain DHCP / DNS if this rule were in place?
    Just like to get an understanding on how this can be done on our core using either ACL or vlan mappings.
    Regards,
    Mark

    Yes, the main advantages are performance and usability.
    With ACLs each document can have different security settings.
    As for performance, if you enter a query like "what documents can a user read?" it requires checking all ACLs (not sure if it is still true, but I think in earlier versions ACLs were implemented as comma-separated strings, so this query was quite costly). With accounts, or security groups, the logic is much closer to a relational database, so even though the queries require a few OUTER JOINs, in the end they are much faster.
    As for usability, imagine a scenario like "I want to replace person X with person Y": with accounts you do it in one place; with ACLs I do not know (not sure if there is anything like a "mass ACL update" available).
    Note that "a large number of WLS groups" should be auto-generated, ideally in cooperation with an IDM solution.
    In general, I'd recommend ACLs only for very specific situations, namely if security settings change during an item's lifetime (in 10g, they were part of a component called Collaboration Manager, and it meant that a user might be granted access to an item only for the sake of a workflow, which is something you cannot do with accounts/security groups, or to be precise, cannot do easily).
    I have also heard, with no further details, that recently ACLs were redesigned, so some statements above might become obsolete.

  • Best Practice for where to apply ACL's on a router

    I have a 1760 router with a 4-port Ethernet card. It has the Vlan1 interface on it for f0/0 in the IOS. I need to apply an ACL to that interface/subnet, with the physical cable in f0/0 and the IP range of Vlan1. When applying the ACL, should I apply it to the physical interface or the VLAN (mgmt) interface? What is the best practice, and are there any docs on this from Cisco?
    Thanks
    Chris

    Chris
    The f0/0 is operating as a switch port and as such you cannot apply the access list directly to the physical interface. You should apply the access list to the VLAN interface.
    HTH
    Rick

  • ACL on Vlan interface

    I am trying to apply an ACL on my VLAN interfaces that would allow the VLAN to initiate TCP traffic. When I apply it, I am unable to surf the web from the VLAN, but I can TFTP from the VLAN.

    This is normal behavior. The first packet coming from the station on the VLAN would not be considered as established.
    On the other hand, the established keyword could be configured on an outbound ACL applied to the same VLAN. This would only allow TCP traffic initiated from the VLAN to reenter that same VLAN.
    Hope this helps,
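The behaviour described in this answer, as an added example that is not from the thread: hosts on VLAN 20 (an assumed 192.168.20.0/24) may open TCP sessions outward, but nothing may open a TCP session toward them. The permit for session initiation goes in the inbound list without `established`; `established` appears only in the outbound list, where the returning segments carry ACK.

```cisco
! Added example; VLAN 20 addressing and ACL names are assumptions.
! On an SVI, "in" sees packets coming from the VLAN's hosts,
! "out" sees packets going to them.
ip access-list extended VLAN20-IN
 remark the first packet of a client session is a bare SYN; "established"
 remark could never match it here, so permit the initiation plainly
 permit tcp 192.168.20.0 0.0.0.255 any
 permit udp 192.168.20.0 0.0.0.255 any eq domain
 permit icmp 192.168.20.0 0.0.0.255 any echo
 deny   ip any any
!
ip access-list extended VLAN20-OUT
 remark only TCP segments with ACK or RST set, i.e. replies to sessions
 remark the VLAN opened, may come back; a new inbound SYN is dropped
 permit tcp any 192.168.20.0 0.0.0.255 established
 remark "established" is TCP-only; UDP and ICMP replies need explicit lines
 permit udp any eq domain 192.168.20.0 0.0.0.255
 permit icmp any 192.168.20.0 0.0.0.255 echo-reply
 permit icmp any 192.168.20.0 0.0.0.255 unreachable
 deny   ip any any
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group VLAN20-IN in
 ip access-group VLAN20-OUT out
```

Putting `established` on the inbound list instead reproduces the symptom in the question: the SYN from a browser has no ACK bit, fails the inbound list, and web browsing stops, while UDP-based services such as TFTP, which `established` never touches, keep working if they have their own permit line.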

  • Cannot apply ACL to RAID through WGM

    I have an MDD server with a system disk running OS X Server 10.4.4 and two disks in a mirror RAID configuration. When I try to apply users/groups to the ACL, the changes are not accepted. I can drag users/groups to the ACL on the main system disk, but not to the RAID (not even the little black line shows up).
    Can ACLs only be applied to the system disk? If not, any clues as to what I might be doing wrong?
    [Background: The machine originally ran Server 10.3.8 with the same hardware configuration. The OS is a completely new install (erase and install). I thought this might have had something to do with it, so I broke the RAID and recreated it, to no avail.]

    Worked it out myself. Thanks!

  • Applying ACL globally

    I have a question that I hope someone can clarify. I will be supporting a new ASA 5585-X running 8.4, and I was wondering if it's possible to apply an ACL globally instead of as an access-group applied to a specific interface in or out. Below are the interfaces and ACL.
    interface GigabitEthernet0/1
    nameif internet-outside
    security-level 0
    ip address X.X.X.X 255.255.255.0 standby X.X.X.X
    interface GigabitEthernet0/2
    nameif internet-dmz
    security-level 10
    ip address 10.69.201.X 255.255.255.0 standby 10.69.201.X
    interface TenGigabitEthernet0/8.129
    nameif core-inside
    security-level 100
    ip address 10.69.129.X 255.255.255.0 standby 10.69.129.X
    interface TenGigabitEthernet0/9.130
    nameif VLAN130
    security-level 50
    ip address 10.69.130.X 255.255.255.0 standby 10.69.130.X
    interface TenGigabitEthernet0/9.134
    nameif VLAN134
    security-level 50
    ip address 10.69.134.X 255.255.255.0 standby 10.69.134.X
    interface TenGigabitEthernet0/9.136
    nameif VLAN136
    security-level 50
    ip address 10.69.136.X 255.255.255.0 standby 10.69.136.X
    interface TenGigabitEthernet0/9.140
    nameif VLAN140
    security-level 50
    ip address 10.69.140.X 255.255.255.0 standby 10.69.140.X
    ACL
    access-list wwy-legacy remark Citrix Communications
    access-list wwy-legacy extended permit ip object-group All-Citrix object-group All-Citrix
    access-list wwy-legacy remark Check Point Firewall MGMT
    access-list wwy-legacy extended permit tcp object-group FW-Admins object-group CP-Firewalls object-group CP-svc-tcp
    access-list wwy-legacy extended permit udp object-group FW-Admins object-group CP-Firewalls object-group CP-svc-udp
    access-list wwy-legacy remark QUALYS Scanner Access
    access-list wwy-legacy extended permit ip object-group qualys-scanners any
    access-list wwy-legacy extended permit tcp object-group CN_HQ_NET host 10.69.130.12 eq 8080
    access-list wwy-legacy remark ISX-Solorwinds
    access-list wwy-legacy extended permit udp host 10.121.137.92 any object-group SNMP-mgmt-udp
    access-list wwy-legacy extended permit icmp host 10.121.137.92 any
    access-list wwy-legacy extended permit icmp any host 10.121.137.92
    access-list wwy-legacy extended permit udp any host 10.121.137.92 object-group SNMP-mgmt-udp
    access-list wwy-legacy remark citrix access to QA Leo systems
    access-list wwy-legacy extended permit tcp object-group vmww-grp-2 object-group vmww-grp-1 eq www
    access-list wwy-legacy remark EDI-Outbound
    access-list wwy-legacy extended permit tcp host 10.69.130.68 host 198.65.112.233 eq ssh
    access-list wwy-legacy extended permit tcp host 10.69.130.66 host 198.65.112.233 eq ssh
    access-list wwy-legacy extended permit tcp host 10.69.130.68 host 38.96.217.8 eq ssh
    access-list wwy-legacy extended permit tcp host 10.69.130.69 host 38.96.217.8 eq ssh
    access-list wwy-legacy extended permit tcp host 10.69.130.68 host 184.106.46.199 eq ssh
    access-list wwy-legacy extended permit tcp host 10.69.130.69 host 184.106.46.199 eq ssh
    access-list wwy-legacy remark Security
    access-list wwy-legacy extended permit tcp object-group CP-Firewalls object-group External-ACS object-group security-svc-tcp
    access-list wwy-legacy extended permit udp object-group CP-Firewalls object-group External-ACS object-group security-svc-udp
    access-list wwy-legacy extended permit udp object-group Private_Addresses object-group External-ACS object-group security-svc-udp
    access-list wwy-legacy extended permit tcp object-group Private_Addresses object-group External-ACS object-group security-svc-tcp
    access-list wwy-legacy extended permit tcp object-group Private-Addresses object-group External-ACS object-group security-svc-tcp
    access-list wwy-legacy extended permit udp object-group Private-Addresses object-group External-ACS object-group security-svc-udp
    access-list wwy-legacy remark EDI
    access-list wwy-legacy extended permit ip object-group Primary_EDI_Servers object-group Primary_EDI_Servers
    access-list wwy-legacy extended permit tcp object-group EDI_Customer_To_Portals object-group Primary_EDI_Servers object-group EDI-Common_Inbound_tcp
    access-list wwy-legacy extended permit tcp object-group EDI_Customer_To_Portals host 10.69.201.88 object-group EDI-Common_Inbound_tcp
    access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Customer_To_Portals object-group EDI-Common_Outbound_tcp
    access-list wwy-legacy extended permit udp object-group Primary_EDI_Servers object-group EDI_Customer_To_Portals object-group EDI-Common_Outbound_udp
    access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq ssh
    access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 10022
    access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 2223
    access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 2224
    access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq ssh
    access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 10022
    access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 2223
    access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 2224
    access-list outside-acl-01 extended deny ip any any
    access-group outside-acl-01 in interface internet-outside

    Hi,
    Beginning from 8.3(1) you should be able to use a single access-list to control traffic/connections.
    It still uses the "access-group" command to "attach" the access-list as a global access-list.
    The command format is:
    access-group global
    Just out of interest, are you moving to ASA from some other product, or why would you want to use one global access-list? Personally I could never think of changing to global access-lists. I guess that's probably due to the fact that I have used access-lists attached to a certain interface and direction for so long.
    - Jouni
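The global form Jouni refers to, written out as an added example (not from the thread) using the poster's own list names; it assumes ASA 8.3(1) or later.

```cisco
! Added example. A global ACL is attached with neither interface nor
! direction; it is evaluated for traffic entering every interface
! (ingress only).
access-group wwy-legacy global
!
! Evaluation order on any interface: interface ACL first, then the global
! ACL, then the implicit deny. Because outside-acl-01 ends with an explicit
! "deny ip any any", nothing arriving on internet-outside ever reaches
! wwy-legacy; remove that line if the global list is meant to govern
! that interface as well.
access-group outside-acl-01 in interface internet-outside
!
! verify what is bound where, and that the global entries are taking hits
show running-config access-group
show access-list wwy-legacy
```

Once a global ACL exists, the implicit deny sits at the end of it and applies on every interface, including high-security interfaces that previously relied on the default permit toward lower security levels; anything those interfaces need must now appear in an interface ACL or in the global list.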

  • Cisco 3550 ACL on VLAN

    I have a Cisco 3550-12T, on which I have created VLANs 2, 3, 4 and 5. My requirement is: VLAN 2 can communicate with all VLANs, VLAN 5 should only communicate with VLAN 2 and vice versa, and VLANs 3 and 4 should only communicate with VLAN 2 and vice versa. How do I proceed? By default, if I enable "ip routing" they can all communicate, but how do I filter the packets as I said above?

    Hi,
    You can do it using extended ACLs for denying traffic from VLANs 3 and 4 to VLAN 5. This can also be done using VLAN maps. Please go through the link below:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225sec/3550scg/swacl.htm#wp1082557
    regards,
    -amit singh
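One way to build the extended-ACL version Amit suggests, added here as an example that is not from the thread. Subnets (10.0.N.0/24 for VLAN N, SVI at 10.0.N.1) and ACL names are assumptions. The restriction is placed where a restricted VLAN's packets enter the routing engine, i.e. inbound on each of Vlan3, Vlan4 and Vlan5; Vlan2 carries no ACL, so its hosts can reach every VLAN and their replies leave the restricted SVIs unfiltered.

```cisco
! Added example; addressing is assumed (VLAN N = 10.0.N.0/24, gateway .1).
! Rule: VLANs 3, 4 and 5 may talk only to VLAN 2. Enforced on the "in"
! side of each restricted SVI, which is the only direction in which that
! VLAN's own hosts can originate anything. A packet VLAN 3 sends to VLAN 4
! is dropped at Vlan3 "in"; the reverse is dropped at Vlan4 "in".
ip routing
!
ip access-list extended RESTRICT-VLAN3
 permit ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255
 remark allow hosts to reach their own gateway (ping, DHCP relay, etc.)
 permit ip 10.0.3.0 0.0.0.255 host 10.0.3.1
 deny   ip any any
ip access-list extended RESTRICT-VLAN4
 permit ip 10.0.4.0 0.0.0.255 10.0.2.0 0.0.0.255
 permit ip 10.0.4.0 0.0.0.255 host 10.0.4.1
 deny   ip any any
ip access-list extended RESTRICT-VLAN5
 permit ip 10.0.5.0 0.0.0.255 10.0.2.0 0.0.0.255
 permit ip 10.0.5.0 0.0.0.255 host 10.0.5.1
 deny   ip any any
!
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
 remark no ACL here: VLAN 2 may reach everything
interface Vlan3
 ip address 10.0.3.1 255.255.255.0
 ip access-group RESTRICT-VLAN3 in
interface Vlan4
 ip address 10.0.4.1 255.255.255.0
 ip access-group RESTRICT-VLAN4 in
interface Vlan5
 ip address 10.0.5.1 255.255.255.0
 ip access-group RESTRICT-VLAN5 in
```

Because every permit line names the VLAN's own subnet as source, the lists also drop packets with a spoofed source address arriving on that VLAN. If DHCP or DNS servers live outside VLAN 2, add a permit for them ahead of the deny, or the symptom from the earlier post (hosts unable to obtain DHCP/DNS) appears. `show ip interface Vlan3 | include access list` confirms the binding.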

  • Applying ACL's when copying files using SBM protocol

    I need to change the default behaviour of CMSDK when I'm copying a file with Windows Explorer using the SMB protocol, in this way:
    When I'm copying a file from some branches of my directory tree, I want the ACL that is applied to be the ACL of the original file and not the ACL of the user who is doing the copy. For instance:
    Original file --> 'FILEA' with ACL 'AclA'
    User --> 'Pepe' default ACL 'Acluser'
    Copied file --> 'FILEB'
    CMSDK will copy 'FILEA' to 'FILEB' with ACL 'Acluser', but I need the ACL of 'FILEB' to be 'AclA' (from the original file FILEA) and not 'Acluser'.
    How could I get this?
    Thanks.

    This is not possible with the SMB protocol. Ask for bug 1672091 from Oracle Support.

  • Applying ACL to a folder (Java API)

    Hi there,
    I am wondering how to apply an ACL to a folder in order that this ACL gets automatically assigned to any LibraryObject (Folder or document) dropped in that folder.
    Any help appreciated,
    Stefano

    Not currently possible. There will be some new features in the
    next release that should make this easier.
    Regards,
    Jerry

  • Route map does not applied on interface vlan

    Hi all,
    could you please tell me why I can't apply a route-map on an interface vlan?
    Below is my config:
    SWBBO(config-if)#ip policy route-map TEST
                               ^
    % Invalid input detected at '^' marker.
    Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.0(2)SE1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Fri 04-Jan-13 01:38 by prod_rel_team
    ROM: Bootstrap program is C3750E boot loader
    BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
    BBWMASALE01 uptime is 40 weeks, 1 day, 6 minutes
    System returned to ROM by power-on
    System restarted at 22:12:07 UTC Mon Feb 18 2013
    System image file is "flash:/c3750e-universalk9-mz.150-2.SE1.bin"
    Best regards,
    James

    Hi jon,
    Below is the result of "sh sdm prefer". So do I need an IP Services licence to apply the route-map on the VLAN interface, or just enter the config "sdm prefer routing" and reboot the switch?
    SWBB0#sh sdm prefer
    The current template is "desktop default" template.
    The selected template optimizes the resources in
    the switch to support this level of features for
    8 routed interfaces and 1024 VLANs.
      number of unicast mac addresses:                  6K
      number of IPv4 IGMP groups + multicast routes:    1K
      number of IPv4 unicast routes:                    8K
        number of directly-connected IPv4 hosts:        6K
        number of indirect IPv4 routes:                 2K
      number of IPv6 multicast groups:                  64
      number of directly-connected IPv6 addresses:      74
      number of indirect IPv6 unicast routes:           32
      number of IPv4 policy based routing aces:         0
      number of IPv4/MAC qos aces:                      0.5K
      number of IPv4/MAC security aces:                 0.875k
      number of IPv6 policy based routing aces:         0
      number of IPv6 qos aces:                          0
      number of IPv6 security aces:                     60

  • Applying acl to resources

    Hi,
    if I have a folder hierarchy /xxx/yyy/zzz/*.xml, then I create myacl.xml, put it in /sys/acls/myacl.xml,
    and call DBMS_XDB.setACL('/xxx', '/sys/acls/myacl.xml'),
    will myacl apply to all the subfolders and files along the hierarchy? It seems not, so how can I apply one ACL file to all my resources under /xxx easily?
    thanks a lot,
    Haili

    We're considering a recursive version of setACL for a future release... In the meantime you'll need your own PL/SQL block to do this:
    set serveroutput on
    declare
      -- every resource at or below the chosen path
      cursor getDocuments is
        select any_path
          from resource_view
         where under_path(res, '/home/SCOTT') = 1;
    begin
      for doc in getDocuments loop
        dbms_xdb.setAcl(doc.any_path, '/sys/acls/all_owner_acl.xml');
      end loop;
      commit;
    end;
    /
    PL/SQL procedure successfully completed.
    mdrake

  • Applying ACL (setAcl) to Versioned Document in java - Exception thrown

    Hello.,
    I am creating a new versioned document object and trying to apply an acl using doc.setAcl();
    However I receive an exception on the step where I am trying to set the ACL (below are the exceptions with IfsException.setVerboseMessage(true) )
    oracle.ifs.common.IfsException: IFS-30043: Insufficient access to change PublicObjects Owner
    oracle.ifs.common.IfsException: IFS-10204: Cannot update security settings for a PublicObject that has a SecuringPublicObject reference
    Exact same code works when it is not a versioned document.
    What do I need to do extra to take care of versioned documents?
    Thanks,

    Hi,
    I too am trying to upload a document through web service proxies in Java.
    The steps followed are:
    1. login using the login service
    2. upload the document using documentContentService
    3. createDocument using DocumentService
    The last step, createDocument in DocumentService, always returns "No valid session exists", though I try to do the service calls in a stateful session.
    Kindly help if you have any solution for this.
    Regards,
    Bala

  • Applying ACLs to Composite Application Views

    Is it possible to do the following?
    - We have a Composite Application with multiple views (Research, Reports, Admin)
    - We'd like for the Admin View to only be displayed for a specific CRX group
    - Can I set an ACL on the View node under the Application to accomplish this?

    Yes, this is possible by setting up ACLs on the nodes in CRX. The upcoming service pack will have a sample of how to do this - look for the mosaic-accesscontrol-pkg very soon in an updated samples package on packageshare.

  • Reg: ACLs

    HI Experts,
    In my lab setup I configured a Cisco 3560 switch.
    I configured VLAN 20 and VLAN 30.
    VLAN 20 interface IP: 192.168.20.1/24
    VLAN 30 interface IP: 192.168.30.1/24
    Inter-VLAN communication is happening fine.
    For testing purposes I configured extended ACLs.
    Here is my requirement:
    I want to stop communication from VLAN 30 to VLAN 20, but not vice versa.
    Here I configured it like this:
    access-list 111 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
    access-list 111 permit ip any any
    and applied the ACL on the VLAN 30 interface in the 'in' direction:
    ip access-group 111 in
    In this scenario, communication is stopping in both directions.
    If I ping from one of the IPs of VLAN 20 to one of the IPs of VLAN 30, I was getting "Request timed out". And if I ping from one of the IPs of VLAN 20 to the VLAN 30 interface IP, I was able to ping.
    From VLAN 30 to VLAN 20, I was getting "destination host unreachable" from the VLAN 30 IP (that's fine, as it's my requirement).
    So, a solution is needed to communicate from VLAN 20 to VLAN 30.
    Regards,
    Janardhan

    Hello,
    What if you do a reflexive ACL on the .20 VLAN?
    ip access-list extended test
     permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 reflect test-123
    ip access-list extended inbound-packets
     evaluate test-123
    interface fastethernet 0/1.20
     ip access-group test out
     ip access-group inbound-packets in
    Please let me know the result of this.
    Regards,
    Julio

  • ACL applied to Vlan interfaces

    I have been working with access lists for a while now and I think I have good knowledge of them. But the thing I'm still confused with is when you apply an ACL "in" and "out" to an SVI or VLAN virtual interface.
    It seems like on these types of interfaces the directions change completely compared to normal interfaces (Ethernet, serial, etc.). The logic is different and sometimes I find myself in trouble when I have to do some troubleshooting at work.
    I've tried to find some information or manuals from Cisco about this specific issue but unfortunately I couldn't find anything clear.
    Is there some method to quickly know when these ACLs should be applied in one direction or the other?
    Thanks for your time.

    It's no different on an SVI: "in" means coming in from the network (user ports); "out" means out towards the clients' network.
