I need help setting up an ACL on a Cisco 3550. I have a server on it that isn't supported by our department, and for many reasons, I need to deny access from that server to a range of IP addresses.
i.e. We want to deny all traffic from that server to 192.168.0.0 --> 192.168.0.40 and vice versa, except for ONE IP in that group, 192.168.0.24, which has DHCP and DNS running on it. I would like the server to be able to talk to any workstation, 192.168.0.41 --> 192.168.2.253, just not any servers.
As it's the 'untrusted' server, I'd apply an ACL 'incoming' onto the VLAN interface of its subnet. This stops it from initiating a DoS attack on hosts beyond that gateway while stopping any return traffic associated with hosts attempting to connect to it.
I suggest you list the permits first, then deny all else from that server and log it to see what it's doing. Due to the explicit deny at the end you may want to permit all other traffic. As DHCP is broadcast, you'll need to allow it access to 'any'.
This was done in a rush and is open for sanity checking.
! <id>, <name> and <server> are placeholders; the VLAN number, ACL name and
! server address were not given in the post
int vlan <id>
 ip access-group <name> in
!
ip access-list extended <name>
 remark dhcp
 permit udp host <server> any eq 67
 permit udp host <server> any eq 68
 remark dns server
 permit udp host <server> host 192.168.0.24 eq 53
 remark deny all else from the server and log it, then permit everything else (as described above)
 deny ip host <server> any log
 permit ip any any
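As an added sanity check (not part of the thread, and not output from any switch), here is a Python script that carries a fuller version of the ACL above in IOS syntax and evaluates it offline with Cisco semantics: first match wins, and anything unmatched hits the implicit deny. The server address 192.168.10.5 and the ACL name UNTRUSTED-SERVER-IN are assumptions, since the thread gives neither. It makes two things visible that a reader would otherwise only find on the switch: a DHCP DISCOVER is sourced from 0.0.0.0, so a `host <server>` source would not match it, and 192.168.0.0-192.168.0.40 is not a single wildcard-mask block, so the deny needs a /27, a /29 and one host entry placed after the 192.168.0.24 exceptions.

```python
"""Offline sanity check of a Cisco IOS extended ACL against the policy asked
for in the thread: deny the server -> 192.168.0.0-192.168.0.40 except DHCP/DNS
to 192.168.0.24, permit it to the workstations.  Added example, not from the
thread; the server address and ACL name below are assumptions."""
import ipaddress

SERVER = "192.168.10.5"      # hypothetical: the unsupported server (not given in the thread)
DNS_DHCP = "192.168.0.24"    # the one host in the server block that stays reachable

# Candidate ACL in IOS syntax, so it can be pasted onto the switch as-is.
ACL_TEXT = f"""
ip access-list extended UNTRUSTED-SERVER-IN
 remark DHCP: a DISCOVER is sourced from 0.0.0.0, so 'host {SERVER}' would miss it
 permit udp any eq 68 any eq 67
 remark DNS to the one permitted server (UDP and TCP 53)
 permit udp host {SERVER} host {DNS_DHCP} eq 53
 permit tcp host {SERVER} host {DNS_DHCP} eq 53
 remark 192.168.0.0-192.168.0.40 is not one prefix: /27 + /29 + a single host
 deny ip host {SERVER} 192.168.0.0 0.0.0.31 log
 deny ip host {SERVER} 192.168.0.32 0.0.0.7 log
 deny ip host {SERVER} host 192.168.0.40 log
 remark workstations 192.168.0.41-192.168.2.253 and everything else
 permit ip any any
"""


def _addr(tokens):
    """Consume one IOS address spec: any | host A | A WILDCARD, then an optional 'eq PORT'."""
    tok = tokens.pop(0)
    if tok == "any":
        net, wild = 0, 0xFFFFFFFF
    elif tok == "host":
        net, wild = int(ipaddress.IPv4Address(tokens.pop(0))), 0
    else:
        net = int(ipaddress.IPv4Address(tok))
        wild = int(ipaddress.IPv4Address(tokens.pop(0)))   # wildcard mask: 1 bits are ignored
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = int(tokens.pop(0))
    return net, wild, port


def parse_acl(text):
    """Return the access-control entries as dicts, in configured order (remarks skipped)."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("ip", "remark", "!"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny"):
            raise ValueError("unsupported line: " + raw)
        src = _addr(rest)
        dst = _addr(rest)
        if rest and rest[0] == "log":       # 'log' does not affect matching
            rest.pop(0)
        if rest:
            raise ValueError("unsupported keywords: " + " ".join(rest))
        entries.append({"text": raw.strip(), "action": action, "proto": proto,
                        "src": src, "dst": dst})
    return entries


def _match_addr(spec, ip, port):
    net, wild, want_port = spec
    if (int(ipaddress.IPv4Address(ip)) | wild) != (net | wild):   # compare only the 0 bits of the wildcard
        return False
    return want_port is None or want_port == port


def evaluate(entries, proto, src, sport, dst, dport):
    """First matching entry wins; no match is the implicit deny at the end of every IOS ACL."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if _match_addr(e["src"], src, sport) and _match_addr(e["dst"], dst, dport):
            return e["action"], e["text"]
    return "deny", "implicit deny"


def check_policy(entries):
    """Sweep 192.168.0.0-192.168.0.63 with a non-DNS flow (TCP 445) from the server and
    report every host whose verdict contradicts the requested policy (empty list = OK)."""
    bad = []
    for last in range(64):
        dst = f"192.168.0.{last}"
        verdict, _ = evaluate(entries, "tcp", SERVER, 40000, dst, 445)
        expected = "deny" if last <= 40 else "permit"
        if verdict != expected:
            bad.append((dst, verdict))
    return bad


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for flow in [("udp", "0.0.0.0", 68, "255.255.255.255", 67),   # DHCP DISCOVER
                 ("udp", SERVER, 40000, DNS_DHCP, 53),             # DNS query
                 ("tcp", SERVER, 40000, DNS_DHCP, 445),            # SMB to the DNS box: denied
                 ("tcp", SERVER, 40000, "192.168.0.40", 22),
                 ("tcp", SERVER, 40000, "192.168.2.253", 445)]:    # workstation
        print(flow, "->", evaluate(acl, *flow))
    print("policy mismatches:", check_policy(acl))
```

One caveat the script cannot show: an inbound ACL on the server's SVI only sees packets leaving the server's VLAN, so the "vice versa" direction (servers initiating toward the untrusted box) is not filtered by it and needs a second ACL, either `out` on the same SVI or `in` on the SVI of the 192.168.0.0 VLAN.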
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.