Lock down the server subnet without locking yourself out

Scenario

Security wants the server subnet locked down. The policy:

• The user LAN may reach server 10.0.2.10 on TCP 80 and 443 only.
• All other user access to the server subnet is denied.
• The admin host (10.0.9.5) keeps full access.
• Nothing else on the network should break.

Topology

• User LAN 10.0.1.0/24 (user host 10.0.1.10)
• Admin LAN 10.0.9.0/24 (admin host 10.0.9.5)
• Server subnet 10.0.2.0/24 (server 10.0.2.10, listening on 80, 443, and 22)
• A router routes between all three; everything is reachable with no filter yet.

Your job

Write the ACL, apply it on the correct interface and direction, and get the ordering right so the policy holds and nothing unrelated breaks.

What "done" looks like

Web (80/443) from a user host to the server works; other ports to the server subnet are denied from users; the admin host is unaffected; nothing else breaks.

Teaches: ACL ordering, direction, the implicit deny, and the classic "don't lock yourself out" lesson.

Tooling

Arista cEOS (native ACL syntax matches what learners study). Free fallback: nftables on a Linux router. Validate syntax on first deploy.