Applying ACL into CSS11500

hassan_oudeh
Level 1

Guys, please, I want help regarding applying an ACL on the circuit.

I have two VLANs trunked into the CSS. I want to permit only port 1080 from, let's say, VLAN1 to VLAN2,

but when applying the clauses to VLAN1 only or VLAN2 only, the ACL is not working (I mean a server in VLAN1 can still ping a server in VLAN2).

BUT I tried applying it on both VLAN1 and VLAN2 and it's working fine!

I'm totally lost and confused... I just tried it as a last resort and it worked!

Please, can anybody tell me the logic of applying the ACL to the VLAN circuit? Where? Near the source or near the destination?

Thanks,

Hasan Odeh


4 Replies

joquesada
Level 1

Hi Hasan,

The ACLs on a CSS are applied to the traffic that comes into a VLAN; this means they are applied to the ingress traffic.

I don't know what configuration you had when it wasn't working and when it was working. I would gladly look at it if you want to explain what the configuration of the CSS was and what configuration you have right now. Thanks!

Regards,

Jose Quesada.

Hi Jose,

Please check the attached txt file; maybe I missed something?!

What I need from the ACL:

permit only two servers, 10.0.207.71/28 and 10.0.207.72/48 (on VLAN 2073), to access the HIS servers (on VLAN 2074) on port 1080, and deny everything else....

Where should I apply the ACL? On VLAN 1073 and/or VLAN 2074??

Thanks in advance,

Hasan Odeh

Hi Hasan,

The ACL needs to be applied on VLAN 2073, but you need to create a second ACL on VLAN 2074 with a permit any any statement. As per the configuration you sent me, the ACL seems properly configured, except that VLAN 2074 is on ACL 1.

Leave ACL 1 as it is but remove the line "apply circuit-(VLAN2074)" (use the command "remove circuit-(VLAN2074)").

Then create an ACL 2 that looks like this:

ACL 2

clause 17 permit any any destination any

apply circuit-(VLAN2074)

Then, do not forget to enable the ACLs globally on the CSS with this command: "(config)# acl enable"

One thing to remember: if you are telnetting to the CSS, make sure that your source IP is not on VLAN 2073 when you enable the ACLs globally, or you will be disconnected. And try not to do this in production. Thanks!

Regards,

Jose.
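
Added example (not from the thread, and not CSS code): a small Python model of the ingress-ACL behaviour Jose describes in his first reply and in the fix above, so the difference between "ACL 1 on both VLANs" and "ACL 1 on VLAN 2073 plus a permit-any ACL 2 on VLAN 2074" can be checked on a desk. The model assumes what the thread states or implies: clauses are evaluated in clause-number order against traffic entering the circuit the ACL is applied to, the first match wins, every ACL ends in an implicit deny, and once "acl enable" is set a circuit with no ACL applied denies everything. The HIS server subnet 10.0.208.0/24, the host 10.0.208.10, the extra host 10.0.207.80 and the clause numbers 10 and 20 are made up for the example.

```python
"""Model of Cisco CSS circuit-ACL evaluation (added example, not from the thread).
Assumptions: clauses are matched in clause-number order against traffic ENTERING
the circuit the ACL is applied to; first match wins; every ACL ends in an implicit
deny; after 'acl enable' a circuit with no ACL applied denies everything.
The HIS subnet 10.0.208.0/24 and the hosts .10 and 10.0.207.80 are made up."""
import ipaddress


def _addr(tok, i):
    """Parse 'any' or '<address> <mask>' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_clause(line):
    """Parse e.g. 'clause 10 permit tcp 10.0.207.71 255.255.255.255 destination any eq 1080'."""
    tok = line.split()
    if tok[0] != "clause" or tok[2] not in ("permit", "deny"):
        raise ValueError(line)
    src, i = _addr(tok, 4)
    if tok[i] != "destination":
        raise ValueError(line)
    dst, i = _addr(tok, i + 1)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"num": int(tok[1]), "action": tok[2], "proto": tok[3],
            "src": src, "dst": dst, "port": port}


class CssAcls:
    def __init__(self):
        self.enabled = False
        self.acls = {}      # acl number -> clauses sorted by clause number
        self.applied = {}   # circuit name -> acl number

    def configure(self, text):
        """Feed CSS-style lines: acl N / clause ... / apply|remove circuit-(X) / acl enable."""
        cur = None
        for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
            tok = line.split()
            if line == "acl enable":
                self.enabled = True
            elif tok[0] == "acl":
                cur = int(tok[1])
                self.acls.setdefault(cur, [])
            elif tok[0] == "clause":
                self.acls[cur].append(parse_clause(line))
                self.acls[cur].sort(key=lambda c: c["num"])
            elif tok[0] == "apply":
                self.applied[tok[1]] = cur
            elif tok[0] == "remove":
                self.applied.pop(tok[1], None)
            else:
                raise ValueError(f"unsupported line: {line}")

    def check(self, circuit, proto, src, dst, dport=None):
        """Verdict for a packet entering `circuit` (ingress); returns (action, reason)."""
        if not self.enabled:
            return "permit", "acls not enabled globally"
        if circuit not in self.applied:
            return "deny", "no acl applied to circuit"
        for c in self.acls[self.applied[circuit]]:
            if c["proto"] != "any" and c["proto"] != proto:
                continue
            if ipaddress.ip_address(src) not in c["src"]:
                continue
            if ipaddress.ip_address(dst) not in c["dst"]:
                continue
            if c["port"] is not None and c["port"] != dport:
                continue
            return c["action"], f"acl {self.applied[circuit]} clause {c['num']}"
        return "deny", f"acl {self.applied[circuit]} implicit deny"


# Hasan's intent: only 10.0.207.71 and .72 (VLAN 2073) may reach the HIS servers on 1080.
ACL1 = """
acl 1
clause 10 permit tcp 10.0.207.71 255.255.255.255 destination 10.0.208.0 255.255.255.0 eq 1080
clause 20 permit tcp 10.0.207.72 255.255.255.255 destination 10.0.208.0 255.255.255.0 eq 1080
apply circuit-(VLAN2073)
"""
# Before the fix: ACL 1 also sits on VLAN 2074, so replies entering from the HIS side are dropped.
BEFORE = ACL1 + "apply circuit-(VLAN2074)\nacl enable\n"
# Jose's fix: VLAN 2074 gets its own permit-any ACL 2.
AFTER = ACL1 + """
acl 2
clause 17 permit any any destination any
apply circuit-(VLAN2074)
acl enable
"""


def scenario(config):
    """Run four representative packets through a config; returns the verdict per packet."""
    css = CssAcls()
    css.configure(config)
    return {
        "ping 71->HIS": css.check("circuit-(VLAN2073)", "icmp", "10.0.207.71", "10.0.208.10")[0],
        "syn 71->HIS:1080": css.check("circuit-(VLAN2073)", "tcp", "10.0.207.71", "10.0.208.10", 1080)[0],
        "syn 80->HIS:1080": css.check("circuit-(VLAN2073)", "tcp", "10.0.207.80", "10.0.208.10", 1080)[0],
        "reply HIS->71": css.check("circuit-(VLAN2074)", "tcp", "10.0.208.10", "10.0.207.71", 40000)[0],
    }


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("no acl enable", ACL1)):
        print(name, scenario(cfg))
```

With BEFORE the SYN from 10.0.207.71 is permitted on VLAN 2073 but the server's reply is dropped on VLAN 2074 because ACL 1's clauses only match sources in 10.0.207.x, so the session never completes; with AFTER the reply passes via ACL 2 while ping and the non-listed host are still denied at ingress on VLAN 2073. Leaving out "acl enable" makes every check return permit, which is why Jose tells Hasan not to forget it; enabling ACLs while VLAN 2074 has no ACL at all makes the model deny the reply with "no acl applied to circuit".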

Dear Jose,

Thanks a lot for your help. I think I got the idea; I will try to apply what you told me.

I would like to ask another question in a new case; please see it if you can help.

Best wishes,

Hasan Odeh
