access-list implementation

Unanswered Question
Jun 17th, 2007

Hi,


I need to implement an access-list:

1. to allow FTP access to a client machine
2. to block all other incoming and outgoing traffic to and from the LAN

For example, IP 172.9.2.2 in vlan 1 needs to have access to IP 192.168.2.2 in vlan 2. Block all other traffic. The access-list needs to be implemented on vlan 2.

Anand Narayana Mon, 06/18/2007 - 00:16

Hi Seetharaman,

the commands for your setup are:

access-list 101 permit tcp host 172.9.2.2 host 192.168.2.2 eq 21
access-list 101 deny ip any any


Assuming 192.168.2.2 is the ftp server where only 172.9.2.2 should access the ftp service.

a.seetharaman Mon, 06/18/2007 - 01:23

Hi Anandanarayan


Yes, 192.168.2.2 is the FTP server. Also, 192.168.2.2 should not be allowed to access any resource on any other system in vlan 1.

Kindly let me know whether the access-group should be bound as "in" or "out" on the vlan 2 interface.


Anand Narayana Mon, 06/18/2007 - 02:21

Hi Seetharaman,

on the vlan 2 interface it should be "in",

i.e.

interface vlan 2
ip address x.x.x.x x.x.x.x
ip access-group 101 in

With the commands mentioned in my earlier post, vlan 2 will not be accessible by any other vlans, including vlan 1.

Anand Narayana Tue, 06/19/2007 - 04:24

Hi Seetharaman,

Can I know what commands you have issued? Just paste the configuration.

acomiskey Tue, 06/19/2007 - 05:07

The way you have the ACL written, it should be applied "in" on vlan 1. You need to look at it as the ACL being applied inbound on the interface which is a member of vlan 1, since the source in your ACL is a vlan 1 address. Being applied "in" on vlan 2 will have no effect, as a 172. address will never be the source going "into" a vlan 2 port. The other alternative would be to apply the ACL as "out" on vlan 2.

access-list 101 permit tcp host 172.9.2.2 host 192.168.2.2 eq 21
access-list 101 deny ip any any

int vlan 1
ip access-group 101 in
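The following is a constructed model of the direction semantics described in the post above; it is added here and is not part of the thread or Cisco's code. It evaluates access-list 101 against routed packets between the two VLANs and shows which SVI/direction bindings actually see each flow. The packet fields, the sample flows and the binding helper are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    src_vlan: int  # VLAN the packet is routed from (constructed field)
    dst_vlan: int  # VLAN the packet is routed to (constructed field)

# access-list 101 from the thread: (action, protocol, source, destination, dst port)
ACL_101 = [
    ("permit", "tcp", "172.9.2.2", "192.168.2.2", 21),
    ("deny", "ip", "any", "any", None),
]

def entry_matches(entry, pkt):
    """True when one ACL entry matches the packet ('ip' and 'any' are wildcards)."""
    _, proto, src, dst, dport = entry
    return ((proto == "ip" or proto == pkt.proto)
            and (src == "any" or src == pkt.src)
            and (dst == "any" or dst == pkt.dst)
            and (dport is None or dport == pkt.dport))

def acl_decision(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry[0]
    return "deny"

def forward(pkt, acl, bound_vlan, direction):
    """Decision for a routed packet given where the ACL is bound (constructed model).
    'in' on an SVI sees traffic arriving from that VLAN, 'out' sees traffic leaving
    towards it; a packet that crosses the SVI the other way is never evaluated."""
    if direction == "in" and pkt.src_vlan == bound_vlan:
        return acl_decision(acl, pkt)
    if direction == "out" and pkt.dst_vlan == bound_vlan:
        return acl_decision(acl, pkt)
    return "permit"  # ACL not consulted, so this binding has no effect on the flow

# Constructed sample flows between the two VLANs in the thread
FTP_CTRL = Packet("172.9.2.2", "192.168.2.2", "tcp", 21, 1, 2)    # allowed client
OTHER_HOST = Packet("172.9.2.3", "192.168.2.2", "tcp", 80, 1, 2)  # other vlan 1 host
FROM_SERVER = Packet("192.168.2.2", "172.9.2.3", "tcp", 445, 2, 1)  # server-initiated
```

The server-initiated flow is not evaluated by either the vlan 1 "in" or the vlan 2 "out" binding, so the requirement that 192.168.2.2 must not reach vlan 1 resources needs a separate ACL in the other direction. Only the FTP control connection on port 21 appears in the ACL; FTP data connections use additional ports and are not covered by it.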
