access-list implementation

Jun 17th, 2007

Hi,

I need to implement an access-list:

1. to allow FTP access to a client machine
2. to block all incoming and outgoing traffic to and from the LAN

For example, IP 172.9.2.2 on VLAN 1 needs to have access to IP 192.168.2.2 on VLAN 2. Block all other traffic. The access-list needs to be implemented on VLAN 2.

Anand Narayana Mon, 06/18/2007 - 00:16

Hi Seetharaman,

The commands for your setup are:

! Permit only the client's FTP control connection (TCP/21) to the server
access-list 101 permit tcp host 172.9.2.2 host 192.168.2.2 eq 21
! Explicitly deny everything else (an ACL ends with an implicit deny anyway)
access-list 101 deny ip any any

Assuming 192.168.2.2 is the FTP server and only 172.9.2.2 should access the FTP service.

a.seetharaman Mon, 06/18/2007 - 01:23

Hi Anandanarayan,

Yes, 192.168.2.2 is the FTP server. Also, 192.168.2.2 should not be allowed to access any resource on any other system in VLAN 1.

Kindly let me know whether the access-group should be bound as "in" or "out" on the VLAN 2 interface.


Anand Narayana Mon, 06/18/2007 - 02:21

Hi Seetharaman,

On the VLAN 2 interface it should be "in", i.e.:

interface vlan 2
 ! x.x.x.x placeholders: use the real SVI address and mask
 ip address x.x.x.x x.x.x.x
 ! bind access-list 101 to traffic entering this interface
 ip access-group 101 in

With the commands from my earlier post, VLAN 2 will not be accessible by any other VLANs, including VLAN 1.

a.seetharaman Mon, 06/18/2007 - 05:46

Dear Ananda narayan,

It's not happening. I opened both ports 20 and 21.

Anand Narayana Tue, 06/19/2007 - 04:24

Hi Seetharaman,

Can I know what commands you have issued? Just paste the configuration.

acomiskey Tue, 06/19/2007 - 05:07

The way you have the ACL written, it should be applied "in" on VLAN 1. You need to look at it as the ACL being applied inbound on the interface which is a member of VLAN 1, since the source in your ACL is a VLAN 1 address. Applied "in" on VLAN 2 it will have no effect, as a 172. address will never be the source going "into" a VLAN 2 port. The other alternative would be to apply the ACL as "out" of VLAN 2.

access-list 101 permit tcp host 172.9.2.2 host 192.168.2.2 eq 21
access-list 101 deny ip any any

int vlan 1
 ip access-group 101 in
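To make the direction argument concrete, here is an added example (my own, not from the thread or from Cisco) that simulates first-match evaluation of access-list 101 on a routed VLAN interface and reports what happens to the client's FTP control connection, the server's reply and an unrelated request under each binding. The /24 subnets, the sample packets and the simplified in/out semantics (inbound on an SVI sees packets sourced in that VLAN, outbound sees packets destined to it) are assumptions; the simulation is stateless and ignores the FTP data channel.

```python
"""Simulated evaluation of a Cisco-style extended ACL on a VLAN interface.

Added illustration, not code from the thread. Subnets, packets and the
simplified in/out semantics are assumptions documented inline.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port, None for non-TCP/UDP


@dataclass(frozen=True)
class Ace:
    """One access-control entry of a numbered extended ACL."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str                      # "any" or a single host address
    dst: str                      # "any" or a single host address
    dport: Optional[int] = None   # "eq <port>"; None means any port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; an exhausted (or empty) ACL denies."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"                 # the implicit deny at the end of every ACL


# Constructed subnets: the thread names only the two hosts, /24 is assumed.
VLANS = {1: ip_network("172.9.2.0/24"), 2: ip_network("192.168.2.0/24")}


def passes(acl: List[Ace], vlan: int, direction: str, p: Packet) -> bool:
    """Result for a routed packet when `acl` is bound to `interface vlan <vlan>`.

    Simplified SVI semantics (assumption): "in" filters packets arriving from
    hosts in that VLAN, "out" filters packets forwarded toward hosts in that
    VLAN. A packet that does not cross the interface in that direction is
    never checked against the ACL at all.
    """
    net = VLANS[vlan]
    addr = ip_address(p.src) if direction == "in" else ip_address(p.dst)
    if addr not in net:
        return True               # ACL not consulted for this packet
    return evaluate(acl, p) == "permit"


# The two lines from the thread, as data.
ACL_101 = [
    Ace("permit", "tcp", "172.9.2.2", "192.168.2.2", 21),
    Ace("deny", "ip", "any", "any"),
]

# Constructed traffic: the client's FTP control SYN, the server's reply to it,
# and an unrelated HTTP request from the client to another VLAN 2 host.
CLIENT_FTP_SYN = Packet("172.9.2.2", "192.168.2.2", "tcp", 21)
SERVER_FTP_REPLY = Packet("192.168.2.2", "172.9.2.2", "tcp", 50000)
CLIENT_HTTP = Packet("172.9.2.2", "192.168.2.5", "tcp", 80)


def scenario(vlan: int, direction: str) -> Dict[str, bool]:
    """Which of the three sample packets get through under one ACL binding."""
    return {
        "ftp_syn": passes(ACL_101, vlan, direction, CLIENT_FTP_SYN),
        "ftp_reply": passes(ACL_101, vlan, direction, SERVER_FTP_REPLY),
        "http": passes(ACL_101, vlan, direction, CLIENT_HTTP),
    }


if __name__ == "__main__":
    for vlan, direction in [(2, "in"), (1, "in"), (2, "out")]:
        print(f"interface vlan {vlan} / ip access-group 101 {direction}:",
              scenario(vlan, direction))
```

Bound inbound on vlan 2, the ACL never sees the client's packets, but it does see the server's replies and drops them, which is exactly the symptom of an FTP session that "is not happening"; inbound on vlan 1 or outbound on vlan 2 filters the client's traffic as intended while leaving the replies alone. Neither placement inspects connections initiated from vlan 2 toward vlan 1, so the second requirement in the question (the server reaching nothing in vlan 1) needs its own entries in that direction.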
