access-list implementation

Unanswered Question
Jun 17th, 2007


I need to implement an access-list:

1. to allow ftp access to a client machine

2. block all incoming and outgoing traffic to and from the LAN

For example, ip of vlan 1 needs to have access to ip of vlan 2. Block all other traffic. The access-list needs to be implemented on vlan 2.

Anand Narayana Mon, 06/18/2007 - 00:16

Hi Seetharaman,

the command for your setup is....

access-list 101 permit tcp host host eq 21

access-list 101 deny ip any any

Assuming is the ftp server where only should access the ftp service.

a.seetharaman Mon, 06/18/2007 - 01:23

Hi Anandanarayan

yes is ftp server. Also should not be allowed access any resource of any other systems of vlan 1.

Kindly let me know whether the access-group should be bound as "in" or "out" on the vlan 2 interface.

Anand Narayana Mon, 06/18/2007 - 02:21

Hi Seetharaman,

on the vlan 2 interface it should be "in"


interface vlan 2

ip address x.x.x.x x.x.x.x

ip access-group 101 in

with the previously mentioned command in my earlier post, vlan 2 will not be accessible by any other vlans. including vlan 1.

Anand Narayana Tue, 06/19/2007 - 04:24

Hi Seetharaman,

Can I know what command you have issued? Just paste the configuration.

acomiskey Tue, 06/19/2007 - 05:07

How you have the acl written, it should be applied into vlan 1. You need to look at it as the acl being applied into the interface which is a member of vlan 1, since the source in your acl is a vlan 1 address. Being applied into vlan 2 will have no effect as a 172. address will never be the source going "into" a vlan 2 port. The other alternative would be to apply the acl as "out" of vlan 2.

access-list 101 permit tcp host host eq 21

access-list 101 deny ip any any

int vlan 1

ip access-group 101 in
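A small model of ACL placement, added here as an example and not taken from the thread or from Cisco IOS: it evaluates access-list 101 against a packet and applies it only when the bound SVI and direction actually lie on the packet's path, which is the point acomiskey makes above. The addresses and VLAN subnets are constructed placeholders, since the thread's real ones were stripped.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (the thread omits the real ones). VLAN 1 is the
# client side (a "172." address, per the thread); VLAN 2 hosts the FTP server.
VLANS = {1: ip_network("172.16.1.0/24"), 2: ip_network("10.2.2.0/24")}
CLIENT = "172.16.1.10"   # the one VLAN 1 host allowed to reach FTP
OTHER = "172.16.1.99"    # any other VLAN 1 host
FTP = "10.2.2.20"        # FTP server in VLAN 2

# access-list 101 permit tcp host CLIENT host FTP eq 21
# access-list 101 deny ip any any
ACL_101 = [
    ("permit", "tcp", CLIENT, FTP, 21),
    ("deny", "ip", "any", "any", None),
]

def acl_lookup(acl, proto, src, dst, dport):
    """First-match ACE evaluation; no match means the implicit deny."""
    for action, aproto, asrc, adst, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if asrc != "any" and asrc != src:
            continue
        if adst != "any" and adst != dst:
            continue
        if aport is not None and aport != dport:
            continue
        return action == "permit"
    return False

def vlan_of(ip):
    """SVI on which a host's packet enters or leaves the router."""
    for vid, net in VLANS.items():
        if ip_address(ip) in net:
            return vid
    raise ValueError(f"{ip} is not in a known VLAN")

def forwarded(proto, src, dst, dport, acl, bound_vlan, direction):
    """Does a routed packet survive an ACL bound 'in' or 'out' on one SVI?

    'in' checks packets entering the router from that VLAN (source side);
    'out' checks packets the router sends into that VLAN (destination side).
    An ACL that never sits on the packet's path filters nothing, and because
    the ACL is stateless, the server's reply packets are judged on their own.
    """
    on_path = (direction == "in" and vlan_of(src) == bound_vlan) or \
              (direction == "out" and vlan_of(dst) == bound_vlan)
    return acl_lookup(acl, proto, src, dst, dport) if on_path else True
```

Binding the list "in" on vlan 2 leaves VLAN 1 hosts completely unfiltered, while the same list "in" on vlan 1 or "out" on vlan 2 permits only the client's FTP control connection.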

