access-list implementation

a.seetharaman
Level 1

Hi,

I need to implement an access-list

1 to allow ftp access to a client machine

2 block all incoming and outgoing traffic to and from the LAN

for example ip 172.9.2.2 of vlan 1 needs to have access to ip 192.168.2.2 of vlan 2. Block all other traffic. Access-list needs to be implemented on vlan2

6 Replies

Anand Narayana
Level 6

Hi Seetharaman,

The command for your setup is:

access-list 101 permit tcp host 172.9.2.2 host 192.168.2.2 eq 21

access-list 101 deny ip any any

Assuming 192.168.2.2 is the ftp server where only 172.9.2.2 should access the ftp service.

Hi Anandanarayan

Yes, 192.168.2.2 is the ftp server. Also, 192.168.2.2 should not be allowed to access any resource on any other system in vlan 1.

Kindly let me know whether the access-group should be bound as "in" or "out" on the vlan 2 interface.

Hi Seetharaman,

On the vlan 2 interface it should be "in",

i.e.

interface vlan 2

ip address x.x.x.x x.x.x.x

ip access-group 101 in

With the command from my earlier post, vlan 2 will not be accessible by any other vlan, including vlan 1.

Dear Ananda narayan

It's not happening. I opened both port 20 and port 21.

Hi Seetharaman,

Can I know what command you have issued? Just paste the configuration.

The way you have the acl written, it should be applied to vlan 1. You need to look at it as the acl being applied to the interface which is a member of vlan 1, since the source in your acl is a vlan 1 address. Applying it "in" on vlan 2 will have no effect, as a 172. address will never be the source going "into" a vlan 2 port. The other alternative would be to apply the acl as "out" on vlan 2.

access-list 101 permit tcp host 172.9.2.2 host 192.168.2.2 eq 21

access-list 101 deny ip any any

int vlan 1

ip access-group 101 in
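As an added illustration (not part of the thread), here is a small Python model of the direction point made in the reply above: a routed packet is checked only by the inbound ACL of the SVI it arrives on and the outbound ACL of the SVI it leaves on, so access-list 101 bound "in" on vlan 2 never sees the client's packets but does drop the server's replies, while "in" on vlan 1 or "out" on vlan 2 filters the client flow as intended. The subnet masks, the reply port and the server-initiated connection are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

# access-list 101 as posted in the thread: (action, proto, src, dst, eq-port or None)
ACL_101 = [
    ("permit", "tcp", "172.9.2.2/32", "192.168.2.2/32", 21),
    ("deny",   "ip",  "0.0.0.0/0",    "0.0.0.0/0",      None),
]

# Constructed topology (assumption; the thread never gives the masks): subnet behind each SVI.
SVI_SUBNET = {"vlan1": ip_network("172.9.2.0/24"), "vlan2": ip_network("192.168.2.0/24")}

def svi_for(addr: str) -> str:
    """Name of the SVI whose subnet contains addr."""
    for name, net in SVI_SUBNET.items():
        if ip_address(addr) in net:
            return name
    raise ValueError(f"no SVI for {addr}")

def acl_decision(acl, pkt: Packet) -> str:
    """First-match evaluation with the implicit deny that ends every IOS ACL."""
    for action, proto, src, dst, port in acl:
        if (proto in ("ip", pkt.proto)
                and ip_address(pkt.src) in ip_network(src)
                and ip_address(pkt.dst) in ip_network(dst)
                and port in (None, pkt.dport)):
            return action
    return "deny"

def forward(pkt: Packet, bindings: dict) -> str:
    """bindings maps (svi, 'in'|'out') -> acl. A routed packet is checked by the 'in' ACL
    of the SVI it enters on (source subnet) and the 'out' ACL of the SVI it leaves on."""
    for hop in ((svi_for(pkt.src), "in"), (svi_for(pkt.dst), "out")):
        acl = bindings.get(hop)
        if acl is not None and acl_decision(acl, pkt) == "deny":
            return "dropped"
    return "forwarded"

# Constructed packets: client FTP control SYN, the server's reply, and a server-opened connection.
FTP_SYN = Packet("172.9.2.2", "192.168.2.2", "tcp", 21)
FTP_REPLY = Packet("192.168.2.2", "172.9.2.2", "tcp", 40001)
SERVER_INIT = Packet("192.168.2.2", "172.9.2.9", "tcp", 445)
```

Running forward(SERVER_INIT, {("vlan1", "in"): ACL_101}) returns "forwarded", which shows that with the ACL only inbound on vlan 1, connections the FTP server itself opens toward vlan 1 are not filtered, so the question's second requirement needs a separate ACL.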
