Access list - help

Unanswered Question
Feb 6th, 2008

Hi.

I would like to only allow some traffic between a couple of servers on a VLAN and on a remote site, and block the other traffic.

For example, if I do:

access-list 180 permit ip host 10.1.1.1 host 10.2.2.2

and

interface Vlan599
 ip access-group 180 in

Imagine that 10.1.1.1 is a member of my VLAN servers

Imagine that VLAN 599 is where my router is connected to connect to 10.2.2.2

As far as I understand, this ACL will only allow 10.1.1.1 to connect to 10.2.2.2.

Will that block 10.2.2.2 from connecting to 10.1.1.1,

or do I need another ACL like:

access-list 181 permit ip host 10.2.2.2 host 10.1.1.1

interface Vlan599
 ip access-group 181 out

?

Thanks.

a.cruea1980 Wed, 02/06/2008 - 10:07

No, you don't need another ACL.

VLANs allow traffic through by default. Your "ip access-g 180 in" should work just fine.

trombidz1 Thu, 02/07/2008 - 01:03

OK.

How about if I have another host, 10.2.2.3, on the remote site?

Will the traffic be blocked from 10.1.1.1 to 10.2.2.3 as well?

Jon Marshall Thu, 02/07/2008 - 01:31

Hi

Not sure I fully understand your topology.

Is VLAN 599 the VLAN where 10.2.2.2 lives, or 10.1.1.1?

If it is 10.2.2.2 then your access-list applied on the VLAN 599 interface inbound will have no effect, i.e.

your access-list says permit ip (presumably) from 10.1.1.1 to 10.2.2.2.

If VLAN 599 is the VLAN for 10.1.1.1 then it will work fine. But if VLAN 599 is the VLAN for 10.2.2.2 then it will actually block the return traffic, and it will do this because of the implicit deny at the end of access-list 180: the return traffic is

source 10.2.2.2, destination 10.1.1.1, which doesn't match "access-list 180 permit ip host 10.1.1.1 host 10.2.2.2". However, there is an implicit deny at the end of access-list 180, so it will be dropped.

So if VLAN 599 is the VLAN for 10.2.2.2 you need to apply ACL 180 inbound on the VLAN interface that connects to 10.1.1.1.

Does this make sense?

Jon

trombidz1 Thu, 02/07/2008 - 01:41

OK, I'll clarify.

10.1.1.1 is in vlan 599

source is 10.1.1.1

destinations are 10.2.2.2 and 10.2.2.3

My ACL is:

access-list 180 permit ip host 10.1.1.1 host 10.2.2.2

interface Vlan599
 ip access-group 180 in

So,

1) do I need:

access-list 180 permit ip host 10.2.2.2 host 10.1.1.1

to allow the return traffic?

2) Do I need to do something on my ACL to deny traffic from 10.2.2.2 to 10.1.1.1?

Jon Marshall Thu, 02/07/2008 - 01:48

1) No, you don't, because ACL 180 is only applied inbound on interface Vlan599. So when the return traffic comes back from 10.2.2.2 it will be outbound traffic on VLAN 599, and as you don't have an ACL in the outbound direction you will be fine.

2) Do you mean 10.2.2.3 and not 10.2.2.2? Because I thought you wanted to allow traffic to and from 10.2.2.2.

Assuming 10.2.2.3:

If all your access-list 180 says is

access-list 180 permit ip host 10.1.1.1 host 10.2.2.2

then you have an implicit deny at the end of the ACL, so in effect all traffic from VLAN 599 will be blocked except traffic from 10.1.1.1 to 10.2.2.2.

If this is not what you want:

access-list 180 deny ip host 10.1.1.1 host 10.2.2.3

access-list 180 permit ip any any

i.e. only stop traffic from VLAN 599 to 10.2.2.3.

If you want to actually stop 10.2.2.3 from initiating a connection to 10.1.1.1 then:

access-list 181 deny ip host 10.2.2.3 host 10.1.1.1

access-list 181 permit ip any any

then apply it to the interface that 10.2.2.3 lives on, e.g.

interface Vlan600
 ip access-group 181 in

HTH

Jon

trombidz1 Fri, 02/08/2008 - 02:50

Hi

OK, thanks.

Last one:

is it possible to put two different access-groups on an interface?

interface FastEthernet0/0
 ip access-group 180 out
 ip access-group 190 in

Jon Marshall Fri, 02/08/2008 - 02:54

Yes, you can have one inbound and one outbound access-list on an interface.

Jon
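Jon's explanation of why a single inbound permit on Vlan599 is enough (no ACL in the outbound direction, implicit deny at the end of the list, return traffic dropped if the list is applied on the wrong interface) and his last answer about one ACL per direction can both be checked in a small model. The Python below is an added example written for this thread; it is not code from the original posts or from Cisco. It models IOS extended-ACL first-match evaluation with the implicit deny and an interface that holds at most one ACL per direction. The addresses and ACL numbers are the thread's; the names Ace, Interface, evaluate and the scenario functions are my own, and only "ip" entries are modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed model of IOS-style extended ACL evaluation and of the in/out
# meaning of "ip access-group" on a routed (SVI) interface. Written for this
# thread as an illustration; it is not IOS code and models only "ip" entries.


@dataclass(frozen=True)
class Ace:
    """One entry: 'access-list N <action> ip <src> <dst>'."""
    action: str   # "permit" or "deny"
    src: str      # CIDR prefix: "host X" is X/32, "any" is 0.0.0.0/0
    dst: str


def host(addr: str) -> str:
    """The IOS 'host X' keyword is shorthand for a /32 match."""
    return f"{addr}/32"


ANY = "0.0.0.0/0"


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First match wins. A packet matching no entry hits the implicit
    'deny ip any any', reported here as ("deny", None)."""
    s, d = ip_address(src), ip_address(dst)
    for i, ace in enumerate(acl):
        if s in ip_network(ace.src) and d in ip_network(ace.dst):
            return ace.action, i
    return "deny", None


class Interface:
    """A routed interface holding at most one ACL per direction."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.acl: Dict[str, List[Ace]] = {}

    def access_group(self, acl: List[Ace], direction: str) -> None:
        if direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        self.acl[direction] = acl   # a repeat in the same direction replaces, as on IOS

    def forward(self, direction: str, src: str, dst: str) -> str:
        """'in' = packet arriving from the VLAN's hosts, 'out' = packet leaving
        towards them. With no ACL in that direction nothing is filtered."""
        acl = self.acl.get(direction)
        return "permit" if acl is None else evaluate(acl, src, dst)[0]


# ACL 180 as posted: one permit, then the implicit deny.
ACL_180 = [Ace("permit", host("10.1.1.1"), host("10.2.2.2"))]

# Jon's alternative: block only 10.2.2.3 and let everything else through.
ACL_180_ALT = [Ace("deny", host("10.1.1.1"), host("10.2.2.3")),
               Ace("permit", ANY, ANY)]

# ACL 181, inbound where 10.2.2.3 lives, stops it initiating to 10.1.1.1.
ACL_181 = [Ace("deny", host("10.2.2.3"), host("10.1.1.1")),
           Ace("permit", ANY, ANY)]


def thread_scenario() -> Dict[str, str]:
    """10.1.1.1 is in VLAN 599 and ACL 180 is applied inbound there only."""
    vlan599 = Interface("Vlan599")
    vlan599.access_group(ACL_180, "in")
    return {
        "10.1.1.1->10.2.2.2 in": vlan599.forward("in", "10.1.1.1", "10.2.2.2"),
        "10.1.1.1->10.2.2.3 in": vlan599.forward("in", "10.1.1.1", "10.2.2.3"),
        "10.2.2.2->10.1.1.1 out": vlan599.forward("out", "10.2.2.2", "10.1.1.1"),
    }


def misapplied_scenario() -> str:
    """Jon's warning: ACL 180 inbound on the interface facing 10.2.2.2 instead.
    The return packet 10.2.2.2 -> 10.1.1.1 matches nothing and is dropped."""
    vlan_remote = Interface("Vlan600")
    vlan_remote.access_group(ACL_180, "in")
    return vlan_remote.forward("in", "10.2.2.2", "10.1.1.1")


def two_groups_scenario() -> Dict[str, int]:
    """One inbound and one outbound ACL coexist; a second inbound one replaces."""
    fa0 = Interface("FastEthernet0/0")
    fa0.access_group(ACL_180, "out")
    fa0.access_group(ACL_181, "in")
    fa0.access_group(ACL_180_ALT, "in")
    return {"directions": len(fa0.acl), "inbound_entries": len(fa0.acl["in"])}


if __name__ == "__main__":
    for flow, verdict in thread_scenario().items():
        print(f"{flow:24s} {verdict}")
    print("ACL 180 inbound on the remote VLAN, return traffic:", misapplied_scenario())
    print(two_groups_scenario())
```

Running it shows the three outcomes the thread arrives at: 10.1.1.1 to 10.2.2.2 is permitted, 10.1.1.1 to 10.2.2.3 is dropped by the implicit deny, and the 10.2.2.2 to 10.1.1.1 reply is forwarded because nothing is evaluated in the outbound direction. The model also makes the caveat visible: these ACLs are stateless, so the moment an outbound ACL is added to Vlan599 the return traffic has to be permitted explicitly, exactly as happens in misapplied_scenario when the list sits on the wrong interface.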
