Catalyst 3750 Switch - Access List Problem

Mar 25th, 2008

hello all,


We are using a 3750 switch with 4 VLANs.

VLAN 1 is configured with 192.168.121.0 255.255.255.0

VLAN 2 is configured with the 192.168.122.0 255.255.255.0 segment

and likewise VLANs 3 and 4.

I have applied an access list on VLAN 2 to stop access for all and only permit specified hosts.


e.g.

interface Vlan1
 ip address 192.168.121.1 255.255.255.0
 standby 10 ip 192.168.121.5
 standby 10 priority 110
!
interface Vlan2
 ip address 192.168.122.1 255.255.255.0
 ip access-group TEMP in
 standby 20 ip 192.168.122.5
 standby 20 priority 110
!
interface Vlan3
 ip address 192.168.123.1 255.255.255.0
 standby 30 ip 192.168.123.5
 standby 30 priority 110
!
ip access-list extended TEMP
 permit ip 192.168.122.0 0.0.0.255 host 192.168.123.3
 permit ip 192.168.122.0 0.0.0.255 host 10.31.2.120
 permit udp any any



When I applied it on VLAN 2, I could not ping from this switch, but all the other hosts which do not have access can still ping the 192.168.122.0 segment, which I want to deny.

Please help me soon.


connect2world Tue, 03/25/2008 - 02:01

Your last statement, permit udp any any, should be deny ip any any. But before you do that, you might want to allow the IP from which you manage the switch.

Dipesh Patel Tue, 03/25/2008 - 03:23

Dear Sir,

Still, everyone can access. There is no effect from the access list.

Please help

mahmoodmkl Tue, 03/25/2008 - 03:31

Hi

You are permitting all the IPs from the specified subnet to access the two hosts. Try to access any other hosts and check.

And what is the IP of the system, and in which VLAN is it?


Thanks

Mahmood

Dipesh Patel Tue, 03/25/2008 - 03:48

Dear all,

Here is the configuration in the attachment.

Though I have applied the access list, everyone can access the 192.168.122.0 segment.

Please give a suggestion ASAP.



mahmoodmkl Tue, 03/25/2008 - 04:07

Hi

What is the source of your traffic? I think you want everyone to access the hosts specified in the list. You are not denying anyone else access to your subnet, i.e. 192.168.122.0. I think you are confused and not able to understand your requirement.

If you want the hosts specified in the list to access this subnet, then you need to change the order of the list.

access-list permit host (ip address) 192.168.122.0 0.0.0.255

Make all your entries

and apply the access-list as outbound on your interface.




Thanks

Mahmood

Dipesh Patel Tue, 03/25/2008 - 04:35

Dear Mahmood,

I want to secure the 192.168.122.0 network from all outside hosts. Only the hosts specified in the access list may access this network. This is my requirement.

As per that, please give me the configuration idea.



mahmoodmkl Tue, 03/25/2008 - 04:41

Hi

You need to define the access-list as follows:

ip access-list extended TEMP
 permit ip host 192.22.19.16 192.168.122.0 0.0.0.255
 permit ip host 192.44.108.110 192.168.122.0 0.0.0.255
 permit ip host 192.2.219.91 192.168.122.0 0.0.0.255
 permit udp any any
 deny ip any any
!
interface Vlan2
 ip access-group TEMP out


Thanks

Mahmood

mattcalderon Tue, 03/25/2008 - 04:44

There is an implicit deny at the end of an ACL. You don't have to specify it.

hobbe Thu, 03/27/2008 - 07:48

This is true.

However, if you do want logging or the hit count to work with it, then you would have to add the line to the access-list.
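As an added illustration (not from the thread), here is a small Python model of how IOS evaluates an extended ACL on the Vlan2 SVI: wildcard matching, first-match order, the implicit deny, and which packets the list actually sees depending on whether it is applied in or out. It uses the original poster's two permitted hosts and assumes a simplified model in which an inbound SVI ACL only sees packets sourced from VLAN 2 and an outbound one only packets destined to VLAN 2.

```python
import ipaddress

VLAN2 = ipaddress.ip_network("192.168.122.0/24")
ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any"

def host(addr):
    # IOS "host X" is shorthand for "X 0.0.0.0"
    return (addr, "0.0.0.0")

def wildcard_match(addr, base, wildcard):
    # In an IOS wildcard mask a 1 bit means "don't care"
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, proto, src, dst):
    # First matching entry wins; IOS ends every ACL with an implicit "deny ip any any"
    for action, p, (sb, sw), (db, dw) in acl:
        if p in ("ip", proto) and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def filter_on_vlan2(acl, direction, proto, src, dst):
    # Simplified model: an ACL on the Vlan2 SVI only sees packets crossing it in that
    # direction ("in" = sourced from VLAN 2 hosts, "out" = routed towards VLAN 2 hosts).
    # Anything else never meets the list and is forwarded without being checked.
    if direction == "in" and ipaddress.ip_address(src) not in VLAN2:
        return "not evaluated"
    if direction == "out" and ipaddress.ip_address(dst) not in VLAN2:
        return "not evaluated"
    return evaluate(acl, proto, src, dst)

# The original poster's TEMP list as written (applied "in" on Vlan2)
TEMP_IN = [
    ("permit", "ip", ("192.168.122.0", "0.0.0.255"), host("192.168.123.3")),
    ("permit", "ip", ("192.168.122.0", "0.0.0.255"), host("10.31.2.120")),
    ("permit", "udp", ANY, ANY),
]
# Mahmood's shape: the allowed hosts as the source, applied "out" on Vlan2
TEMP_OUT = [
    ("permit", "ip", host("192.168.123.3"), ("192.168.122.0", "0.0.0.255")),
    ("permit", "ip", host("10.31.2.120"), ("192.168.122.0", "0.0.0.255")),
    ("permit", "udp", ANY, ANY),
    ("deny", "ip", ANY, ANY),  # explicit, so hit counts and logging show the drops
]
```

Running the two lists against a ping from an outside host shows the inbound list never evaluates it while the outbound list denies it; the permit udp any any entry, however, still lets UDP from anywhere reach the subnet, which is connect2world's point.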

