Catalyst 3750 Switch - Access List Problem

Unanswered Question
Mar 25th, 2008

Hello all,

We are using a 3750 switch with 4 VLANs.

VLAN 1 is configured with

VLAN 2 is configured with segment

and likewise VLANs 3 and 4.

I have applied an access list on VLAN 2 to block access for everyone and permit only the specified hosts.


interface Vlan1
 ip address
 standby 10 ip
 standby 10 priority 110
!
interface Vlan2
 ip address
 ip access-group TEMP in
 standby 20 ip
 standby 20 priority 110
!
interface Vlan3
 ip address
 standby 30 ip
 standby 30 priority 110
!
ip access-list extended TEMP
 permit ip host
 permit ip host
 permit udp any any

When I applied it on VLAN 2, I could not ping from this switch, but all the other hosts which do not have access can still ping the segment which I want to deny.

Please help me soon.

connect2world Tue, 03/25/2008 - 02:01

Your last statement, permit udp any any, should be deny ip any any. But before you do that, you might want to allow the IP from which you manage the switch.

Dipesh Patel Tue, 03/25/2008 - 03:23

Dear Sir,

Still everyone can access. There is no effect from the access list.

Please help.

mahmoodmkl Tue, 03/25/2008 - 03:31


You are permitting all the IPs from the specified subnets to access the two hosts. Try to access any other hosts and check.

And what is the IP of the system, and which VLAN is it in?



Dipesh Patel Tue, 03/25/2008 - 03:48

Dear all,

here is the configuration in the attachment.

Though I have applied the access list, all can access this segment.

Please give a suggestion ASAP.

mahmoodmkl Tue, 03/25/2008 - 04:07


What is the source of your traffic? I think you want everyone to access the hosts specified in the list. You are not denying anyone else access to your subnet, i.e. I think you are confused and not able to understand your requirement.

If you want the hosts specified in the list to access this subnet, then you need to change the order of the list.

access-list permit host (ip address)

Make all your entries

and apply the access-list as outbound on your interface.



Dipesh Patel Tue, 03/25/2008 - 04:35

Dear Mahmood,

I want to secure the network from all outside hosts. Only the hosts specified in the access list should be able to access this network. This is my requirement.

Please give me the configuration idea for that.

mahmoodmkl Tue, 03/25/2008 - 04:41


You need to define the access-list as follows:

access-list extended permit host
access-list extended permit host
access-list extended permit host
permit udp any any
deny ip any any

interface vlan 2
 ip access-group extended out



mattcalderon Tue, 03/25/2008 - 04:44

There is an implicit deny at the end of an ACL. You don't have to specify it.

hobbe Thu, 03/27/2008 - 07:48

This is true.

However, if you do want logging or hit counts to work with it, then you would have to add the line to the access-list.

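The points made across this thread (filter packets the router forwards onto VLAN 2 rather than packets arriving from it, so the list belongs outbound on Vlan2; a `permit udp any any` ahead of the deny lets any outside host's UDP through; and only an explicit `deny ip any any` gets a hit counter and log) worked as an added example. This is a small Python model of first-match ACL evaluation on an SVI written for this page; it is not Cisco code and not the poster's configuration. The VLAN prefixes (10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24), the two allowed hosts 10.0.1.5 and 10.0.3.7, the stranger addresses and the log line format are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    proto: str  # "icmp", "udp" or "tcp"
    src: str
    dst: str


@dataclass
class Ace:
    """One entry of an extended ACL: permit|deny <proto> <src> <dst> [log]."""
    action: str
    proto: str  # "ip" matches every protocol
    src: str    # "any", "host A.B.C.D" or a CIDR prefix
    dst: str
    log: bool = False
    hits: int = 0  # the "(N matches)" counter of `show access-lists`

    @staticmethod
    def _addr_match(spec, addr):
        if spec == "any":
            return True
        if spec.startswith("host "):
            return ip_address(spec[5:]) == ip_address(addr)
        return ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt):
        return (self.proto in ("ip", pkt.proto)
                and self._addr_match(self.src, pkt.src)
                and self._addr_match(self.dst, pkt.dst))


class Acl:
    def __init__(self, name, aces):
        self.name, self.aces = name, aces
        self.implicit_denies = 0  # hits on the unwritten trailing deny; IOS never shows these

    def evaluate(self, pkt):
        for ace in self.aces:  # first match wins; later entries are not consulted
            if ace.matches(pkt):
                ace.hits += 1
                if ace.log:  # stand-in for the IOS access-list log message (format constructed)
                    print(f"list {self.name} {ace.action} {pkt.proto} {pkt.src} -> {pkt.dst}")
                return ace.action
        self.implicit_denies += 1
        return "deny"


class Svi:
    """Routed VLAN interface: acl_in filters packets the router receives from this
    VLAN's hosts, acl_out filters packets the router forwards onto this VLAN."""
    def __init__(self, name, network, acl_in=None, acl_out=None):
        self.name, self.network = name, ip_network(network)
        self.acl_in, self.acl_out = acl_in, acl_out


def forward(svis, pkt):
    src_svi = next(s for s in svis if ip_address(pkt.src) in s.network)
    dst_svi = next(s for s in svis if ip_address(pkt.dst) in s.network)
    if src_svi is dst_svi:
        return "switched"  # same VLAN: bridged at layer 2, no SVI ACL is consulted
    if src_svi.acl_in and src_svi.acl_in.evaluate(pkt) == "deny":
        return "denied-in"
    if dst_svi.acl_out and dst_svi.acl_out.evaluate(pkt) == "deny":
        return "denied-out"
    return "routed"


ALLOWED = ["10.0.1.5", "10.0.3.7"]  # constructed: the only hosts allowed into VLAN 2


def build_acl(name, keep_udp_any, explicit_deny):
    aces = [Ace("permit", "ip", f"host {h}", "any") for h in ALLOWED]
    if keep_udp_any:
        aces.append(Ace("permit", "udp", "any", "any"))
    if explicit_deny:
        aces.append(Ace("deny", "ip", "any", "any", log=True))
    return Acl(name, aces)


def run_scenarios():
    r = {}
    # 1. The thread's first attempt: TEMP applied *in* on Vlan2, no explicit deny.
    temp = build_acl("TEMP", keep_udp_any=True, explicit_deny=False)
    svis = [Svi("Vlan1", "10.0.1.0/24"), Svi("Vlan2", "10.0.2.0/24", acl_in=temp),
            Svi("Vlan3", "10.0.3.0/24")]
    r["in_stranger_to_vlan2"] = forward(svis, Packet("icmp", "10.0.1.99", "10.0.2.10"))
    r["in_vlan2_reply"] = forward(svis, Packet("icmp", "10.0.2.10", "10.0.1.99"))
    r["in_vlan2_udp_out"] = forward(svis, Packet("udp", "10.0.2.10", "10.0.3.50"))
    r["in_implicit_denies"] = temp.implicit_denies
    # 2. Applied *out* on Vlan2 with a logged deny, keeping and dropping `permit udp any any`.
    for label, keep in (("leaky", True), ("fixed", False)):
        acl = build_acl("PROTECT", keep_udp_any=keep, explicit_deny=True)
        svis = [Svi("Vlan1", "10.0.1.0/24"), Svi("Vlan2", "10.0.2.0/24", acl_out=acl),
                Svi("Vlan3", "10.0.3.0/24")]
        r[f"{label}_allowed_icmp"] = forward(svis, Packet("icmp", "10.0.1.5", "10.0.2.10"))
        r[f"{label}_stranger_icmp"] = forward(svis, Packet("icmp", "10.0.1.99", "10.0.2.10"))
        r[f"{label}_stranger_udp"] = forward(svis, Packet("udp", "10.0.1.99", "10.0.2.10"))
        r[f"{label}_reply_to_allowed"] = forward(svis, Packet("icmp", "10.0.2.10", "10.0.1.5"))
        r[f"{label}_intra_vlan"] = forward(svis, Packet("tcp", "10.0.2.20", "10.0.2.10"))
        r[f"{label}_deny_hits"] = acl.aces[-1].hits
    return r


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key:24} {value}")
```

Two things the run makes visible that the thread only states: with the list inbound on Vlan2 a stranger's packet toward VLAN 2 is routed untouched (only the VLAN 2 host's reply is dropped, by the invisible implicit deny), and with the list outbound the leaky variant still routes the stranger's UDP while the explicit `deny ip any any log` entry's hit counter climbs only for what it actually catches. Intra-VLAN traffic is bridged and never reaches either list, so an SVI ACL cannot protect VLAN 2 hosts from each other.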
