need help with acl's

Unanswered Question
Jun 9th, 2008

Here is what I have built:

ip access-list extended QA2

10 permit ip any

20 deny ip any log

30 deny ip any log

40 permit tcp any any eq www

50 permit tcp any any eq smtp

60 permit tcp any any eq 443

70 permit tcp any any eq ssh

Basicaly, I want to allow the hosts on QA2 ( access to net for all proto's, and only 22,25,80 and 443 to the internet...

One side question to the above:

I have this QA2 vlan span across 2 core switches (6513's) and have setup hsrp on the 2 vlan interface ( and .3) as

The switch does not have a default gateway. Not sure what I should put it as...

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
pipsadmin Mon, 06/09/2008 - 09:42

also, this should be on the Vlan interface as an access class QA2 in ... correct? closest to the source?

Richard Burts Mon, 06/09/2008 - 10:01


Here are some comments about your access list:

- yes it should be applied inbound on the VLAN interface where that VLAN is located.

- it should be applied as access-group and not as access-class.

- if it is on the interface where that subnet is located I would suggest changing the source specification of "any" and change it to the subnet of that VLAN.

- you are permitting tcp access for SMTP, web, and ssh, but you are not permitting any DNS traffic. So users will have to specify everything by address and not browse by name. I doubt that is what you had in mind.



pipsadmin Mon, 06/09/2008 - 11:21

OUPS... fergot about the DNS, so how do I resolve that?

Also, the access group should be applied on the vlan interface as :

interface vlan 172

ip access-group QA2 out


Richard Burts Mon, 06/09/2008 - 11:42


resolve the DNS by permit udp any eq 53 any

apply as

interface vlan 172

ip access-group QA2 in



pipsadmin Mon, 06/09/2008 - 11:46

should'nt it be out? as it's leaving the VLAN 172 out to the MSFC, no?

Richard Burts Mon, 06/09/2008 - 11:51


The access list is applied in or out from the perspective of the router/switch interface. Traffic from VLAN 172 into the switch interface is applied in. Traffic from the switch interface out to VLAN 172 is applied out.

So apply your access-group in.




This Discussion