which way is out and in when looking at an access-list

dan_track
Level 1

Hi

Just wondering if you can clarify something for me as I'm getting confused.

I have two access lists configured on a vlan like so:

interface vlan 20
 ip access-group 140 in
 ip access-group 139 out

If I have client "A" in vlan 20 and it wants to communicate with a server "B" in a remote location, how do I write the access list to allow "A" to connect to port 3124 on "B" but allow any connections from "B" to "A"?

Thanks

Dan

Accepted Solution

Jon Marshall
Hall of Fame

Dan

An access-list applied inbound on a vlan interface controls traffic coming FROM devices on that vlan.

An access-list applied outbound on a vlan interface controls traffic going TO devices on that vlan.

So

access-list 101 permit tcp host <A address> host <B address> eq 3124 (note I've assumed port 3124 is TCP)

int vlan 20

ip access-group 101 in

If you want to allow any connections from B to A you could just not bother with an acl but assuming you need to filter other traffic

access-list 102 permit ip host <B address> host <A address>

int vlan 20

ip access-group 102 out

Edit - forgot to mention always remember there is an implicit "deny ip any any" at the end of any access-list so you may need to add other things to the acl examples given above.

Jon
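To make the direction rule and the implicit deny concrete, here is a small Python model of the SVI from Jon's answer (an added example, not from the thread). It uses constructed placeholder addresses for A and B, and a hypothetical `established` variant of ACL 101 shows the caveat his edit alludes to: with 101 as written, A's replies to connections that B opened would hit the implicit deny on the way back out of vlan 20.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder addresses: A is the client in vlan 20, B the remote server.
VLAN20 = ipaddress.ip_network("10.20.0.0/24")
A, B = "10.20.0.10", "192.0.2.50"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    ack: bool = False   # True for TCP segments with ACK or RST set (mid-connection)

def ace(action, proto, src, dst, dport=None, established=False):
    """One access-control entry: 'ip' matches any protocol, 'any' any address."""
    def match(p):
        return (proto in ("ip", p.proto)
                and src in ("any", p.src) and dst in ("any", p.dst)
                and (dport is None or dport == p.dport)
                and (not established or p.ack))
    return (action, match)

def evaluate(acl, p):
    """First matching entry wins; the implicit 'deny ip any any' catches everything else."""
    for action, match in acl:
        if match(p):
            return action
    return "deny"

# Jon's ACLs: 101 is applied 'in' (traffic FROM vlan 20 hosts), 102 'out' (traffic TO them).
ACL_101_IN = [ace("permit", "tcp", A, B, dport=3124)]
ACL_102_OUT = [ace("permit", "ip", B, A)]

# Hypothetical variant of 101 that also lets A answer sessions B opened: 'established'
# only matches TCP segments carrying ACK/RST, so A still cannot start new sessions with it.
ACL_101_IN_ESTABLISHED = ACL_101_IN + [ace("permit", "tcp", A, B, established=True)]

def svi_decision(p, acl_in=ACL_101_IN, acl_out=ACL_102_OUT):
    """Sourced inside vlan 20 -> inbound ACL; destined to vlan 20 -> outbound ACL."""
    inbound = ipaddress.ip_address(p.src) in VLAN20
    return evaluate(acl_in if inbound else acl_out, p)

if __name__ == "__main__":
    for pkt in (Packet(A, B, "tcp", 3124), Packet(A, B, "tcp", 443),
                Packet(B, A, "tcp", 22), Packet(A, B, "tcp", 51000, ack=True)):
        print(pkt, "->", svi_decision(pkt))
```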


2 Replies


Brilliant Jon,

Thanks for your help, cleared up a real problem. Don't know what I'd do without you!! :)

Thanks

Dan
