ACL for Permitting only UDP port to Internet

Answered Question
Feb 8th, 2009

Hi


I am configuring a 3560 switch that has 3 VLANs, i.e.

vlan 223 - server - 10.4.223.0/24 - 10.4.223.1

vlan 224 - user - 10.4.224.0/24 - 10.4.224.1

vlan 225 - internet - 10.4.225.0/24 - 10.4.225.2

10.4.225.1 is the ISP gateway from the switch, which I am using as the next hop on the switch.

VLAN 225 is where the ISP is connected for the Internet. I want to allow only UDP for 10.4.223.2; the rest of the IPs should not go to the Internet, but VLAN 224 and VLAN 225 should be able to access VLAN 223.

I am writing the access list but it's not working:

ip access-list extended Subnet_Vlan223
 permit udp any 10.4.223.1 0.0.0.255 eq 53
 deny ip host 10.4.225.1 10.4.224.3 0.0.0.252
 permit ip any any

(With the deny line I want hosts 10.4.224.3-254 to be blocked from communicating with 10.4.225.1.)

interface Vlan223
 ip access-group Subnet_Vlan223 in


regards

saurav

Correct Answer
Daniel Laden Sun, 02/08/2009 - 21:52
User Badges: Cisco Employee

The first IP should be the source and the second the destination. Since this is an inbound access-list, your ACL looks backwards.


The deny statement may need to be written as two lines: allow .2 to access .1, deny the whole Class C network from getting to .1


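Added example, not code from the thread or from Cisco: a small Python model of first-match extended ACL evaluation, used to check the posted list against the two points in the answer. POSTED_ACL is the question's access list verbatim; CORRECTED_ACL is an assumed rewrite that follows the advice (source first, then destination; the specific permit placed ahead of the broad deny), written for an inbound ACL on Vlan223, where every packet's source is a 10.4.223.0/24 host. The sample packets and the 203.0.113.10 "Internet" address are constructed, and the model covers only permit/deny, ip/udp/tcp, host/any/wildcard addresses and "eq port".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                # source IPv4 address
    dst: str                # destination IPv4 address
    proto: str              # "udp", "tcp" or "icmp"
    dport: Optional[int] = None


def match_addr(spec: str, ip: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    parts = spec.split()
    base, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else (parts[0], parts[1])
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    i = int(ipaddress.IPv4Address(ip))
    return ((b ^ i) & ~w & 0xFFFFFFFF) == 0


def parse_ace(line: str):
    """Split an extended ACE into (action, proto, src_spec, dst_spec, dport)."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]

    def take_addr():
        nonlocal rest
        if rest[0] == "any":
            spec, rest = "any", rest[1:]
        elif rest[0] == "host":
            spec, rest = f"host {rest[1]}", rest[2:]
        else:
            spec, rest = f"{rest[0]} {rest[1]}", rest[2:]
        return spec

    src, dst = take_addr(), take_addr()   # first address is the source, second the destination
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, dport


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for line in acl:
        action, proto, src, dst, dport = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (match_addr(src, pkt.src) and match_addr(dst, pkt.dst)):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


# The ACL exactly as posted in the question (applied inbound on Vlan223).
POSTED_ACL = [
    "permit udp any 10.4.223.1 0.0.0.255 eq 53",
    "deny ip host 10.4.225.1 10.4.224.3 0.0.0.252",
    "permit ip any any",
]

# Assumed rewrite following the answer: source first, destination second, and the
# specific permit placed before the broad deny. Inbound on Vlan223 the source is
# always a 10.4.223.0/24 host, so that is what every entry keys on.
CORRECTED_ACL = [
    "permit udp host 10.4.223.2 any eq 53",                   # only .2 gets UDP/53 out
    "permit ip 10.4.223.0 0.0.0.255 10.4.224.0 0.0.0.255",    # replies to the user VLAN
    "permit ip 10.4.223.0 0.0.0.255 10.4.225.0 0.0.0.255",    # replies to the internet VLAN
    "deny ip 10.4.223.0 0.0.0.255 any",                       # everything else stays inside
]

# Constructed test traffic; 203.0.113.10 is a documentation address standing in for the Internet.
SAMPLE_PACKETS = {
    "dns_from_.2": Packet("10.4.223.2", "203.0.113.10", "udp", 53),
    "dns_from_.5": Packet("10.4.223.5", "203.0.113.10", "udp", 53),
    "web_from_.2": Packet("10.4.223.2", "203.0.113.10", "tcp", 80),
    "reply_to_user_vlan": Packet("10.4.223.2", "10.4.224.20", "tcp", 3389),
}


def decisions(acl: List[str]) -> dict:
    """Verdict of the given ACL for each constructed packet."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}


def hosts_matched(spec: str) -> List[int]:
    """Last octets in 10.4.224.0/24 that an address spec actually matches."""
    return [n for n in range(256) if match_addr(spec, f"10.4.224.{n}")]


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("corrected", CORRECTED_ACL)):
        print(name, decisions(acl))
    print("0.0.0.252 wildcard on .3 matches", hosts_matched("10.4.224.3 0.0.0.252"))
```

Two things stand out when it runs. The posted list permits all four packets: its destinations are the switch's own VLANs, so no entry matches traffic leaving Vlan223 and "permit ip any any" catches everything, which is the "backwards" behaviour the answer points at. And a wildcard of 0.0.0.252 on .3 selects the 64 hosts whose last two bits are set (3, 7, 11, ...), not .3 through .254; a contiguous block is expressed as a permit for the hosts to exclude followed by a deny on the whole 0.0.0.255 range, the two-line form the answer describes. One further caveat from the topology: 10.4.225.1 is only the next hop, so Internet-bound packets carry the remote address as their destination, and a deny meant to keep the rest of the VLAN off the Internet must match "any" as destination rather than the gateway host.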
sauravcgc Thu, 03/12/2009 - 12:43

Hi Den


Thanks for your great help.


Regards

Saurav
