ACL for permitting only a UDP port to the Internet

Answered Question
Feb 8th, 2009

Hi

I am configuring a 3560 switch that has 3 VLANs, i.e.

vlan 223 - server - 10.4.223.0 /24 - 10.4.223.1

vlan 224 - user - 10.4.224.0 /24 - 10.4.224.1

vlan 225 - internet - 10.4.225.0 /24 - 10.4.225.2

10.4.225.1 is the ISP gateway from the switch, which I am using as the next hop on the switch.

VLAN 225 is where the ISP is connected for internet. I want to allow only UDP for 10.4.223.2; the rest of the IPs should not go to the internet, but VLAN 224 and VLAN 225 should be able to access VLAN 223.

I am writing the access list, but it's not working:

ip access-list extended Subnet_Vlan223

permit udp any 10.4.223.1 0.0.0.255 eq 53

deny ip host 10.4.225.1 10.4.224.3 0.0.0.252

(With this line I want hosts 10.4.224.3-254 to be blocked from communicating with 10.4.225.1.)

permit ip any any

interface Vlan223

ip access-group Subnet_Vlan223 in

regards

saurav

Correct Answer by Daniel Laden, Sun, 02/08/2009 - 21:52

The first IP should be the source and the second the destination. Since this is an inbound access-list, your ACL looks backwards.

The deny statement may need to be written as two lines: allow .2 to access .1, deny the whole Class C network from getting to .1
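To make the two points in the answer concrete (source comes before destination, and a narrow permit has to precede the broad deny), here is an added example that is not part of either post: a small Python evaluator for a subset of IOS extended-ACL syntax, with the questioner's ACL as posted and a corrected pair of ACLs written the way the answer describes. The corrected ACLs are my reading of the stated policy, not the thread's own config: on Vlan223 inbound the source is always a server in 10.4.223.0/24, so the entries are written from the servers' point of view and the stateless reply traffic back to VLANs 224 and 225 is permitted explicitly; the "two lines" for the gateway go on a separate ACL inbound on Vlan224, and the ".2" that is allowed through is assumed to be 10.4.224.2. The packets are constructed test data (198.51.100.10 is a documentation address standing in for "the internet").

```python
"""Mini evaluator for a subset of Cisco IOS extended ACL syntax (added example).

Supports 'permit|deny <ip|tcp|udp|icmp> <src> <dst> [eq PORT]' where an address is
'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. First match wins and the implicit
'deny ip any any' applies at the end, as on IOS.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The ACL exactly as posted in the question (applied inbound on interface Vlan223).
POSTED_VLAN223_ACL = """
ip access-list extended Subnet_Vlan223
 permit udp any 10.4.223.1 0.0.0.255 eq 53
 deny ip host 10.4.225.1 10.4.224.3 0.0.0.252
 permit ip any any
"""

# Assumed corrected ACL for Vlan223 inbound: source is a 10.4.223.0/24 server.
# Replies to the user and ISP VLANs are allowed, only 10.4.223.2 may send UDP/53
# elsewhere, everything else from the server VLAN is dropped.
FIXED_VLAN223_ACL = """
ip access-list extended Subnet_Vlan223
 permit ip 10.4.223.0 0.0.0.255 10.4.224.0 0.0.0.255
 permit ip 10.4.223.0 0.0.0.255 10.4.225.0 0.0.0.255
 permit udp host 10.4.223.2 any eq 53
 deny ip any any
"""

# The answer's "two lines" as an assumed ACL inbound on Vlan224 (".2" = 10.4.224.2).
# This only matches packets ADDRESSED to 10.4.225.1; packets merely routed through
# that next hop carry an internet destination and are not caught by the deny.
FIXED_VLAN224_ACL = """
ip access-list extended Subnet_Vlan224
 permit ip host 10.4.224.2 host 10.4.225.1
 deny ip 10.4.224.0 0.0.0.255 host 10.4.225.1
 permit ip any any
"""


@dataclass(frozen=True)
class Packet:
    proto: str                  # "ip" entries match any of these
    src: str
    dst: str
    dport: Optional[int] = None


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _match(addr: int, base: int, wildcard: int) -> bool:
    # IOS wildcard: a 1 bit means "don't care", a 0 bit must equal the base.
    care = ~wildcard & 0xFFFFFFFF
    return (addr ^ base) & care == 0


def matches_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """String front end to _match, e.g. to check what '10.4.224.3 0.0.0.252' covers."""
    return _match(_ip(addr), _ip(base), _ip(wildcard))


def _addr(tokens):
    """Consume one address spec; return (base, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def parse_acl(text: str):
    """Return a list of (action, proto, sbase, swild, dbase, dwild, dport) entries."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue                      # skip the 'ip access-list ...' header
        action, proto = toks[0], toks[1]
        sbase, swild, rest = _addr(toks[2:])     # source first ...
        dbase, dwild, rest = _addr(rest)         # ... then destination
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, proto, sbase, swild, dbase, dwild, dport))
    return entries


def evaluate(entries, pkt: Packet) -> str:
    """First-match evaluation; returns 'permit' or 'deny'."""
    for action, proto, sbase, swild, dbase, dwild, dport in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not _match(_ip(pkt.src), sbase, swild):
            continue
        if not _match(_ip(pkt.dst), dbase, dwild):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action
    return "deny"   # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    flows = [Packet("udp", "10.4.223.2", "198.51.100.10", 53),
             Packet("tcp", "10.4.223.50", "198.51.100.10", 80),
             Packet("tcp", "10.4.223.10", "10.4.224.20", 445)]
    for name, acl in (("posted", POSTED_VLAN223_ACL), ("fixed", FIXED_VLAN223_ACL)):
        for f in flows:
            print(name, f.proto, f.src, "->", f.dst, f.dport, evaluate(parse_acl(acl), f))
```

Running it shows the posted ACL permitting a web session from 10.4.223.50 to the internet (the deny never matches because its source is written as the gateway, and the final `permit ip any any` catches everything), while the corrected ACL permits only the DNS flow from 10.4.223.2 and the server-to-user reply. `matches_wildcard` also shows why the posted deny could not express "hosts .3 through .254": with wildcard 0.0.0.252 the low two bits of the last octet must equal those of .3, so .7 matches and .4 does not.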
