IP Access List Question

Aug 12th, 2009

Not an access list guy. Never had to do much of it...until today.


I have a 3750 switch. Ports 1-4 are VLAN100 the rest are VLAN 1. I have a host 10.10.10.10 that needs to talk to the NTP server plugged into port 4 at 10.100.100.100. I don't want that host to talk to anyone else on that network.


I was just going to go to config mode and do an ip access-list 101 10.10.10.10 0.0.0.0 10.100.100.100 0.0.0.0 and that's it.


Anything better than that?


James

jfraasch Wed, 08/12/2009 - 05:33

One other quick question. On the 3750s, are the ports switchports by default? Or do I need to enter the command "switchport" on all interfaces to make them switchports?


Thanks again.

Collin Clark Wed, 08/12/2009 - 05:45

That would block everyone else too! Try something like-


ip access-list extended Allow_NTP
 permit udp host 10.10.10.10 host 10.100.100.100 eq 123
 deny ip host 10.10.10.10 any
 permit ip any any


Hope that helps.

jfraasch Wed, 08/12/2009 - 06:52

I do want to block everyone else. Sorry I wasn't clear about that.


No other host on the 10.10.10 network should be able to go to VLAN 100.


James

Collin Clark Wed, 08/12/2009 - 06:55

Your more permissive statements should be at the top and then restrict down.


ip access-list extended Allow_NTP
 permit udp host 10.10.10.10 host 10.100.100.100 eq 123
 deny ip 10.10.10.0 0.0.0.255 any


Jon Marshall Wed, 08/12/2009 - 05:46

James


access-list 101 permit udp host 10.10.10.10 host 10.100.100.100 eq 123
access-list 101 deny ip host 10.10.10.10 10.100.100.0 0.0.0.255
access-list 101 permit ip any any

int vlan 1
 ip access-group 101 in


The above ACL will:

1) allow 10.10.10.10 to use NTP with 10.100.100.100

2) stop all other traffic from 10.10.10.10 to any device on the 10.100.100.0/24 network

3) allow all other traffic from 10.10.10.10 to any other device, i.e. not a device on VLAN 100

4) allow all traffic from every other device on the 10.10.10.x network to any other device, including all devices on VLAN 100



Yes, by default ports are switchports.


Jon

jfraasch Wed, 08/12/2009 - 06:50

If I wanted all other hosts to be blocked from the 10.100.100.x network I would just not add the permit ip any any command, correct?


Also, you are simply locking the host access to the server down to the NTP protocol port. The way I had it would have allowed any type of connection between the devices.


Cool. That makes sense. Thanks.


Oh, I then have to apply the access list to VLAN 1. Forgot about that.


James

John Blakley Wed, 08/12/2009 - 07:24

Yes, and you'd apply it in the INBOUND direction.


HTH,

John
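Added example (not part of the thread, and not Cisco code): a small Python evaluator that applies the IOS matching rules the replies above depend on, namely top-down first-match, wildcard masks (a 1 bit means "don't care") and the implicit "deny ip any any" at the end of every ACL, and runs Collin's second ACL and Jon's numbered ACL against a set of constructed sample packets. It also includes a valid-syntax reading of the one-line ACL from the original question ("permit ip host 10.10.10.10 host 10.100.100.100"), which is an assumption about what was meant. The packet names and addresses outside the thread (10.10.10.20, 192.168.1.1) are made up for illustration.

```python
"""Cisco IOS extended-ACL evaluator for the thread's ACLs (added example).
Entries are tried top-down, first match wins, wildcard bit 1 = don't care,
and an implicit "deny ip any any" ends every ACL. Only the syntax used in
the thread is parsed: ip/udp/tcp, host/any/NET WILDCARD, optional "eq PORT"."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL_BITS = 0xFFFFFFFF

@dataclass
class Packet:
    proto: str                   # "udp", "tcp", ... as carried over IP
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class AddrMatch:
    net: int
    keep: int                    # bits that must match: complement of the wildcard mask

    def matches(self, addr: str) -> bool:
        return (int(ipaddress.IPv4Address(addr)) & self.keep) == (self.net & self.keep)

def _addr(tokens, i):
    """Consume one address specifier at tokens[i]; return (AddrMatch, next index)."""
    if tokens[i] == "any":
        return AddrMatch(0, 0), i + 1
    if tokens[i] == "host":
        return AddrMatch(int(ipaddress.IPv4Address(tokens[i + 1])), ALL_BITS), i + 2
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[i:i + 2])
    return AddrMatch(net, ALL_BITS ^ wild), i + 2

def _port(tokens, i):
    """Consume an optional 'eq PORT' after the destination; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i

@dataclass
class Ace:
    action: str
    proto: str
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int]
    text: str

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto) and self.src.matches(p.src)
                and self.dst.matches(p.dst) and self.dport in (None, p.dport))

def parse_acl(text: str):
    """Parse named ("permit ...") and numbered ("access-list N permit ...") entries."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "access-list":
            tokens = tokens[2:]          # drop "access-list <number>"
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                     # blank line, "ip access-list ..." header or remark
        src, i = _addr(tokens, 2)
        dst, i = _addr(tokens, i)
        dport, i = _port(tokens, i)
        aces.append(Ace(tokens[0], tokens[1], src, dst, dport, line.strip()))
    return aces

def evaluate(aces, p: Packet):
    """Return (action, entry) of the first matching entry, else the implicit deny."""
    for ace in aces:
        if ace.matches(p):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"

# The two ACLs posted in the thread, plus a valid-syntax reading (an assumption)
# of the one-line ACL from the question.
COLLIN_ACL = """ip access-list extended Allow_NTP
 permit udp host 10.10.10.10 host 10.100.100.100 eq 123
 deny ip 10.10.10.0 0.0.0.255 any"""
JON_ACL = """access-list 101 permit udp host 10.10.10.10 host 10.100.100.100 eq 123
access-list 101 deny ip host 10.10.10.10 10.100.100.0 0.0.0.255
access-list 101 permit ip any any"""
JAMES_ACL = "access-list 101 permit ip host 10.10.10.10 host 10.100.100.100"

# Constructed sample packets, as seen inbound on the VLAN 1 interface.
SAMPLE_PACKETS = {
    "ntp":                  Packet("udp", "10.10.10.10", "10.100.100.100", 123),
    "ssh_to_ntp_server":    Packet("tcp", "10.10.10.10", "10.100.100.100", 22),
    "other_host_ntp":       Packet("udp", "10.10.10.20", "10.100.100.100", 123),
    "host_to_elsewhere":    Packet("tcp", "10.10.10.10", "192.168.1.1", 80),
    "other_host_elsewhere": Packet("tcp", "10.10.10.20", "192.168.1.1", 80),
}

def decisions(acl_text: str) -> dict:
    """Map each sample packet name to "permit" or "deny" under the given ACL."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, p)[0] for name, p in SAMPLE_PACKETS.items()}
```

Running decisions() on the three ACLs shows the trade-off the thread circles around. Jon's ACL permits only NTP from 10.10.10.10 to the server, denies its other traffic to 10.100.100.0/24, and lets everything else through. Collin's second ACL, applied inbound on VLAN 1, denies every other host on 10.10.10.0/24 not just to VLAN 100 but to every destination, and any source outside that /24 falls through to the implicit deny; so simply leaving out "permit ip any any", as asked later in the thread, cuts off all other traffic entering that interface, not only traffic to 10.100.100.x. The one-line ACL from the question permits any protocol between the two hosts (as James notes) and denies everything else, including 10.10.10.10's own traffic to other networks.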
