IP Access List Question

Aug 12th, 2009

Not an access list guy. Never had to do much of it...until today.

I have a 3750 switch. Ports 1-4 are VLAN 100, the rest are VLAN 1. I have a host that needs to talk to the NTP server plugged into port 4, and I don't want that host to talk to anyone else on that network.

I was just going to go to config mode and do an ip access-list 101 and that's it.

Anything better than that?


jfraasch Wed, 08/12/2009 - 05:33

One other quick question. On the 3750s, are the ports switchports by default? Or do I need to enter the command "switchport" on all interfaces to make them switchports?

Thanks again.

Collin Clark Wed, 08/12/2009 - 05:45

That would block everyone else too! Try something like:

ip access-list extended Allow_NTP
permit udp host host eq 123
deny ip host any
permit ip any any

Hope that helps.

jfraasch Wed, 08/12/2009 - 06:52

I do want to block everyone else. Sorry I wasn't clear about that.

No other host on the 10.10.10 network should be able to go to VLAN 100.


Collin Clark Wed, 08/12/2009 - 06:55

Your more permissive statements should be at the top and then restrict down.

ip access-list extended Allow_NTP
permit udp host host eq 123
deny ip any

Jon Marshall Wed, 08/12/2009 - 05:46

access-list 101 permit udp host host eq 123
access-list 101 deny ip host
access-list 101 permit ip any any

int vlan 1
ip access-group 101 in

The above ACL will:

1) allow to use NTP with
2) stop all other traffic from to any device on network
3) allow all other traffic from either to any other device, i.e. not a device on vlan 100
4) allow all traffic from every other device on the 10.10.10.x network to any other device, including all devices on vlan 100

Yes, by default ports are switchports.
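To check how entries like these behave before applying them, here is a small first-match ACL simulator. It is an added example, not code from this thread or from Cisco. The addresses it uses (10.10.10.50 as the client, 10.10.10.77 as another VLAN 1 host, 10.100.100.5 as the NTP server, 10.100.100.0/24 as VLAN 100, 192.0.2.10 as an outside destination) are constructed placeholders, since the thread's real addresses are not shown. It supports only the syntax used above (any, host A, network plus wildcard, protocols ip/udp/tcp, a destination eq port) and walks through Jon Marshall's four points, Collin Clark's ordering advice, and what the implicit deny does to other traffic once the final permit ip any any is removed.

```python
"""First-match ACL simulator (added example; not from the thread or from Cisco).

Supports only the syntax seen in the thread: 'any', 'host A', 'A WILDCARD',
protocols ip/udp/tcp, and an optional destination 'eq PORT'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AddrSpec = Tuple[int, int]  # (base address, mask) as 32-bit integers


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]  # destination port from "eq PORT", if any


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one address spec starting at tokens[i]; return (spec, next index)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    # "network wildcard": IOS wildcard bits are the inverse of a netmask
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(tok)) & mask, mask), i + 2


def _matches(ip: str, spec: AddrSpec) -> bool:
    base, mask = spec
    return (int(ipaddress.IPv4Address(ip)) & mask) == base


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse numbered ("access-list 101 permit ...") or named ("permit ...") entries."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]      # drop "access-list <number>"
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, index of the matching entry);
    index None means the packet fell through to the implicit 'deny ip any any'."""
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_matches(pkt.src, e.src) and _matches(pkt.dst, e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, idx
    return "deny", None


# Constructed placeholder addresses (the thread's real ones are not shown)
CLIENT = "10.10.10.50"          # the one host allowed to reach the NTP server
OTHER_HOST = "10.10.10.77"      # any other host on VLAN 1
NTP_SERVER = "10.100.100.5"     # NTP server on port 4, VLAN 100
VLAN100 = "10.100.100.0 0.0.0.255"
OUTSIDE = "192.0.2.10"          # a destination that is not on VLAN 100

# Jon Marshall's ACL, applied "ip access-group 101 in" on interface vlan 1
ACL_101 = parse_acl([
    f"access-list 101 permit udp host {CLIENT} host {NTP_SERVER} eq 123",
    f"access-list 101 deny ip host {CLIENT} {VLAN100}",
    "access-list 101 permit ip any any",
])

# The same ACL without the final permit: everything else from VLAN 1 now hits
# the implicit deny, including traffic that never goes near VLAN 100.
ACL_STRICT = ACL_101[:2]

# Variant that blocks only VLAN 100 for the other hosts: permit the NTP flow,
# deny anyone else to VLAN 100, then let all remaining traffic through.
ACL_VLAN100_ONLY = parse_acl([
    f"permit udp host {CLIENT} host {NTP_SERVER} eq 123",
    f"deny ip any {VLAN100}",
    "permit ip any any",
])

if __name__ == "__main__":
    samples = [Packet("udp", CLIENT, NTP_SERVER, 123), Packet("tcp", CLIENT, NTP_SERVER, 22),
               Packet("tcp", OTHER_HOST, NTP_SERVER, 22), Packet("tcp", OTHER_HOST, OUTSIDE, 443)]
    for name, acl in (("101", ACL_101), ("strict", ACL_STRICT), ("vlan100-only", ACL_VLAN100_ONLY)):
        for p in samples:
            print(name, p.proto, p.src, "->", p.dst, p.dport, evaluate(acl, p))
```

Feeding the two entries of ACL_101 in the reverse order (deny first, then the NTP permit) makes the simulator deny the NTP packet on the first line, which is the ordering problem Collin Clark points out. The strict variant shows why dropping permit ip any any affects more than VLAN 100: with the ACL inbound on interface vlan 1, a packet from another host to an outside address also falls to the implicit deny.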


jfraasch Wed, 08/12/2009 - 06:50

If I wanted all other hosts to be blocked from the 10.100.100.x network I would just not add the permit ip any any command, correct?

Also, you are simply locking the host's access to the server down to the NTP protocol port. The way I had it would have allowed any type of connection between the devices.

Cool. That makes sense. Thanks.

Oh, I then have to apply the access list to VLAN 1. Forgot about that.


John Blakley Wed, 08/12/2009 - 07:24

Yes, and you'd apply it in the INBOUND direction.