New Member

Applying ACL into CSS11500

Guys, please, I want help regarding applying an ACL on the circuit.

I have two VLANs trunked into the CSS. I want to permit only port 1080 from, let's say, VLAN1 to VLAN2,

but when applying the clauses to VLAN1 only or VLAN2 only, the ACL is not working (I mean a server in VLAN1 can still ping a server in VLAN2).

BUT when I tried to apply it on both VLAN1 and VLAN2, it's working fine!!!!!

I'm totally lost and confused... I just tried it as a last try and it worked!!

Please, can anybody tell me the logic of applying the ACL to the VLAN circuit? Where? Near the source or near the destination??

Thanks,

Hasan Odeh

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: Applying ACL into CSS11500

Hi Hasan,

The ACL needs to be applied on VLAN 2073, but you need to create a second ACL on VLAN 2074 with a permit any any statement. As per the configuration you sent me, the ACL seems properly configured, except that VLAN 2074 is on ACL 1.

Leave ACL 1 as it is but remove the line "apply circuit-(VLAN2074)" (use the command "remove circuit-(VLAN2074)").

Then create an ACL 2 that looks like this:

ACL 2

clause 17 permit any any destination any

apply circuit-(VLAN2074)

Then, do not forget to enable the ACLs globally on the CSS with this command: "(config)#acl enable"

One thing to remember: if you are doing a telnet to the CSS, make sure that your source IP is not on VLAN 2073 when you enable the ACLs globally, or you will be disconnected. Also, try not to do this in production. Thanks!

Regards,

Jose.
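
A small Python model of the layout from the accepted answer, added here as an illustration and not taken from the thread or from Cisco: ACL 1 is checked on ingress to VLAN 2073 and ACL 2 (permit any) on ingress to VLAN 2074. The clause tuples, the `check` function, the constructed server address 192.0.2.10, and the rule that a circuit with no ACL passes nothing once ACLs are enabled are assumptions of the model.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

# Clause = (action, protocol, source net, destination net, destination port).
# Model assumptions: first matching clause wins; no match means deny.
ACLS = {
    1: [("permit", "tcp", ip_network("10.0.207.71/32"), ANY, 1080),
        ("permit", "tcp", ip_network("10.0.207.72/32"), ANY, 1080)],
    2: [("permit", "any", ANY, ANY, None)],      # "permit any any destination any"
}

# Circuit -> ACL evaluated for traffic ENTERING the CSS on that circuit.
APPLIED = {"VLAN2073": 1, "VLAN2074": 2}


def check(ingress, proto, src, dst, dport=None, applied=APPLIED):
    """Return 'permit' or 'deny' for a packet arriving on circuit `ingress`."""
    acl = applied.get(ingress)
    if acl is None:
        # Assumption: with ACLs enabled globally, a circuit without an ACL
        # passes nothing, which is why VLAN 2074 needs its own permit-any ACL.
        return "deny"
    for action, c_proto, c_src, c_dst, c_port in ACLS[acl]:
        if (c_proto in ("any", proto)
                and ip_address(src) in c_src
                and ip_address(dst) in c_dst
                and c_port in (None, dport)):
            return action
    return "deny"


if __name__ == "__main__":
    server = "192.0.2.10"  # constructed address standing in for a VLAN 2074 server
    cases = [
        ("VLAN2073", "tcp", "10.0.207.71", server, 1080),    # allowed client, port 1080
        ("VLAN2073", "icmp", "10.0.207.71", server, None),   # ping from VLAN 2073
        ("VLAN2073", "tcp", "10.0.207.73", server, 1080),    # other host on VLAN 2073
        ("VLAN2074", "tcp", server, "10.0.207.71", 40000),   # return traffic
    ]
    for case in cases:
        print(case, "->", check(*case))
    # Same return packet when only ACL 1 is applied and VLAN 2074 has no ACL:
    print(check("VLAN2074", "tcp", server, "10.0.207.71", 40000,
                applied={"VLAN2073": 1}))
```
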

4 REPLIES
Bronze

Re: Applying ACL into CSS11500

Hi Hasan,

The ACLs on a CSS are applied to the traffic that comes into a VLAN, this means it is applied to the ingress traffic.

I don't know what configuration you had when it wasn't working and when it was working. I would gladly look at it if you want to explain what was the configuration of the CSS and what configuration you have right now. Thanks!

Regards,

Jose Quesada.

New Member

Re: Applying ACL into CSS11500

Hi Jose,

Please check the attached txt file, maybe I missed something?!

What I need from the ACL:

permit only two servers 10.0.207.71/28 and 10.0.207.72/48 (on vlan 2073) to access HIS servers (on vlan2074) on port 1080 and deny everything else....

Where should I apply the ACL? On vlan1073 or/and vlan2074??

Thanks in advance

Hasan Odeh

New Member

Re: Applying ACL into CSS11500

Dear Jose,

Thanks a lot for your help, I think I got the idea. I will try to apply what you told me..

I would like to ask another question in a new case, please see it if you can help,

Best Wishes,

Hasan Odeh
