Cisco Support Community
IP Access List Question

Not an access list guy. Never had to do much of it...until today.

I have a 3750 switch. Ports 1-4 are VLAN100, the rest are VLAN 1. I have a host 10.10.10.10 that needs to talk to the NTP server plugged into port 4 at 10.100.100.100. I don't want that host to talk to anyone else on that network.

I was just going to go to config mode and do an ip access-list 101 10.10.10.10 0.0.0.0 10.100.100.100 0.0.0.0 and that's it.

Anything better than that?

James

7 REPLIES

Re: IP Access List Question

One other quick question. On the 3750s, are the ports switchports by default? Or do I need to enter the command "switchport" on all interfaces to make them switchports?

Thanks again.

Re: IP Access List Question

That would block everyone else too! Try something like-

ip access-list extended Allow_NTP
permit udp host 10.10.10.10 host 10.100.100.100 eq 123
deny ip host 10.10.10.10 any
permit ip any any

Hope that helps.


Re: IP Access List Question

I do want to block everyone else. Sorry I wasn't clear about that.

No other host on the 10.10.10 network should be able to go to VLAN 100.

James

Re: IP Access List Question

Your more permissive statements should be at the top and then restrict down.

ip access-list extended Allow_NTP
permit udp host 10.10.10.10 host 10.100.100.100 eq 123
deny ip 10.10.10.0 0.0.0.255 any


Re: IP Access List Question

James

access-list 101 permit udp host 10.10.10.10 host 10.100.100.100 eq 123
access-list 101 deny ip host 10.10.10.10 10.100.100.0 0.0.0.255
access-list 101 permit ip any any
int vlan 1
ip access-group 101 in

the above acl will -

1) allow 10.10.10.10 to use NTP with 10.100.100.100

2) stop all other traffic from 10.10.10.10 to any device on the 10.100.100.0/24 network

3) allow all other traffic from 10.10.10.10 to any other device, i.e. not a device on vlan 100

4) allow all traffic from every other device on the 10.10.10.x network to any other device, including all devices on vlan 100

Yes, by default ports are switchports.

Jon


Re: IP Access List Question

If I wanted all other hosts to be blocked from the 10.100.100.x network I would just not add the permit ip any any command, correct?

Also, you are simply locking the host access to the server down to the NTP protocol port. The way I had it would have allowed any type of connection between the devices.

Cool. That makes sense. Thanks.

Oh, I then have to apply the access list to VLAN 1. Forgot about that.

James

Re: IP Access List Question

Yes, and you'd apply it in the INBOUND direction.

HTH,

John
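Added example (not from any poster in this thread): a small Python simulator of IOS extended-ACL evaluation, top-down first match with the implicit deny at the end of the list. It parses the numbered ACL from Jon's reply and checks the four behaviours he lists, then evaluates the same list with the final "permit ip any any" removed, as James asks about in his follow-up. The flows used below (10.10.10.20 as a second VLAN 1 host, 192.0.2.5 as an off-VLAN destination) are constructed for the example; the ACL lines are the ones posted above. The parser handles only the subset of syntax that appears in this thread: permit/deny, protocols ip/udp/tcp, host/any/network-wildcard address specs, and a numeric "eq" port on the destination.

```python
"""Simulate Cisco IOS extended ACL matching: first match wins, implicit deny at the end."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AddrSpec:
    network: int    # base address as a 32-bit int
    wildcard: int   # IOS wildcard mask: 0 bits must match, 1 bits are don't-care

    def matches(self, addr: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(IPv4Address(addr)) & care) == (self.network & care)


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    protocol: str        # "ip" (any protocol), "udp" or "tcp"
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]  # destination port from "eq <n>", if present
    text: str


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return spec and next index."""
    if tokens[i] == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return AddrSpec(int(IPv4Address(tokens[i + 1])), 0), i + 2
    return AddrSpec(int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def parse_ace(line: str) -> Ace:
    """Accept both 'access-list 101 permit ...' and named-ACL 'permit ...' forms."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, protocol = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = int(tokens[i + 1])   # numeric ports only; 'ntp' would be 123
    return Ace(action, protocol, src, dst, dport, line.strip())


def parse_acl(config: str) -> List[Ace]:
    return [parse_ace(l) for l in config.strip().splitlines() if l.strip()]


def evaluate(acl: List[Ace], protocol: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, matching entry). Falls off the end => implicit deny."""
    for ace in acl:
        if ace.protocol != "ip" and ace.protocol != protocol:
            continue
        if not (ace.src.matches(src) and ace.dst.matches(dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "(implicit deny at end of list)"


# Jon's ACL from the thread, applied inbound on int vlan 1.
JON_ACL = parse_acl("""
access-list 101 permit udp host 10.10.10.10 host 10.100.100.100 eq 123
access-list 101 deny ip host 10.10.10.10 10.100.100.0 0.0.0.255
access-list 101 permit ip any any
""")

# The same list without the trailing permit, as James asked about.
LOCKED_DOWN_ACL = JON_ACL[:2]


if __name__ == "__main__":
    # Constructed flows: (protocol, src, dst, dport)
    flows = [
        ("udp", "10.10.10.10", "10.100.100.100", 123),  # NTP to the server
        ("tcp", "10.10.10.10", "10.100.100.100", 22),   # SSH to the server
        ("udp", "10.10.10.10", "10.100.100.50", 123),   # NTP to another VLAN 100 host
        ("tcp", "10.10.10.10", "192.0.2.5", 443),       # off-VLAN destination
        ("tcp", "10.10.10.20", "10.100.100.100", 22),   # a different VLAN 1 host
    ]
    for name, acl in (("Jon's ACL", JON_ACL), ("without permit any any", LOCKED_DOWN_ACL)):
        print(f"== {name}")
        for f in flows:
            print(f"{f[0]} {f[1]} -> {f[2]}:{f[3]}  {evaluate(acl, *f)}")
```

What the last case shows: with "permit ip any any" removed, 10.10.10.20 is blocked from 10.100.100.100 as intended, but because the implicit deny is not scoped to VLAN 100 it is also blocked from 192.0.2.5 and everything else leaving VLAN 1. Keeping VLAN 1 hosts off VLAN 100 while still letting them reach the rest of the network needs an explicit "deny ip any 10.100.100.0 0.0.0.255" before the "permit ip any any" rather than dropping the permit.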
