
New Member

which way is out and in when looking at an access-list

Hi

Just wondering if you can clarify something for me as I'm getting confused.

I have two access lists configured on a vlan like so:

vlan 20
 ip access-group 140 in
 ip access-group 139 out

If I have client "A" in vlan 20 and it wants to communicate with a server "B" in a remote location, how do I write the access list to allow "A" to connect to port 3124 on "B" but allow any connections from "B" to "A"?

Thanks

Dan

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: which way is out and in when looking at an access-list

Dan

An access-list applied inbound on a vlan interface controls traffic coming FROM devices on that vlan.

An access-list applied outbound on a vlan interface controls traffic going TO devices on that vlan.

So

access-list 101 permit tcp host <A> host <B> eq 3124 (note I've assumed port 3124 is TCP)

int vlan 20
 ip access-group 101 in

If you want to allow any connections from B to A you could just not bother with an ACL, but assuming you need to filter other traffic:

access-list 102 permit ip host <B> host <A>

int vlan 20
 ip access-group 102 out

Edit - forgot to mention: always remember there is an implicit "deny ip any any" at the end of any access-list, so you may need to add other things to the ACL examples given above.

Jon
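
To make the direction rule concrete, here is an added Python model (not from the thread or from Cisco) of how an ACL pair applied to int vlan 20 is evaluated for an A-to-B session and a B-to-A session, including the implicit deny Jon mentions; the addresses and the port 445 service on A are assumptions.

```python
from dataclasses import dataclass
# Constructed addresses from documentation ranges; the thread names only A and B.
A, B = "10.20.0.10", "192.0.2.50"   # A: client in vlan 20, B: remote server
VLAN20_HOSTS = {A}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    ack: bool = False   # ACK/RST set, which is what IOS 'established' matches

def entry_matches(entry, pkt):
    proto, src, dst, dport, established = entry
    return (proto in ("ip", pkt.proto)
            and src in ("any", pkt.src) and dst in ("any", pkt.dst)
            and (dport is None or dport == pkt.dport)
            and (not established or pkt.ack))

def acl_permits(acl, pkt):
    """First matching entry wins; no match falls to the implicit 'deny ip any any'."""
    for action, *entry in acl:
        if entry_matches(entry, pkt):
            return action == "permit"
    return False

# Entries are (action, proto, src, dst, dport, established): ACL 101 and 102 from the answer
ACL_101_IN = [("permit", "tcp", A, B, 3124, False)]
ACL_102_OUT = [("permit", "ip", B, A, None, False)]

def svi_forwards(pkt, acl_in=ACL_101_IN, acl_out=ACL_102_OUT):
    """'in' filters traffic FROM vlan 20 hosts, 'out' filters traffic TO them."""
    if pkt.src in VLAN20_HOSTS:
        return acl_permits(acl_in, pkt)
    if pkt.dst in VLAN20_HOSTS:
        return acl_permits(acl_out, pkt)
    return False

def walk_through(acl_in=ACL_101_IN):
    """A opens a session to B:3124, then B opens a session to A:445 (assumed service)."""
    pkts = [Packet(A, B, "tcp", 51000, 3124),            # A -> B, 'in' ACL
            Packet(B, A, "tcp", 3124, 51000, ack=True),  # B's reply, 'out' ACL
            Packet(B, A, "tcp", 40000, 445),             # B -> A, 'out' ACL
            Packet(A, B, "tcp", 445, 40000, ack=True)]   # A's reply, 'in' ACL
    return [svi_forwards(p, acl_in) for p in pkts]

# A's replies to B-initiated sessions hit the implicit deny of ACL 101 as given;
# an 'established' entry is one of the "other things" the edit refers to.
ACL_101_FIXED = ACL_101_IN + [("permit", "tcp", A, B, None, True)]
```

walk_through() returns [True, True, True, False]: the fourth packet shows why a B-to-A session needs an inbound entry beyond port 3124, and walk_through(ACL_101_FIXED) returns all True.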

2 REPLIES
New Member

Re: which way is out and in when looking at an access-list

Brilliant Jon,

Thanks for your help, cleared up a real problem. Don't know what I'd do without you!! :)

Thanks

Dan
