Configuring Access List

peguayapero
Level 1

I have the following configuration in the MSFC of a Catalyst 6509:

interface Vlan5
 description Vlan Medidores Electricos
 ip address 172.23.60.1 255.255.255.0
 no ip unreachables
 no ip directed-broadcast

interface Vlan1
 description Vlan Usuarios Pz-Jose
 ip address 172.23.8.1 255.255.252.0
 no ip unreachables
 no ip directed-broadcast

In the subnet 172.23.8.0/22 I have the server 172.23.11.3, and in the subnet 172.23.60.0/24 I have electricity meters.

I have the following request: only the active hosts of the subnet 172.23.60.0/24 should have access to the server 172.23.11.3, and only the server 172.23.11.3 should have access to the active hosts of the network 172.23.60.0/24.

I plan to apply the following configuration:

interface Vlan5
 description Vlan Medidores Electricos
 ip address 172.23.60.1 255.255.255.0
 ip access-group 103 in
 no ip unreachables
 no ip directed-broadcast

interface Vlan1
 description Vlan Usuarios Pz-Jose
 ip address 172.23.8.1 255.255.252.0
 no ip unreachables
 no ip directed-broadcast

access-list 103 permit ip host 172.23.60.2 host 172.23.11.3
access-list 103 permit ip host 172.23.60.3 host 172.23.11.3
access-list 103 permit ip host 172.23.60.4 host 172.23.11.3
access-list 103 permit ip host 172.23.60.5 host 172.23.11.3
access-list 103 permit ip host 172.23.60.6 host 172.23.11.3
access-list 103 permit ip host 172.23.60.7 host 172.23.11.3
access-list 103 permit ip host 172.23.60.8 host 172.23.11.3
access-list 103 permit ip host 172.23.60.9 host 172.23.11.3
access-list 103 permit ip host 172.23.60.10 host 172.23.11.3
access-list 103 permit ip host 172.23.60.11 host 172.23.11.3
access-list 103 permit ip host 172.23.11.3 172.23.60.0 0.0.0.255
access-list 103 deny ip any any

Is this correct?

Any recommendation?

2 Replies

lgijssel
Level 9

You could make the acl a bit shorter:

access-list 103 permit ip 172.23.60.0 0.0.0.15 host 172.23.11.3

This will allow for incoming traffic from IP 60.1-15 and nothing else. The "deny any any" at the end is useless unless you are one of those security freaks who like to log all denies.

It should be "any any log" in that case.

Regards,

Leo
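An added example, not code from anyone in this thread: a small Python model of IOS extended-ACL matching (wildcard masks, first match wins, implicit deny at the end) loaded with the original per-host list and with Leo's single wildcard entry. It shows which meter addresses each ACL lets reach the server, that meter traffic to any other destination falls to the implicit deny, and that an entry whose source is the server can never match on an ACL applied `in` on Vlan5, because only packets sourced from that VLAN enter the router there.

```python
import ipaddress
SERVER = "172.23.11.3"  # the server from the original post

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' (SRC/DST: any | host A | A WILDCARD)."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[3] == "ip", line
    fields, i = [], 4
    for _ in range(2):
        if tok[i] == "any":
            fields.append((0, 0xFFFFFFFF)); i += 1
        elif tok[i] == "host":
            fields.append((_ip(tok[i + 1]), 0)); i += 2
        else:
            fields.append((_ip(tok[i]), _ip(tok[i + 1]))); i += 2
    return tok[2], fields[0], fields[1]

def matches(field, addr):
    base, wild = field  # an IOS wildcard is an inverted mask: 1-bits are "don't care"
    return (base & ~wild) == (_ip(addr) & ~wild)

def evaluate(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl:
        action, s, d = parse_ace(line)
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"

def sources_matchable_inbound(acl, vlan_subnet):
    """Entries whose source can match a packet entering on the vlan_subnet interface."""
    net = ipaddress.ip_network(vlan_subnet)
    network, mask = int(net.network_address), int(net.netmask)
    keep = []
    for line in acl:
        base, wild = parse_ace(line)[1]
        if ((base ^ network) & ~wild & mask) == 0:  # fixed source bits fit the subnet
            keep.append(line)
    return keep
def meters_allowed_to_server(acl, subnet="172.23.60.0/24"):
    return [str(h) for h in ipaddress.ip_network(subnet).hosts()
            if evaluate(acl, str(h), SERVER) == "permit"]

# ACLs from the thread: the original per-host list and Leo's single wildcard entry
ORIGINAL = [f"access-list 103 permit ip host 172.23.60.{h} host {SERVER}" for h in range(2, 12)]
ORIGINAL += [f"access-list 103 permit ip host {SERVER} 172.23.60.0 0.0.0.255",
             "access-list 103 deny ip any any"]
LEO = [f"access-list 103 permit ip 172.23.60.0 0.0.0.15 host {SERVER}"]
```

Note that Leo's 0.0.0.15 wildcard also covers .1 (the VLAN gateway itself) and .12 to .15, which the per-host list did not permit.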

dnewell24
Level 1

I don't believe your source/destination address logic matches your "access-group 103 in" statement. Your configuration states that inbound traffic on interface VLAN 5, sourced from 172.23.60.x and destined for 172.23.11.3, is allowed. Using Leo's recommendation, I suggest you reverse the source and destination addresses.

access-list 103 permit ip host 172.23.11.3 172.23.60.0 0.0.0.15

interface Vlan5
 ip access-group 103 in

HTH,

Ryan