02-23-2006 08:17 AM - edited 03-03-2019 01:58 AM
I have the following configuration in the MSFC of a Catalyst 6509:
interface Vlan5
description Vlan Medidores Electricos
ip address 172.23.60.1 255.255.255.0
no ip unreachables
no ip directed-broadcast
interface Vlan1
description Vlan Usuarios Pz-Jose
ip address 172.23.8.1 255.255.252.0
no ip unreachables
no ip directed-broadcast
In the subnet 172.23.8.0/22 I have the server 172.23.11.3, and in the subnet 172.23.60.0/24 I have electricity meters.
I have the following requirement: only the active hosts of the subnet 172.23.60.0/24 should have access to server 172.23.11.3, and only the server 172.23.11.3 should have access to the active hosts of the network 172.23.60.0/24.
I plan to apply the following configuration:
interface Vlan5
description Vlan Medidores Electricos
ip address 172.23.60.1 255.255.255.0
ip access-group 103 in
no ip unreachables
no ip directed-broadcast
interface Vlan1
description Vlan Usuarios Pz-Jose
ip address 172.23.8.1 255.255.252.0
no ip unreachables
no ip directed-broadcast
access-list 103 permit ip host 172.23.60.2 host 172.23.11.3
access-list 103 permit ip host 172.23.60.3 host 172.23.11.3
access-list 103 permit ip host 172.23.60.4 host 172.23.11.3
access-list 103 permit ip host 172.23.60.5 host 172.23.11.3
access-list 103 permit ip host 172.23.60.6 host 172.23.11.3
access-list 103 permit ip host 172.23.60.7 host 172.23.11.3
access-list 103 permit ip host 172.23.60.8 host 172.23.11.3
access-list 103 permit ip host 172.23.60.9 host 172.23.11.3
access-list 103 permit ip host 172.23.60.10 host 172.23.11.3
access-list 103 permit ip host 172.23.60.11 host 172.23.11.3
access-list 103 permit ip host 172.23.11.3 172.23.60.0 0.0.0.255
access-list 103 deny ip any any
Is this correct?
Any recommendation?
02-23-2006 08:44 AM
You could make the acl a bit shorter:
access-list 103 permit ip 172.23.60.0 0.0.0.15 host 172.23.11.3
This will allow for incoming traffic from IP 60.1-15 and nothing else. The "deny any any" at the end is useless unless you are one of those security freaks that like to log all denies.
It should be: "any any log" in that case
Regards,
Leo
02-23-2006 11:54 AM
I don't believe your source/destination address logic matches your access-group 3 in statement. Your configuration states inbound traffic on interface VLAN 5 sourced as 172.23.60.x destined for 172.23.11.3 is allowed. Using Leo's recommendations I suggest you reverse source and destination address.
access-list 103 permit ip host 172.23.11.3 172.23.60.0 0.0.0.15
Interface Vlan5
ip access-group 3 in
HTH,
Ryan
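To check what the ACL in this thread actually matches, here is an added Python example (not from the thread, not Cisco code): a small matcher for the access-list syntax used above, assuming contiguous wildcard masks. It applies first-match-wins with the implicit deny, and shows that an ACL applied "in" on Vlan5 only ever sees packets sourced from Vlan5 hosts, so the server-sourced entry has to be applied where that traffic enters the MSFC.

```python
import ipaddress

# Constructed ACL using the compressed entry from the thread; added example, not Cisco code.
ACL_103_TEXT = """
access-list 103 permit ip 172.23.60.0 0.0.0.15 host 172.23.11.3
access-list 103 permit ip host 172.23.11.3 172.23.60.0 0.0.0.255
access-list 103 deny ip any any
"""

def parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard is the bitwise inverse of a subnet mask (assumes contiguous bits).
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N <permit|deny> <proto> <src> <dst>' lines into (action, proto, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, rest = parse_addr(t[4:])
        dst, _ = parse_addr(rest)
        entries.append((action, proto, src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; IOS adds an implicit deny at the end. Returns (action, index)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, _proto, src, dst) in enumerate(entries):
        if s in src and d in dst:
            return action, i
    return "deny", None

ENTRIES = parse_acl(ACL_103_TEXT)

if __name__ == "__main__":
    # Packets entering the MSFC from Vlan5: the only traffic 'ip access-group 103 in' on Vlan5 sees.
    print(evaluate(ENTRIES, "172.23.60.7", "172.23.11.3"))   # ('permit', 0)
    print(evaluate(ENTRIES, "172.23.60.20", "172.23.11.3"))  # ('deny', 2): .20 is outside 0.0.0.15
    print(evaluate(ENTRIES, "172.23.60.7", "172.23.8.50"))   # ('deny', 2): other Vlan1 hosts blocked
    # Entry 0 covers 16 sources (.0 through .15, including the SVI address .1).
    print(ENTRIES[0][2].num_addresses)                        # 16
    # Entry 1 would match server-sourced packets, but those enter on Vlan1, never inbound on Vlan5.
    print(evaluate(ENTRIES, "172.23.11.3", "172.23.60.7"))   # ('permit', 1)
```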