03-11-2003 01:46 AM - edited 03-02-2019 05:45 AM
Hi, everybody,
I have to set up a very simple (in my opinion) ACL on an MSFC. As I'm new to ACLs, please help....
Issue:
Allow access from vlan 10 only to/from servers A and B on vlan 20 (IP only), and servers C and D on vlan 30 (for DHCP and DNS). Nobody on vlan 10 can do anything to any other server on any vlan.
I tried this config:
access-list 101 permit ip any host serverA_on_vlan20
access-list 101 permit ip any host serverB_on_vlan20
access-list 101 permit udp any host serverC_on_vlan30
access-list 101 permit udp any host serverD_on_vlan30
interface Vlan10
description === WIRELESS TOURIST VLAN ===
...
ip access-group 101 in
With this config, I just had access to.... everything (IP, telnet, ping,...).
By adding "access-list 101 deny ip any any", I no longer had access to... anything.
Thanks for all,
Jean-Michel
03-11-2003 04:21 AM
I think you should use ACL 101 as outbound instead of inbound. So put "ip access-group 101 out" on int Vlan10 instead of "in".
No need to add "access-list 101 deny ip any any".
Hope this helps and please let me know.
03-13-2003 09:24 PM
You are technically correct that there is no mandatory requirement for "access-list 101 deny ip any any" as that deny statement is implied. However, it is still good practice to include it anyway so that hits on it can be tracked through logging. Just a suggestion.
03-11-2003 10:23 AM
I would agree with the other response: you did not state which interface you applied the ACL to, but it looks like it is either on the wrong interface or is going in the wrong direction.
03-21-2003 09:59 PM
In looking at your configuration, I have to agree with the other replies about the direction (in/out) of your ACLs via the access-group statement. I also agree about the explicit deny that should be added at the end of your ACL. In addition, you are allowing specific traffic out, but there may be an issue with not specifying the traffic that should be allowed back to vlan10.
What I mean is that if you do not specify what is allowed back to vlan10, then when all the ACL entries have been tried, all remaining traffic will be denied, and as a result replies to your requests from vlan10 to the servers on vlan20 and vlan30 will be denied as well. I hope this helps resolve the ACL issue.
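A worked version of the ACL, added here as an example and not taken from any post in this thread. It keeps the original design (ACL 101 applied inbound on Vlan10) and all addresses are invented for illustration: 10.10.0.0/24 for the tourist VLAN, 10.20.0.11 and 10.20.0.12 for servers A and B on Vlan20, 10.30.0.53 and 10.30.0.54 for servers C and D on Vlan30. It narrows the server C/D entries to DNS and DHCP, covers the DHCP case that a plain "permit udp any host <server>" misses (a client with no lease yet sends from 0.0.0.0 to 255.255.255.255, so the packet never carries the server's address until the relay forwards it), and ends with an explicit, logged deny.

```ios
! Added example, not from the thread. All addresses are invented:
!   Vlan10 (wireless tourists)   10.10.0.0/24, gateway 10.10.0.1
!   server A / B on Vlan20       10.20.0.11 / 10.20.0.12
!   server C / D on Vlan30       10.30.0.53 / 10.30.0.54 (DNS + DHCP)
!
! Extended numbered ACL: evaluated top down, first match wins,
! anything that matches no entry is dropped by the implicit deny.
access-list 101 remark --- tourist VLAN -> permitted servers only ---
! Any IP traffic (ICMP, TCP, UDP, ...) from the tourist subnet to servers A and B
access-list 101 permit ip 10.10.0.0 0.0.0.255 host 10.20.0.11
access-list 101 permit ip 10.10.0.0 0.0.0.255 host 10.20.0.12
! DNS only (UDP and TCP port 53) to servers C and D
access-list 101 permit udp 10.10.0.0 0.0.0.255 host 10.30.0.53 eq domain
access-list 101 permit tcp 10.10.0.0 0.0.0.255 host 10.30.0.53 eq domain
access-list 101 permit udp 10.10.0.0 0.0.0.255 host 10.30.0.54 eq domain
access-list 101 permit tcp 10.10.0.0 0.0.0.255 host 10.30.0.54 eq domain
! DHCP: a client without a lease sends 0.0.0.0 -> 255.255.255.255 (UDP 68 -> 67),
! which none of the entries above match. Permit client -> server explicitly
! rather than relying on the platform to exempt it; ip helper-address on
! Vlan10 then relays it to servers C and D. A client renewing its lease
! sends directly to the server, which this entry also covers.
access-list 101 permit udp any eq bootpc any eq bootps
! Explicit deny, logged, so "show access-lists" and syslog show the hits.
! On a Catalyst 6500 the "log" keyword sends matching packets to the MSFC CPU
! (rate limited), so use it while troubleshooting rather than permanently.
access-list 101 deny ip any any log
!
interface Vlan10
 description === WIRELESS TOURIST VLAN ===
 ip address 10.10.0.1 255.255.255.0
 ! Relay DHCP broadcasts to the two DHCP servers on Vlan30
 ip helper-address 10.30.0.53
 ip helper-address 10.30.0.54
 ! "in" = packets arriving from Vlan10 hosts. Server replies enter the MSFC
 ! on Vlan20/Vlan30, where no ACL is applied, so no return entries are needed.
 ip access-group 101 in
```

Direction matters for the security goal, not just for connectivity. An IOS ACL is stateless and is evaluated only where it is applied: with "in" on Vlan10, every packet a tourist host sends is checked before it is routed anywhere, and replies are never seen by ACL 101 because they arrive on other interfaces. With "out" on Vlan10 instead, only packets leaving the MSFC toward the tourist hosts are checked, so requests from Vlan10 still reach every server on every VLAN unfiltered and only the replies are dropped; the entries would also have to be written with the servers as the source. If the requirement is that nobody on Vlan10 can do anything to any other server, the inbound direction is the one that enforces it.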