
Stupid ACL issue

jmgeldhof
Level 1

Hi, everybody,

I have to set up a very simple (in my opinion) ACL on an MSFC. As I'm new to ACLs, please help....

Issue:

Allow access from vlan 10 only to/from servers A and B on vlan 20 (IP only), servers C and D on vlan 30 (for DHCP and DNS). Nobody on vlan 10 can do anything to any other server on any vlan.

I tried these configs:

access-list 101 permit ip any host serverA_on_vlan20
access-list 101 permit ip any host serverB_on_vlan20
access-list 101 permit udp any host serverC_on_vlan30
access-list 101 permit udp any host serverD_on_vlan30

interface Vlan10
 description === WIRELESS TOURIST VLAN ===
 ...
 ip access-group 101 in

With this config, I just had access to... everything (IP, telnet, ping, ...).

By adding "access-list 101 deny ip any any", I had access to... nothing anymore.

Thanks for all,

Jean-Michel

4 Replies

jolmo
Level 4

I think you should use ACL 101 as outbound instead of inbound. So, under int Vlan10, put "ip access-group 101 out" instead of "in".

You don't need to add "access-list 101 deny ip any any".

Hope this helps and please let me know.

You are technically correct that there is no mandatory requirement for "access-list 101 deny ip any any" as that deny statement is implied. However, it is still good practice to include it anyway so that hits on it can be tracked through logging. Just a suggestion.

Slowmo
Level 1

I would agree with the other response. You did not state which interface you applied the ACL to, but it looks like it is either on the wrong interface or is going in the wrong direction.

jcengh
Level 1

In looking at your configuration, I have to agree with the other replies about the direction (in/out) of your ACLs via the access-group statement. I also agree about the explicit deny that should be added at the end of your ACL. In addition, you are allowing specific traffic out, but there may be an issue about not specifying the traffic that should be allowed back to vlan10.

What I mean is, if you do not specify what is allowed back to vlan10, then when the ACL entries have all been tried, all remaining traffic will be denied, and as a result the replies to your requests from vlan10 to the servers on vlan20 and vlan30 will be denied as well. I hope this helps resolve the ACL issue.
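Two points run through the replies above: an extended ACL is evaluated top-down with first match wins and an implicit deny at the end, and an ACL applied in one direction on an SVI only ever sees one half of a flow (IOS ACLs are stateless, so the return packets are judged on their own). The following added example is not from the thread or from Cisco; it is a small evaluator written here for the subset of syntax used in the question, with constructed addresses standing in for serverA_on_vlan20 etc. and 10.10.10.0/24 assumed as the vlan 10 subnet. It evaluates the poster's ACL 101 line by line and then traces a request/reply pair through the same ACL applied "in" and "out" on Vlan10, so you can see which packets each direction actually filters.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample addressing (assumption, not from the thread).
VLAN10 = ipaddress.ip_network("10.10.10.0/24")
VLAN10_HOST = "10.10.10.25"
SERVER_A = "192.0.2.10"       # serverA_on_vlan20
SERVER_B = "192.0.2.11"       # serverB_on_vlan20
SERVER_C = "198.51.100.10"    # serverC_on_vlan30 (DHCP/DNS)
SERVER_D = "198.51.100.11"    # serverD_on_vlan30 (DHCP/DNS)
OTHER_SERVER = "192.0.2.99"   # some other host on vlan 20


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Wildcard mask: invert it to get a netmask (0.0.0.255 -> 255.255.255.0).
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (the subset used in the thread)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    action, proto = tokens[2], tokens[3]
    src, rest = _take_address(tokens[4:])
    dst, rest = _take_address(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, dport)


def evaluate(acl, pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry decides; return (action, index). No match -> implicit deny, index None."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, i
    return "deny", None


def svi_sees(pkt: Packet, direction: str) -> bool:
    """On interface Vlan10, 'in' filters packets sourced in vlan 10 (hosts -> MSFC);
    'out' filters packets the MSFC routes into vlan 10 (dst in vlan 10)."""
    if direction == "in":
        return ipaddress.ip_address(pkt.src) in VLAN10
    return ipaddress.ip_address(pkt.dst) in VLAN10


def trace_flow(acl, direction: str, request: Packet, reply: Packet) -> dict:
    """Judge each half of a flow independently (ACLs keep no state). Packets the
    direction does not cover pass untouched."""
    verdicts = {}
    for name, pkt in (("request", request), ("reply", reply)):
        verdicts[name] = evaluate(acl, pkt)[0] if svi_sees(pkt, direction) else "not filtered"
    return verdicts


# The poster's ACL 101, with the explicit deny the replies recommend at the end.
ACL_101 = [parse_ace(line) for line in f"""
access-list 101 permit ip any host {SERVER_A}
access-list 101 permit ip any host {SERVER_B}
access-list 101 permit udp any host {SERVER_C}
access-list 101 permit udp any host {SERVER_D}
access-list 101 deny ip any any
""".strip().splitlines()]

TELNET_REQUEST = Packet("tcp", VLAN10_HOST, SERVER_A, 23)
TELNET_REPLY = Packet("tcp", SERVER_A, VLAN10_HOST, 40000)

if __name__ == "__main__":
    print("telnet to server A:", evaluate(ACL_101, TELNET_REQUEST))
    print("dns to server C:   ", evaluate(ACL_101, Packet("udp", VLAN10_HOST, SERVER_C, 53)))
    print("telnet to other:   ", evaluate(ACL_101, Packet("tcp", VLAN10_HOST, OTHER_SERVER, 23)))
    for direction in ("in", "out"):
        print(f"ACL 101 applied {direction} on Vlan10:", trace_flow(ACL_101, direction, TELNET_REQUEST, TELNET_REPLY))
```

Running it shows that entries written with the servers as destinations match the vlan 10 hosts' requests when applied "in" on Vlan10, while the replies (destination in vlan 10) are never examined by that ACL; the same entries applied "out" on Vlan10 see only the replies, which match nothing and fall through to the deny. Whichever direction you choose, write each entry for the packets that direction actually sees, and keep the explicit `deny ip any any` so the counters (and `log`, if you add it) tell you what is being dropped.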