Cisco Support Community

Assistance with Access-list

Need configuration assistance on 6509: Goal is to block inbound traffic on interface except from 10.60.0.0 and 10.90.0.0

This is what I have, but it is not working. What am I missing?

6509

interface vlan xx

ip access-group 100 in

!

ip access-list standard 100

permit ip 10.60.0.0 any

permit ip 10.90.0.0 any

deny ip any any

on pix

access-list 100 permit ip 10.60.0.0

access-list 100 permit ip 10.90.0.0

1 REPLY

Re: Assistance with Access-list

Hi Johanna,

The access-list would be the following:

ip access-list standard traffic_in

permit 10.60.0.0 0.0.255.255

permit 10.90.0.0 0.0.255.255

interface vlan xx

ip access-group traffic_in in

If you use "permit 10.60.0.0" only in the access-list, then it will permit the 10.60.0.0 source address only, not the entire subnet.

My supposition is that the subnets are:

10.60.0.0 255.255.0.0

10.90.0.0 255.255.0.0

This is why I chose the given wildcard mask in the access-list.

You don't have to put "deny any" at the end of the access-list, because there is an implicit deny at the end anyway.

Cheers:

Istvan
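
Added example, not part of the original reply and not Cisco code: a small Python model of standard-ACL source matching that shows why an entry without a wildcard mask matches one address only, while 0.0.255.255 matches the whole range, with the implicit deny at the end. The function names and the sample source addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample ACL bodies (standard-ACL entry syntax: action, source, optional wildcard).
HOST_ONLY = """
permit 10.60.0.0
permit 10.90.0.0
"""
WITH_WILDCARD = """
permit 10.60.0.0 0.0.255.255
permit 10.90.0.0 0.0.255.255
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_standard_acl(text):
    """Turn entry lines into (action, address, wildcard) tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        action, src = parts[0], parts[1:]
        if action not in ("permit", "deny") or not src:
            raise ValueError(f"unsupported entry: {line!r}")
        if src[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif src[0] == "host":
            addr, wild = _ip(src[1]), 0
        else:
            # No wildcard given: the entry matches that single address only.
            addr, wild = _ip(src[0]), _ip(src[1]) if len(src) > 1 else 0
        rules.append((action, addr, wild))
    return rules

def evaluate(rules, source):
    """Return the action of the first matching entry, else the implicit deny."""
    src = _ip(source)
    for action, addr, wild in rules:
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if (src & care) == (addr & care):
            return action
    return "deny"

def check(acl_text, source):
    return evaluate(parse_standard_acl(acl_text), source)

if __name__ == "__main__":
    for src in ("10.60.0.0", "10.60.1.5", "10.90.255.254", "10.61.0.1"):
        print(src, check(HOST_ONLY, src), check(WITH_WILDCARD, src))
```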
