05-12-2022 10:39 AM
Hello, can someone help me? I'm trying to configure an access-list so that only my PC (x.x.x.x) can communicate with host y.y.y.y.
Here's what I've done:
no ip access-list extended TI_ADMIN
ip access-list extended TI_ADMIN
permit ip host x.x.x.x host y.y.y.y
deny ip any host y.y.y.y
permit ip any any
interface GigabitEthernet5/0/43
description Server y.y.y.y
ip access-group TI_ADMIN out
Like that it's working... only my PC can communicate with server y.y.y.y, but the problem is that my server y.y.y.y cannot reach any PC anymore.
I don't want to limit server y.y.y.y from reaching any device on any network.
Thanks!
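The reason the server loses connectivity with the list above is that a plain IOS ACL is stateless. The Python model below is an added example, not code from the thread or from Cisco: it evaluates the posted TI_ADMIN list with IOS first-match semantics (including the implicit deny at the end) against constructed sample addresses (the 192.168.10.x values are assumptions standing in for x.x.x.x and y.y.y.y; 8.8.8.8 is the destination named in the thread). Because the list is applied "out" on the port facing the server, it only ever sees packets heading towards the server, and the "deny ip any host y.y.y.y" line therefore also drops the echo replies and SMTP responses that answer sessions the server itself started.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (assumption) standing in for the thread's x.x.x.x / y.y.y.y.
ADMIN_PC = "192.168.10.10"   # the one PC that should reach the server
OTHER_PC = "192.168.10.20"   # any other host on the network
SERVER = "192.168.10.50"     # the iDRAC host behind GigabitEthernet5/0/43
INTERNET = "8.8.8.8"         # the destination the server pings in the thread

ANY = ipaddress.ip_network("0.0.0.0/0")


def host(ip: str) -> ipaddress.IPv4Network:
    """'host a.b.c.d' in IOS syntax is a /32 match."""
    return ipaddress.ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Ace:
    """One 'permit|deny ip <src> <dst>' access-control entry."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def evaluate(acl, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


# TI_ADMIN as posted, applied 'out' on the server-facing port: it sees packets going TO the server.
TI_ADMIN_AS_POSTED = [
    Ace("permit", host(ADMIN_PC), host(SERVER)),
    Ace("deny", ANY, host(SERVER)),
    Ace("permit", ANY, ANY),
]

# TI_ADMIN after the 'deny ip any host y.y.y.y' line is removed, as tried later in the thread.
TI_ADMIN_WITHOUT_DENY = [
    Ace("permit", host(ADMIN_PC), host(SERVER)),
    Ace("permit", ANY, ANY),
]


def packets_toward_server(acl) -> dict:
    """Verdicts for the packets that matter in the thread.

    Packets sent BY the server enter the switch port ('in' direction) and are never checked
    by an 'out' ACL, so only the traffic coming back to the server is evaluated here. The
    ACL has no state, so a reply to a server-initiated ping looks like any other packet.
    """
    return {
        "admin_pc -> server": evaluate(acl, ADMIN_PC, SERVER),
        "other_pc -> server": evaluate(acl, OTHER_PC, SERVER),
        "8.8.8.8 echo-reply -> server": evaluate(acl, INTERNET, SERVER),
    }


if __name__ == "__main__":
    for name, acl in (("as posted", TI_ADMIN_AS_POSTED), ("without deny", TI_ADMIN_WITHOUT_DENY)):
        print(name, packets_toward_server(acl))
```

With the list as posted, the echo reply from 8.8.8.8 is dropped by entry 20, which is exactly the "cannot ping 8.8.8.8" symptom; with the deny removed, every host's traffic to the server is permitted by "permit ip any any", which is the second symptom reported further down.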
05-12-2022 11:01 AM - edited 06-12-2022 05:12 PM
Check my comment below.
05-12-2022 11:08 AM
Add another list, as an example, to get an idea:
ip access-list extended Server-out
permit ip host y.y.y.y any
!
interface GigabitEthernet5/0/43
ip access-group Server-out in
05-12-2022 12:33 PM
Same thing, my device cannot ping 8.8.8.8 afterwards and cannot initiate SMTP traffic.
06-12-2022 02:42 AM
"Same thing, my device cannot ping 8.8.8.8 afterwards and cannot initiate SMTP traffic"
What device, what is the IP address?
ip access-list extended TI_ADMIN
deny ip any host y.y.y.y   <- remove this line and test it
If it is still not working, post the updated ACL and the output of show run int GigabitEthernet5/0/43.
06-12-2022 05:14 AM
When I said my device cannot ping 8.8.8.8, I mean the iDRAC server y.y.y.y.
I've removed the line "deny ip any host y.y.y.y" from the access-list TI_ADMIN. Now I can ping 8.8.8.8 from the iDRAC server, but any PC can reach it.
sh access-lists TI_ADMIN
Extended IP access list TI_ADMIN
10 permit ip host 192.168.x.x host 192.168.y.y
20 permit ip any any
sh access-lists SERVERS_OUT
Extended IP access list SERVERS_OUT
10 permit ip host 192.168.y.y any
interface GigabitEthernet5/0/43
description IDRAC
switchport access vlan 10
switchport mode access
ip arp inspection trust
ip access-group SERVERS_OUT in
ip access-group TI_ADMIN out
spanning-tree portfast
end
06-12-2022 05:43 AM
This is a PACL.
Can you just mention what is connected to this port, 192.168.x.x or 192.168.y.y?
06-12-2022 11:28 AM
192.168.x.x = Windows 10
192.168.y.y = Dell iDRAC management server
06-12-2022 05:18 PM
As far as I know, a PACL only accepts the IN direction, not OUT.
anyway
I thought about your issue last night; the only solution I found for
making only one host connect to the server when both are in the same VLAN, preventing the other hosts of that VLAN from connecting,
and letting any host in another VLAN connect to the server, is to use a VACL.
R3, R2 and R4 share the same subnet.
I configured a VACL so that R3 can ping R2,
but
R4 cannot ping R2,
AND
R5 (which is in a different VLAN) can ping R2.
R1 is the GW for both VLANs.
Take a look at my config.