02-24-2021 06:06 PM
Hi, I need some help creating an ACL on a Cisco multilayer switch.
1) I want to allow all traffic between these subnets
10.75.0.0/22 ------ 10.0.0.0/8
2) I want to allow only HTTP traffic and block the remaining traffic between the following subnets.
10.157.0.0/15 --- 10.0.0.0/8
10.165.0.0/16 ---- 10.0.0.0/8
3) I want to block all traffic between these subnets
10.157.0.0/15 ---- 10.185.0.0/16
Please find my config below. My question is:
do I need to mention "permit ip any any" at the end of that access-list?
ip access-list extended test1
permit ip 10.75.0.0 0.0.3.255 10.0.0.0 0.255.255.255
permit ip 10.0.0.0 0.255.255.255 10.75.0.0 0.0.3.255
permit tcp 10.157.0.0 0.1.255.255 10.0.0.0 0.255.255.255 eq 80
permit tcp 10.0.0.0 0.255.255.255 10.157.0.0 0.1.255.255 eq 80
permit tcp 10.165.0.0 0.0.255.255 10.0.0.0 0.255.255.255 eq 80
permit tcp 10.0.0.0 0.255.255.255 10.165.0.0 0.0.255.255 eq 80
deny ip 10.157.0.0 0.1.255.255 10.0.0.0 0.255.255.255
deny ip 10.0.0.0 0.255.255.255 10.157.0.0 0.1.255.255
deny ip 10.165.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 10.0.0.0 0.255.255.255 10.165.0.0 0.0.255.255
deny ip 10.157.0.0 0.1.255.255 10.185.0.0 0.0.255.255
deny ip 10.185.0.0 0.0.255.255 10.157.0.0 0.1.255.255
permit ip any any
---
interface vlan 2
ip access-group test1 in
-------
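To make the two points in this thread concrete (the implicit deny at the end of every Cisco ACL, and first-match ordering), here is a small evaluator that walks an extended ACL the way the switch does. It is an added example, not configuration or code from the thread or from Cisco; the ACL text it embeds is a constructed copy of the one in the opening post (with the 10.185.0.0/16 entries written with wildcard 0.0.255.255), the parser only understands the permit/deny, protocol, address/wildcard, any, host and "eq port" forms used here, and the flows it tests are constructed.

```python
"""Cisco-style extended ACL evaluator: first match wins, implicit deny at the end."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AddrMatch:
    """Cisco address/wildcard pair; wildcard bits set to 1 are 'don't care'."""
    addr: int
    wildcard: int

    def contains(self, ip: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return ((int(ipaddress.IPv4Address(ip)) ^ self.addr) & care) == 0


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", ...
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int]   # destination port for "eq <port>", else None
    text: str              # original line, kept for readable results


def _take_addr(tokens: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Consume one address spec (any / host X / addr wildcard) starting at tokens[i]."""
    if tokens[i] == "any":
        return AddrMatch(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return AddrMatch(int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return AddrMatch(addr, wildcard), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse the ACE lines of an 'ip access-list extended' block (header line skipped)."""
    aces = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("ip access-list") or line.startswith("!"):
            continue
        t = line.split()
        src, i = _take_addr(t, 2)
        dst, i = _take_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(t[0], t[1], src, dst, dport, line))
    return aces


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based ACE number); ('deny', None) means the implicit deny fired."""
    for n, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (ace.src.contains(src) and ace.dst.contains(dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


# Constructed copy of the ACL from the opening post (without its final line).
POSTED_ACL = """
ip access-list extended test1
 permit ip 10.75.0.0 0.0.3.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 10.75.0.0 0.0.3.255
 permit tcp 10.157.0.0 0.1.255.255 10.0.0.0 0.255.255.255 eq 80
 permit tcp 10.0.0.0 0.255.255.255 10.157.0.0 0.1.255.255 eq 80
 permit tcp 10.165.0.0 0.0.255.255 10.0.0.0 0.255.255.255 eq 80
 permit tcp 10.0.0.0 0.255.255.255 10.165.0.0 0.0.255.255 eq 80
 deny ip 10.157.0.0 0.1.255.255 10.0.0.0 0.255.255.255
 deny ip 10.0.0.0 0.255.255.255 10.157.0.0 0.1.255.255
 deny ip 10.165.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny ip 10.0.0.0 0.255.255.255 10.165.0.0 0.0.255.255
 deny ip 10.157.0.0 0.1.255.255 10.185.0.0 0.0.255.255
 deny ip 10.185.0.0 0.0.255.255 10.157.0.0 0.1.255.255
"""
FINAL_PERMIT = " permit ip any any\n"


def implicit_deny_demo():
    """Unrelated traffic crossing vlan 2: dropped without the final permit, allowed with it."""
    flow = ("tcp", "10.20.1.1", "10.30.1.1", 443)   # constructed flow
    return evaluate(parse_acl(POSTED_ACL), *flow), evaluate(parse_acl(POSTED_ACL + FINAL_PERMIT), *flow)


def ordering_demo():
    """Requirement 3 says block 10.157/15 -> 10.185/16, but ACE 3 permits HTTP first."""
    return evaluate(parse_acl(POSTED_ACL + FINAL_PERMIT), "tcp", "10.157.1.1", "10.185.1.1", 80)


def reordered_acl() -> List[Ace]:
    """Move the two specific 10.157 <-> 10.185 denies ahead of the broader permits."""
    aces = parse_acl(POSTED_ACL + FINAL_PERMIT)
    specific = [a for a in aces if "10.185.0.0" in a.text]
    return specific + [a for a in aces if "10.185.0.0" not in a.text]


def ordering_fixed_demo():
    return evaluate(reordered_acl(), "tcp", "10.157.1.1", "10.185.1.1", 80)


if __name__ == "__main__":
    print("implicit deny vs permit any any:", implicit_deny_demo())
    print("HTTP 10.157 -> 10.185 as posted:", ordering_demo())
    print("HTTP 10.157 -> 10.185 reordered:", ordering_fixed_demo())
```

Two things fall out of running it: any flow that none of the explicit entries covers is dropped by the implicit deny, which is exactly why the ACL "did not work" for other traffic on vlan 2 until "permit ip any any" was added; and because the switch stops at the first match, the HTTP permit toward 10.0.0.0/8 in ACE 3 is hit before the deny toward 10.185.0.0/16, so that deny has to sit above the broader permits to take effect.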
02-24-2021 08:20 PM
Hi
Can you give more details on how your architecture is? What are your actual SVIs? Where you want to apply these ACLs?
The config you shared has bi-directional ACEs in the ACL, and then you're applying it to SVI vlan 2. What is this SVI?
Also, for the ACL to allow HTTP traffic, is the subnet 10.157 or 10.165 the one hosting the HTTP servers, or are these VLANs the source of the traffic and 10.0.0.0/8 the destination?
02-25-2021 06:41 AM
Hi
Thanks for the reply. Actually, the communication between these subnets happens only on this SVI (interface vlan 2), so that's why I want to apply the ACL on this interface.
10.75.0.0/22 (source) ------ 10.0.0.0/8 (destination)
2) I want to allow only HTTP traffic and block the remaining traffic between the following subnets.
10.157.0.0/15 (source) --- 10.0.0.0/8 (destination)
10.165.0.0/16 (source) ---- 10.0.0.0/8 (destination)
3) I want to block all traffic between these subnets
10.157.0.0/15 (source) ---- 10.185.0.0/16 (destination)
Last time when I applied this ACL it did not work (I did not add "permit ip any any" at the end of it that time), so that's why I was wondering if I need to add "permit ip any any" at the end of my ACL to make it work this time?
Thanks
02-25-2021 01:36 PM
As mentioned, if the ACL is applied inbound you don't need lines for both directions.
What is the IP address assigned to vlan 2 ?
Is there any other traffic, other than what you have mentioned, that you want to allow? Because if there is, then yes, you would need the "permit ip any any" at the end.
Jon
02-26-2021 09:32 AM
Sorry, it needs to be in both directions. It is working now with permit ip any any. Thanks everyone for looking into this.