IP Port ACL on 3750

mike.gilner
Level 1

Running IOS 12.2(20)SE4

I'm trying to create a port ACL to lock down access to a server. Here's an ACL I tried to create:

access-list 6 deny host 10.55.6.145

access-list 6 permit any

When I apply it to the interface I type:

interface gigabitethernet1/0/11

ip access-group 6 in

With this ACL in place I can still access the server on port 11 from the host (10.55.6.145) that should be denied.

Any ideas?

5 Replies

pvezina
Level 1

You applied the access-list inbound, which means packets coming from the server to the switch. Standard access-lists are configurable based on source IP addresses, and in this case it is the destination (the host) that you want to deny. Change the "ip access-group 6" to "out" and it should work.

I don't think I can use the "out" option since I'm configuring a Port ACL. As far as I know, Port ACLs can only be applied in the inbound direction, at least on the 3750 with the IOS I'm running. I tried "out" just in case, but it shot back with an error.

Am I wrong here?

Hi,

I know that on the 3560s port ACLs are only allowed inbound. I assume this is what you are running into on the 3750s.

Port ACLs access-control traffic entering a Layer 2 interface. The switch does not support port ACLs in the outbound direction. You can apply only one IP access list and one MAC access list to a Layer 2 interface.

http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a00801e85c5.html

In that case, I would use an extended access-list near the host, so you can deny the traffic near the source. This way you will be able to filter based on destination IP address.
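As an added illustration of the filtering described in this thread (not configuration posted by anyone in it), the fragment below contrasts the original standard port ACL with an extended ACL applied inbound on the port where the denied host connects. The server address, the ACL name and the host-side interface GigabitEthernet1/0/5 are placeholders, not values from the thread.

```cisco
! Original approach: standard ACL on the SERVER's port, inbound.
! Inbound on this port means frames the server sends, so the source
! address checked is the server's, never 10.55.6.145. Nothing matches
! the deny line and "permit any" passes everything.
access-list 6 deny host 10.55.6.145
access-list 6 permit any
interface GigabitEthernet1/0/11
 ip access-group 6 in

! Suggested approach: extended ACL on the HOST's port, inbound.
! Here the source is the host itself, and an extended ACL can match
! the destination as well, so only traffic to the protected server
! is dropped; the host keeps reaching everything else.
ip access-list extended BLOCK-HOST-TO-SERVER
 remark placeholder: replace SERVER-IP with the server's address
 deny   ip host 10.55.6.145 host SERVER-IP
 permit ip any any
interface GigabitEthernet1/0/5
 description placeholder: port where 10.55.6.145 is connected
 ip access-group BLOCK-HOST-TO-SERVER in
```

After applying, "show ip access-lists BLOCK-HOST-TO-SERVER" shows per-line match counters, which is the quickest way to confirm the deny line is actually being hit.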

Other than creating and adding an ACL to a port, are there any other steps I'm missing to enable port IP ACLs? Things seem to not be working whatsoever. For example:

deny host 10.22.45.19

permit 10.22.45.0, wildcard bits 0.0.0.255

When this is applied to the port on the switch of the server I'm trying to protect, 10.22.45.19 can still talk to the server, as can everything else. Even hosts that should be blocked by the implicit deny rule.