Re: Configuring and applying ACL on Cisco 6509 switch IOS 12.2

m-laing
Level 1

Is there a difference in configuring an ACL on a Catalyst 3550 and a 6509 switch? I find that when I apply an IOS ACL on the 6509 switch I am not getting the desired result. Can you suggest, using an example, a basic ACL config that works?

How is the IOS ACL applied?

Thank You

5 Replies

Richard Burts
Hall of Fame

In an IOS environment you configure an access list in global configuration mode with the command access-list or the command ip access-list standard/extended depending on whether you want numbered or named access lists. In the access list you specify the permits and denys that you want to use. After the access list is configured you apply it on the routed interface (interface vlan #) with the command ip access-group in/out depending on whether you want the access list to filter inbound or outbound traffic.

HTH

Rick

m-laing
Level 1

I have applied the same principle to the 6509 switch; however, I am not getting the desired result.

For example

access-list 101 deny ip host 10.20.200.51 host 10.20.0.49

applied to vlan 2

int vlan 2

ip access-group 101 in

When the above ACL is applied Host 10.20.0.49 is not able to ping 10.20.200.51.

I have changed the direction of the ACL and I'm obtaining similar results.

The behavior you describe is because the access list that you created said to deny traffic between the source host and the destination host. Change the access list to permit and try it again.

One important tip about access lists is that every access list must permit something. This is related to the fact that at the end of every access list is an implied deny all.

HTH

Rick

I am trying the following test scenario

To permit host 10.10.200.51 access to DNS and HTTP services:

access-list 101 permit udp host 10.20.200.51 eq domain host 10.10.100.1 eq domain

access-list 101 permit tcp host 10.20.200.51 eq www any eq www

Applied on the VLAN in the in direction.

When this is applied either in the in or the out direction of, say, VLAN 50, the host is not able to browse. IP addresses were assigned statically.

Your access list is flawed in the way it specifies the same port as source and destination. There are only a few applications where the source port and destination port are the same (NTP is one example of that). Most of the time the source port and the destination port are different.

You will need to think about the direction the access list will be applied and its relation to the flow of traffic. If a PC in your network is sending a DNS request then the source port will be some high numbered port and the destination port will be domain. When the response comes back domain will be the source port and the high number port will be the destination. Similarly for WWW, some high port is the source when the PC is trying to browse with www as the destination. And in the response coming back WWW is the source and the high port is the destination.

HTH

Rick
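Added example, not part of the thread: a small Python evaluator that applies IOS first-match ACL semantics (including the implicit deny at the end) to the ACL 101 posted above and to constructed DNS packets, showing why "eq domain" / "eq www" on the source side never matches a client's ephemeral port. The corrected entries, the packet values and the choice of the PC's VLAN interface with `ip access-group 101 in` are assumptions for illustration.

```python
# Added example, not from the thread: IOS first-match ACL evaluation
# (implicit deny at the end) over the ACL 101 posted above.
PORT_NAMES = {"domain": 53, "www": 80}  # IOS port keywords used in the thread

def _endpoint(t, i):
    """Consume 'host A' or 'any' plus optional 'eq <port>' from tokens t."""
    if t[i] == "host":
        addr, i = t[i + 1], i + 2
    elif t[i] == "any":
        addr, i = None, i + 1  # None acts as a wildcard
    else:
        raise ValueError(f"unsupported address spec: {t[i]}")
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return addr, port, i

def parse_ace(line):
    """'access-list 101 permit udp host A eq domain host B eq domain' -> dict."""
    t = line.lower().split()
    if t[0] != "access-list":
        raise ValueError(line)
    src, sport, i = _endpoint(t, 4)
    dst, dport, _ = _endpoint(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def acl_permits(acl_lines, pkt):
    """First matching ACE decides; IOS appends an implicit 'deny ip any any'."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if all(ace[k] is None or ace[k] == pkt[k]
               for k in ("src", "dst", "sport", "dport")):
            return ace["action"] == "permit"
    return False

# The ACL as posted: same port on both ends, so a request never matches.
FLAWED = [
    "access-list 101 permit udp host 10.20.200.51 eq domain host 10.10.100.1 eq domain",
    "access-list 101 permit tcp host 10.20.200.51 eq www any eq www",
]
# Corrected for 'ip access-group 101 in' on the PC's VLAN (assumption): the source port stays ephemeral.
CORRECTED_IN = [
    "access-list 101 permit udp host 10.20.200.51 host 10.10.100.1 eq domain",
    "access-list 101 permit tcp host 10.20.200.51 any eq www",
]
# Constructed DNS request from the PC (ephemeral source port) and the server's reply.
DNS_REQUEST = {"proto": "udp", "src": "10.20.200.51", "sport": 51234, "dst": "10.10.100.1", "dport": 53}
DNS_REPLY = {"proto": "udp", "src": "10.10.100.1", "sport": 53, "dst": "10.20.200.51", "dport": 51234}
```

`acl_permits(CORRECTED_IN, DNS_REPLY)` is False, which is what happens if the same list is applied out instead of in: the reply has the server as source and 53 as source port, so the outbound direction needs a list with those fields swapped.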